On 03/04/2015 01:35 PM, Aviolat Romain wrote:
Hi there,
I played again with the sssd.conf config file and I'm not 100% sure that I'm
configuring sssd correctly. I'm still trying to tell sssd to ignore the SID mapping.
I'm not sure if I should create multiple domains, one for the freeIPA domain and one
for the ad domain and put specific options into them. Like
[domain/ad.mydomain2.net]
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False

[domain/domain1.com]
Options specific to the FreeIPA domain.
I have also read that all the domains should be listed in the [sssd] section.
I can't find info about how to configure this file for multiple domains, can someone
point me in the right direction?
Thanks for your help
Romain
OK. If you use SSSD with IPA and IPA has a trust with AD, then you just
join the client to IdM using realmd or ipa-client-install. In this case SSSD,
via its configuration, should know only about the domain it is joined to:
the IPA one. The AD domains and forests are discovered dynamically and
internally and do not require any configuration in sssd.conf.
I suggest you start over with
1. Install IPA.
2. Join a client to IPA using ipa-client or realmd
3. Test that authentication and identity lookups work
4. Establish trust between IPA and AD
5. Try to log in with an AD user on the client
In any case you do not need to configure anything manually unless you
have some real corner case in your environment.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Aviolat Romain
Sent: lundi 2 mars 2015 17:19
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
Unfortunately the logs aren't helpful. It seems that sssd at one time went offline, but
it's not at all in the same time-frame as when I ran my tests. I also tried to enable the
full debug log (0xFFF0).
The thing is that I don't need to enable all those mapping mechanisms because I
don't rely on the AD groups; I use FreeIPA to set group membership. So I tried to
deactivate this using the following options, as suggested by lslebodn:
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
But the mapping still occurs, as does the timeout. It seems that those options are not
working.
Here's my sssd config file.
[domain/mydomain1.com]
debug_level = 0x07f0
#debug_level = 0xFFF0
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
#ldap_initgroups_use_matching_rule_in_chain = True
ldap_id_mapping = False
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain1.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kdc.mydomain1.com
chpass_provider = ipa
ipa_server = kdc.mydomain1.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = mydomain1.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
Thanks for your help !
Romain
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: lundi 2 mars 2015 13:50
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On Mon, Mar 02, 2015 at 12:45:19PM +0000, Aviolat Romain wrote:
> I couldn't see a reason too... I'm 100% sure that the infra (AD servers and
network) is always UP. Tell me if I can dig a bit further into some log files.
>
> Thanks again for your help.
>
> Romain
Can you search the logs for a message saying "Going offline"? IIRC that would
show the spot where SSSD switched from online to offline mode; the log messages above
that would (hopefully) show the reason.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
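As an added illustration of the advice in this thread (this is example code, not something from the SSSD project or from any participant): a small linter that reads an sssd.conf and checks the points Dmitri makes above. On a host joined to IPA that reaches AD through an IPA-AD trust, the [sssd] "domains" list should name only the IPA domain, any extra [domain/...] section for AD is manual configuration the trust makes unnecessary, and a domain section that is not listed under [sssd] is silently ignored by SSSD. The two sample configurations are constructed here from the layouts in the thread; the client host name client.mydomain1.com and the id_provider = ad section are assumptions.

```python
"""Lint an sssd.conf for an IPA client behind an IPA-AD trust.

Added example; not SSSD project code and not from the mailing-list thread.
It encodes Dmitri Pal's advice: on a client joined to IPA, SSSD should know
only about the IPA domain; trusted AD domains are discovered internally and
need no [domain/...] section of their own.
"""
import configparser

# Options from the thread used to suppress AD group resolution in the IPA
# domain section. They are not wrong per se, so they are reported as "info":
# under a trust, per the advice above, no manual tuning should be needed.
MANUAL_TUNING = ("ldap_group_nesting_level", "ignore_group_members",
                 "ldap_use_tokengroups", "ldap_id_mapping")


def parse_sssd_conf(text):
    """Parse sssd.conf's INI-style syntax, keeping option names as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_sssd_conf(text):
    """Return a list of (level, message) findings; an empty list means clean.

    Assumption: the host is an IPA client and AD is reached only through an
    IPA-AD trust, so a non-IPA [domain/...] section next to the IPA domain is
    flagged as unnecessary.
    """
    cp = parse_sssd_conf(text)
    findings = []
    if not cp.has_section("sssd"):
        return [("error", "no [sssd] section; SSSD will not start")]

    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
              if d.strip()]
    if not listed:
        findings.append(("error", "[sssd] has no 'domains' entry; no domain is active"))

    # map "mydomain1.com" -> "domain/mydomain1.com"
    sections = {s[len("domain/"):]: s for s in cp.sections() if s.startswith("domain/")}

    for name in listed:
        if name not in sections:
            findings.append(("error", f"domain '{name}' is listed but [domain/{name}] is missing"))
    for name in sections:
        if name not in listed:
            findings.append(("warn", f"[domain/{name}] exists but is not in [sssd] domains; SSSD ignores it"))

    ipa_domains = [n for n, s in sections.items()
                   if cp.get(s, "id_provider", fallback="") == "ipa"]
    if ipa_domains:
        for name, sec in sections.items():
            provider = cp.get(sec, "id_provider", fallback="")
            if provider != "ipa":
                findings.append(("warn", f"[domain/{name}] (id_provider={provider or 'unset'}) sits next to "
                                         f"IPA domain {ipa_domains[0]}; trusted AD domains are discovered "
                                         f"through IPA and need no section of their own"))
        for name in ipa_domains:
            present = [o for o in MANUAL_TUNING if cp.has_option(sections[name], o)]
            if present:
                findings.append(("info", f"[domain/{name}] carries manual AD lookup tuning: "
                                         f"{', '.join(present)}"))
    return findings


# Constructed sample following the two-section layout sketched in the first
# message (domain names from the thread, id_provider = ad assumed).
TWO_DOMAIN_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = domain1.com, ad.mydomain2.net

[domain/domain1.com]
id_provider = ipa
ipa_domain = domain1.com

[domain/ad.mydomain2.net]
id_provider = ad
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
"""

# Constructed sample of the shape recommended above: one IPA domain only.
# The host name client.mydomain1.com is assumed.
IPA_CLIENT_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = mydomain1.com

[domain/mydomain1.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = mydomain1.com
ipa_server = kdc.mydomain1.com
ipa_hostname = client.mydomain1.com
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
"""

if __name__ == "__main__":
    for label, conf in (("two-domain", TWO_DOMAIN_CONF), ("ipa-client", IPA_CLIENT_CONF)):
        print(f"== {label}")
        for level, msg in lint_sssd_conf(conf) or [("ok", "no findings")]:
            print(f"  {level}: {msg}")
```

Run it against a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the "warn" on a second domain section is what catches the two-domain layout from the first message, while the recommended single-domain client configuration produces no findings.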