Rowland Penny wrote 2014-11-13 18:16:
On 13/11/14 15:04, Lukas Slebodnik wrote:
> On (13/11/14 17:53), Sergey Urushkin wrote:
>> Hello!
>>
>> Lukas Slebodnik wrote 2014-11-13 17:16:
>>
>>> I reduced attributes to the next set:
>>> accountExpires
>>> userAccountControl
>>> uSNChanged
>>> whenChanged
>>>
>>> homeDirectory //should not be used with AD provider.
> I should have written: should not be used with AD provider BY DEFAULT
>
>> What's wrong with it? I have no problems. homeDirectory is for windows,
>> unixHomeDirectory is for linux, isn't it?
>>
> of course you can use it if you want.
> SSSD has the configuration option ldap_user_home_directory for this
> purpose.
Well, yes but as far as I can see, you can only set it once, so you
have to choose which users to default to, windows or unix.
In my setup every user has both attributes, windows doesn't care about
unixHomeDirectory and sssd ad provider doesn't care about homeDirectory.
It uses unixHomeDirectory by default (!), if there is no such attribute,
it sets the home directory to "/", even though homeDirectory has another value
(UNC path). It works this way at least with 1.11.5 and 1.11.7 for me. I
think that's the right default.
---
Best regards,
Sergey Urushkin
Rowland
>
>>> Other attributes are not used by sssd.
>>>
>> Ok, but all listed attributes are not needed for group membership discovery.
>> If some account expires (accountExpires) or e.g. changing password is denied
>> (userAccountControl), it doesn't mean it leaves its groups. Timestamps
>> (uSNChanged, whenChanged) are not important for groups too. So, I think they
>> should not be needed for group membership discovery, but it seems they are in
>> sssd (without them things are broken in my case), unlike winbind. Maybe the NSS
>> algorithm should be fixed in this way?
> I would need to check the code where these options are used and why there is a
> problem. I can't say at the moment.
>
> But thank you very much for your investigation.
> At least, we will know how to reproduce the problem.
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
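
An added example, not part of the thread and not SSSD code: a small audit over an LDIF export that applies the behaviour reported above (the mapped attribute is used as the home directory, and an account without it gets "/") to show which accounts would end up with "/" or with a UNC path as home. The sample entries, the function names and the `home_attr` parameter (standing in for the attribute that ldap_user_home_directory selects) are constructed for illustration.

```python
import base64

# Constructed sample export (not from the thread); carol's value is base64-encoded.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
homeDirectory: \\\\fs01\\home\\alice
unixHomeDirectory: /home/alice

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
homeDirectory: \\\\fs01\\home\\bob

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
unixHomeDirectory:: L2hvbWUvY2Fyb2w=
"""

def parse_ldif(text):
    """Return one {lowercased attribute: first value} dict per LDIF entry."""
    entries, current = [], {}
    text = text.replace("\n ", "")  # unfold continuation lines
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current.setdefault(name.strip().lower(), value)
    return entries

def audit(text, home_attr="unixHomeDirectory"):
    """Return (account, resolved home, finding) for every entry in the export."""
    report = []
    for entry in parse_ldif(text):
        home = entry.get(home_attr.lower()) or "/"  # assumption: "/" as reported in the thread
        if home == "/":
            finding = "missing " + home_attr
        elif not home.startswith("/"):
            finding = "not a POSIX path"
        else:
            finding = "ok"
        report.append((entry.get("samaccountname"), home, finding))
    return report
```

Calling `audit(SAMPLE_LDIF, "homeDirectory")` shows the other side of the choice discussed above: every UNC value is flagged as not being a POSIX path.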