[SSSD] user and group precedence issue

Ooops :) Ooops again Ok, I see the logic now ( although I'm not completely convinced from a practical point of view to be honnest : a user name could be defined somewhere else, in a referal ldap for example. In that case, should it be an overall group consistency problem if a memberuid was uknown because a referal server is not accessible ? ). Anyway, thank you so much for your responses Simo and Stephen : I'll adapt my view to what is possible then :-) Kindest, --- Olivier 2012/3/14 Simo Sorce <simo(a)redhat.com&gt;: > On Wed, 2012-03-14 at 19:51 +0100, Olivier wrote: >> Simon, > > >> that's where I don't catch ( sorry) : >> >> > You are asking it to know about "unknown" users >> >> If you say in nsswitch.conf : >> >> passwd: local sss >> group: sss local >> >> Then sss should know about users that are in local >> /etc/passwd and may retrieve their groups in ldap ? > > No, sssd is blissfully unaware of what you have in /etc/passwd > or /etc/group, sssd cares only about what exists in ldap to date. > >> Why would that be inconsistent not to insert users >> entries in ldap in that situation ? > > Because in the ldap server there is no corresponding user. If you look > at the ldap tree on its own you see an "unknown" user name as member of > a group. > >> BTW, I don' think that ldap requires that an entry exists >> for a posixgroup memberuid ? > > No the rfc2307 schema does not mandate consistency (the rfc2307bis > schema does mandate it due to use of DNs instead of simple names). > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > sssd-devel mailing list > sssd-devel(a)lists.fedorahosted.org > https://fedorahosted.org/mailman/listinfo/sssd-devel