[Freeipa-users] sssd options ignored?

Sumit Bose sbose at redhat.com
Wed Mar 18 07:55:00 UTC 2015


On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote:
> On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
> > On Tue, 17 Mar 2015, Gould, Joshua wrote:
> > >I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
> > >to match what's in ipa idrange-find --all for the AD domain.
> > >
> > ># ipa idrange-mod --base-id=100000 --range-size=900000 --rid-base=0
> > >Range name: TEST.OSUWMC_id_range
> > >----------------------------------------
> > >Modified ID range "TEST.OSUWMC_id_range"
> > >----------------------------------------
> > >Range name: TEST.OSUWMC_id_range
> > >First Posix ID of the range: 100000
> > >Number of IDs in the range: 900000
> > >First RID of the corresponding RID range: 0
> > >Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
> > >Range type: Active Directory domain range
> > >
> > >
> > >/etc/sssd/sssd.conf:
> > >[domain/test.osuwmc]
> > >ldap_idmap_range_min = 100000
> > >ldap_idmap_range_size = 900000
> > There is something completely broken here.
> 
> Yes, the sssd.conf configuration :-)
> 
> SSSD will not even read this sssd.conf section, it is just ignored. The
> subdomains are mostly auto-configured, just with several exceptions
> (like subdomain_homedir) where we read the subdomain config from the
> main domain config.
> 
> > You *shouldn't* need to add a
> > separate domain section for any of the domains coming over the forest
> > trust link path _at_all_. SSSD automatically derives all needed
> > parameters for them via its IPA providers for the primary IPA domain.
> > 
> > Jakub, what is going on?
> 
> I would prefer if also Sumit can add his opinion since he authored the ID
> mapping code.

as Alexander said in the other thread, only the IPA domain should be
configured if you want to use IPA and trust. AD domains will be
discovered and ranges will be configured on the IPA server side and IPA
clients will get all information about trusted AD domains from the IPA
server.

So, please remove the section for the AD completely from sssd.conf.

HTH

bye,
Sumit
> 
> But here's how I see it - since you use 'external ID mapping', then you
> should just rely on the properties from the server. The only action to
> take on the client side is to purge the sssd cache on the clients if the
> ID mapping changes, because currently SSSD doesn't handle ID changes.
> 
> And because gracefully handling ID changes is not planned even for the
> next version (1.13), I wonder if it makes sense to add a warning after
> idrange-mod command is run that it's preferable to clean the caches? We
> might also want to add some kind of simple CLI tool (sss_delcache?) so
> that admins don't have to learn where are the caches stored.
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
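The advice in this thread is to keep only the IPA domain in sssd.conf and let the trusted AD ranges come from the IPA server. The following is an added example, not code from the thread or from the SSSD project: a small lint that parses an sssd.conf, reports `[domain/...]` sections SSSD will never start (not listed in `[sssd] domains`, or lacking an `id_provider`), lists any `ldap_idmap_*` keys sitting in them so the admin can see which settings are silently ignored, and strips those sections out. The sample configuration is constructed to mirror the one posted above; the domain name `ipa.example.test` and the `domains`/`id_provider` lines are assumptions for the sake of a complete file.

```python
"""Lint sssd.conf for per-subdomain [domain/...] sections that SSSD ignores.

Added example (not from the thread or the SSSD project). It assumes the
setup described in the thread: one IPA domain configured on the client,
trusted AD domains discovered from the IPA server, so an extra section for
the AD domain is never read.
"""
import configparser

# Constructed sample: an IPA domain plus a stray section for the trusted AD
# domain carrying ldap_idmap_* keys, as in the configuration posted above.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
subdomain_homedir = /home/%d/%u

[domain/test.osuwmc]
ldap_idmap_range_min = 100000
ldap_idmap_range_size = 900000
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; keep option names case-sensitive, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_ignored_sections(text):
    """Return [domain/...] sections SSSD will not start, with the reasons.

    A domain section is only loaded when its name appears in the
    `domains` list of the [sssd] section and it names an id_provider.
    Any ldap_idmap_* keys found in such a section are reported so the
    admin can see which settings have no effect.
    """
    cp = parse_sssd_conf(text)
    active = set()
    if cp.has_section("sssd"):
        raw = cp.get("sssd", "domains", fallback="")
        active = {d.strip() for d in raw.split(",") if d.strip()}

    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        reasons = []
        if name not in active:
            reasons.append("not listed in [sssd] domains")
        if not cp.has_option(section, "id_provider"):
            reasons.append("no id_provider")
        if not reasons:
            continue
        idmap_keys = sorted(k for k in cp[section] if k.startswith("ldap_idmap_"))
        findings.append({"section": section, "reasons": reasons,
                         "idmap_keys": idmap_keys})
    return findings


def remove_sections(text, sections):
    """Return the config text with the named sections (header + body) dropped."""
    out = []
    skip = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            skip = stripped[1:-1] in sections
        if not skip:
            out.append(line)
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    for f in find_ignored_sections(SAMPLE_CONF):
        print(f"{f['section']}: ignored ({'; '.join(f['reasons'])}); "
              f"ineffective keys: {', '.join(f['idmap_keys']) or 'none'}")
    print(remove_sections(SAMPLE_CONF, {"domain/test.osuwmc"}))
```

Run against a real file with `find_ignored_sections(open('/etc/sssd/sssd.conf').read())`; the lint only reads and reports, so cleaning the cache after an `idrange-mod`, as Jakub describes, remains a separate manual step.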
