On Mon, May 06, 2013 at 03:05:08PM +0200, Jakub Hrozek wrote:
On Mon, May 06, 2013 at 08:52:51AM -0400, Simo Sorce wrote:
> On Mon, 2013-05-06 at 10:18 +0200, Jakub Hrozek wrote:
> > On Mon, May 06, 2013 at 10:14:01AM +0200, Jakub Hrozek wrote:
> > > On Mon, May 06, 2013 at 09:40:21AM +0200, Sumit Bose wrote:
> > > > On Sun, May 05, 2013 at 11:21:19PM +0200, Jakub Hrozek wrote:
> > > > > Hi,
> > > > >
> > > > > the attached patch implements the changes described in #1468.
> > > > > itself is implemented in confdb_get_domain_internal, which
> > > > > layering a little because there is some knowledge about the
> > > > > used in the responders, in particular loading the flat name is
> > > > > called if the id_provider equals "AD".
> > > > >
> > > > > Also technically the NetBIOS name could be completely different
> > > > > AD domain name and could have been read from the rootDSE. But
> > > > > I really don't think it's worth it, so I went with a
config option, that
> > > > > would be unset in the vast majority of deployments.
> > > >
> > > > Since I need the SID of the AD domain, e.g. to properly evaluate the
> > > > data in the PAC, I'm working on a patch which tires to read the
> > > > the flat name from AD. I'll try to send it to the list later
> > > >
> > > > I think in general it shouldn't be a problem to have both, config
> > > > and dynamic discovery. I only wonder how to handle the case of
> > > > conflicts, i.e. the configured and discovered value differs.
> > >
> > > But wouldn't there be kind of a chicken-and-egg problem? The
> > > would need to know the flatname in order to send the request to the
> > > correct domain while at the same time you don't know which domain to
> > > send the request to. Or did you plan a similar concept as subdomains?
> > About the conflict -- in general I think that any locally set options
> > should override autodiscovery. But if the autodiscovery worked, would
> > there be a point in the config option at all? I would like to prevent
> > more and more config options for every aspect, the SSSD should Just Work
> > (tm).
> Yes we want SSSD just works, that is why I do not like your patch,. it
> makes it easy to break stuff and it is one more thing to add manually
> (and that is not how just-works works).
> As for discovery: we can list the domains we have configured. Add a call
> to get the short name from the domain after it is initialized and
> backfill the flat name, store the flat name in sysdb so we can pre-fill
> it all the time except the first time.
That's what Sumit's patch will be about. This patch will likely be
This patch is retired in favor of Sumit's "AD: read flat name and SID of
the AD domain" and I'll mark it as "Rejected" in patchwork. If we ever
feel we need an option, we can resurrect it.