On Fri, 09 Jul 2021, iulian roman via FreeIPA-users wrote:
> Thanks for the links. According to the document, override for AD users
> can happen only in Default Trust View, therefore I cannot have the
> second host-based view defined. In this case it is absolutely
> impossible to make the override for AD users work for both SSSD
> versions.

I think you have misunderstood what the documentation is saying.

'Default Trust View' can only contain overrides for users/groups from
trusted AD domains. Other ID views can contain overrides for either IPA
users/groups or users/groups from trusted AD domains.

Overrides from ID Views are cumulative: Default Trust View overrides
apply always but host-specific view is applied locally at the host,
after SSSD on the host already received the data from an IPA server.
On IPA server only Default Trust View is applied and it is not possible
to add another view to IPA server.

If you have problems with ID overrides' application on the specific
host, chances are that you have issues with consistency of UID/GID <->
SID mapping in general.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland