Title: #522: Prepare SSSD to support IPA in trust to Samba AD
I only scrolled through the patches, I must admit I didn't do any testing yet.
For the search bases, I would just appreciate more descriptive variable names than
Is the TDO lookup something that also the clients do or only masters do? The first patch
touches both cases, but I think it might improve performance if we only set multiple
search bases on the IPA servers. In general I'm somewhat concerned about performance
implications because two search bases mean that anything that doesn't hit the first
search base also hits the second one. And in the typical case, this might be either local
users (because of the way libc behaves, it tries to find group memberships across all
databases) or, in the case of trusts, we first try to match a name against the ID views before
the trusted domain; now we'd have to try for the ID view in two bases. This is OK if
it's done only on the master, but if this were done on the clients as well, I wonder if
we'd have to improve the heuristics or add a filter to the search base.
BTW, is adding the filter something we should do anyway to speed up the lookup? In this
case, we do know what the server is, so we might as well ask the 389 developers if they
have any recommendation.
About the keytab patch, this really needs careful testing. At the very least, we also have
codepaths for one-way or two-way trusts that also set different options (I guess
that's where the principal and the keytab get propagated into the low-level sdap
code). Did you test the lookups with both one-way and two-way trusts after the change or
would you prefer if I (or someone else, see below) try to run the available tests?
Finally, please note I'll be mostly away for much of next week -- I hope others can
chime in as well if this PR is urgent; otherwise I'll see what I can do.
See the full comment at https://github.com/SSSD/sssd/pull/522#issuecomment-368657139