On Wednesday, 24-01-2018 at 17:44, Jakub Hrozek wrote:
> On Wed, Jan 24, 2018 at 05:25:26PM +0100, Franky Van Liedekerke wrote:
> > On Wednesday, 24-01-2018 at 16:45, Jakub Hrozek wrote:
> > > On Wed, Jan 24, 2018 at 10:10:11AM -0500, Geoff Goehle wrote:
> > > > Sorry about the line breaks. Adding "enable_files_domain = false" to the
> > > > [sssd] section fixed the issue. Just out of curiosity, could I ask what
> > > > that does? It's not in the man page.
> > >
> > > SSSD has a feature which mirrors the local /etc/passwd and /etc/group
> > > files for faster lookups of local users without having to enable nscd
> > > which is tricky to operate together with sssd, especially if you run
> > > sssd for a remote domain, too:
> > >
> > > https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers
> > > But I'm surprised that Debian would enable this feature without changing
> > > the nsswitch.conf order like Fedora did. They probably should disable
> > > the files domain by default..
> > >
> > > The files domain is currently identity-only and no authentication is
> > > performed. That, together with the duplicate users and the files domain
> > > running by default has been causing the failures for you..
> >
> > On a side-note: I just tested this enable_files_domain and it seems using it
> > results in the next domain still being queried for local users (verified by sifting
> > through the ldap server logs). Using an explicit domain with id_provider=files apparently
> > works differently (that domain answers and the next one is not queried), which is not very
> > transparent.
> > Is this expected?
>
> What was the order of the explicit domains? Note the implicit domain is
> always prepended before any other domain..
The order in case of an explicit domain is first the files-based one, then ldap. So the
order is (or should be) identical in both cases.