URL:
https://github.com/SSSD/sssd/pull/5613
Title: #5613: ipa: read auto_private_groups from id range if available
sumit-bose commented:
"""
Hi,
some additional observations. The setting is inherited but only after multiple
refreshes:
```
[root@master.ipa.vm /var/log/sssd]# systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/db/* ; systemctl start sssd
[root@master.ipa.vm /var/log/sssd]# grep 'mpg m' *
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for child.ad.vm: default
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for child.ad.vm: false
[root@master.ipa.vm /var/log/sssd]# getent passwd dwqdqw@fewfw.fewff
[root@master.ipa.vm /var/log/sssd]# grep 'mpg m' *
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for child.ad.vm: default
sssd_ipa.vm.log:(2021-05-05 14:41:22): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for child.ad.vm: false
sssd_ipa.vm.log:(2021-05-05 14:42:30): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:42:30): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:42:30): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Range mpg mode for child.ad.vm: true
sssd_ipa.vm.log:(2021-05-05 14:42:30): [be[ipa.vm]] [ipa_subdom_store] (0x0400): Domain mpg mode for child.ad.vm: true
```
But even then it looks like a restart is required for the option to start working.
With `hybrid` it is the same; please note that `hybrid` is special in the sense that it is
completely handled in the responder. While looking at the related commit
2ea38097dc62963403f77c96946a93f8aae11a44 it looks like it is only handled in the nss
responder. Maybe it would be better to move the whole logic into cache_req? But this does
not have to be part of this PR. Here it should be sufficient to make sure the options read
from the server at startup, if the cache is empty, are available in the nss responder as
well.
bye,
Sumit
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5613#issuecomment-832757212
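
An added example, not part of the comment above or of SSSD: a small Python parser for the `ipa_subdom_store` debug lines quoted in the comment, which reports the refresh at which a subdomain's effective mpg mode changes. The function names are invented for this sketch, and the sample input is the log output from the comment with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample input: the ipa_subdom_store lines quoted in the comment above.
P = "sssd_ipa.vm.log:({ts}): [be[ipa.vm]] [ipa_subdom_store] (0x0400): {kind} mpg mode for {dom}: {mode}"
SAMPLE_LOG = "\n".join(P.format(ts=ts, kind=k, dom=d, mode=m) for ts, k, d, m in [
    ("2021-05-05 14:41:22", "Range", "ad.vm", "true"),
    ("2021-05-05 14:41:22", "Domain", "ad.vm", "true"),
    ("2021-05-05 14:41:22", "Range", "child.ad.vm", "default"),
    ("2021-05-05 14:41:22", "Domain", "child.ad.vm", "false"),
    ("2021-05-05 14:42:30", "Range", "ad.vm", "true"),
    ("2021-05-05 14:42:30", "Domain", "ad.vm", "true"),
    ("2021-05-05 14:42:30", "Range", "child.ad.vm", "true"),
    ("2021-05-05 14:42:30", "Domain", "child.ad.vm", "true"),
])

LINE_RE = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): .*?\[ipa_subdom_store\] "
    r"\(0x[0-9a-f]+\): (?P<kind>Range|Domain) mpg mode for (?P<dom>\S+): (?P<mode>\w+)"
)

def mpg_timeline(text):
    """Return {domain: [(timestamp, range_mode, domain_mode), ...]} in log order."""
    # Keying on (domain, timestamp) pairs each Range line with its Domain line
    # and collapses lines repeated by running grep more than once.
    per_refresh = defaultdict(dict)
    for m in LINE_RE.finditer(text):
        per_refresh[(m["dom"], m["ts"])][m["kind"]] = m["mode"]
    timeline = defaultdict(list)
    for (dom, ts), modes in per_refresh.items():
        timeline[dom].append((ts, modes.get("Range"), modes.get("Domain")))
    return dict(timeline)

def mpg_changes(text):
    """Return [(domain, timestamp, old_mode, new_mode)] for each refresh where
    the effective (Domain) mpg mode differs from the previous refresh."""
    changes = []
    for dom, entries in mpg_timeline(text).items():
        for (_, _, old), (ts, _, new) in zip(entries, entries[1:]):
            if old != new:
                changes.append((dom, ts, old, new))
    return changes

if __name__ == "__main__":
    for dom, ts, old, new in mpg_changes(SAMPLE_LOG):
        print(f"{dom}: domain mpg mode {old} -> {new} at {ts}")
```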