[Freeipa-users] sssd options ignored?

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 18 08:28:16 UTC 2015


On Wed, 18 Mar 2015, Gould, Joshua wrote:
>
>
>On 3/18/15, 3:55 AM, "Sumit Bose" <sbose at redhat.com> wrote:
>
>>On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote:
>>> On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
>>> > On Tue, 17 Mar 2015, Gould, Joshua wrote:
>>>
>>> > >/etc/sssd/sssd.conf:
>>> > >[domain/test.osuwmc]
>>> > >ldap_idmap_range_min = 100000
>>> > >ldap_idmap_range_size = 900000
>>> > There is something completely broken here.
>>>
>>> Yes, the sssd.conf configuration :-)
>>>
>>> SSSD will not even read this sssd.conf section, it is just ignored. The
>>> subdomains are mostly auto-configured, just with several exceptions
>>> (like subdomain_homedir) where we read the subdomain config from the
>>> main domain config.
>>>
>>> > You *shouldn't* need to add a
>>> > separate domain section for any of the domains coming over the forest
>>> > trust link path _at_all_. SSSD automatically derives all needed
>>> > parameters for them via its IPA providers for the primary IPA domain.
>>> >
>>> > Jakub, what is going on?
>>>
>>> I would prefer if also Sumit can add his opinion since he authored the ID
>>> mapping code.
>>
>>as Alexander said in the other thread, only the IPA domain should be
>>configured if you want to use IPA and trust. AD domains will be
>>discovered and ranges will be configured on the IPA server side and IPA
>>clients will get all information about trusted AD domains from the IPA
>>server.
>>
>>So, please remove the section for the AD completely from sssd.conf.
>
>I'll be happy to remove the AD section from the sssd.conf file and test
>but I think there's more going on. The AD section was generated from the
>IPA client install. I never manually added anything other than "pac" to
>the services line under the [sssd] section and the two ldap_idmap_range
>options.
Show your /var/log/ipaclient-install.log. ipa-client-install has no
support to generate sections for AD at all. 

-- 
/ Alexander Bokovoy
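
The check discussed in this thread, as an added example that is not part of the original message or of SSSD/FreeIPA: a small audit that finds [domain/...] sections other than the IPA domain in an sssd.conf and lists the ldap_idmap_range_* options set there. The sample file is constructed, "ipa.example.test" is a placeholder name, and treating the section with id_provider = ipa as the primary IPA domain is an assumption.

```python
import configparser

# Constructed sample modeled on the thread: an IPA domain plus a section
# for the trusted AD domain. "ipa.example.test" is a placeholder name.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, pac
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
subdomain_homedir = /home/%d/%u

[domain/test.osuwmc]
ldap_idmap_range_min = 100000
ldap_idmap_range_size = 900000
"""

def audit_sssd_conf(text):
    """Return (ipa_domains, findings) for an sssd.conf given as a string."""
    # interpolation=None: values such as /home/%d/%u contain literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = {s.split("/", 1)[1]: cp[s] for s in cp.sections()
               if s.startswith("domain/")}
    # Assumption: the primary IPA domain is the one with id_provider = ipa.
    ipa = sorted(n for n, sec in domains.items()
                 if sec.get("id_provider", "").strip().lower() == "ipa")
    findings = []
    if not ipa:
        return ipa, findings  # not an IPA client config; nothing to flag
    for name, sec in domains.items():
        if name in ipa:
            continue
        idmap = sorted(k for k in sec if k.startswith("ldap_idmap_range_"))
        msg = f"[domain/{name}] is not the IPA domain; remove it"
        if idmap:
            msg += " (options set here: " + ", ".join(idmap) + ")"
        findings.append(msg)
    return ipa, findings

if __name__ == "__main__":
    ipa_domains, problems = audit_sssd_conf(SAMPLE_CONF)
    print("IPA domain(s):", ipa_domains)
    for p in problems:
        print("WARNING:", p)
```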



