Hello!
Lukas Slebodnik wrote 2014-11-13 17:16:
I reduced attributes to the next set:
accountExpires
userAccountControl
uSNChanged
whenChanged
homeDirectory //should not be used with AD provider.
What's wrong with it? I have no problems. homeDirectory is for Windows,
unixHomeDirectory is for Linux, isn't it?
Other attributes are not used by sssd.
Ok, but all listed attributes are not needed for group membership
discovery. If some account expires (accountExpires) or e.g. changing
password is denied (userAccountControl), it doesn't mean it leaves its
groups. Timestamps (uSNChanged, whenChanged) are not important for
groups either. So, I think they should not be needed for group membership
discovery, but it seems they are in sssd (without them things are broken
in my case), unlike winbind. Maybe the NSS algorithm should be fixed in
this way?
---
Best regards,
Sergey Urushkin