Dmitri Pal <dpal <at> redhat.com> writes:
The SSSD expectation is that identity data is domain consistent
meaning that users from domain A are members of groups in domain A
and users in domain B are members of domain B. There is no overlap.
Thanks for the quick reply.
But, something still doesn't make sense to me. Domain A is first in the list,
and returns a gidNumber of 10106 for my account. Domain A has no group with
that gid. It then searched domain B for the group, and finds it. If the
domains were to be treated as independent with no overlap, this should not
happen, right?
This is what suggested to me that both domains would be searched. It's using
information from domain B to fill in gaps in information from domain A.
Is there a pure sss way of using the union of the information from the two
domains? Or, is there a way to specify a domain for sss to use for groups in
the nsswitch.conf file?
Also AFAIR you can't configure two connections from within one domain.
What you can do is for groups use
sss ldap
or maybe even just ldap
in nsswitch.conf and use SSSD for users and configure nss_ldap for groups.
I am not sure whether that would work but it is worth a try.
I'll have a go with nss_ldap, but I would much prefer a pure sss configuration.
Thanks again for your help.
_______________________________________________
sssd-users mailing list
sssd-users <at> lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.