On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
>On 03/25/2015 05:13 PM, Matt John wrote:
>>>On 25 Mar 2015, at 20:53, Michael Ströder <michael(a)stroeder.com> wrote:
>>>
>>>Matt John wrote:
>>>>We currently have two ldap servers (this cannot be changed) where one is
>>>>used for user authentication and the other provides information on
>>>>automounts. The ldap server used for automounts only contains a subset of
>>>>the users in the other ldap server as not all users are able to, or have
>>>>the need to, log into our systems.
>>>Disclaimer: I have no personal experience with multi-domain sssd config for
>>>distributed users/groups/sudoers/automap entries (except local and LDAP being used
>>>side-by-side).
>>>
>>>But for forcing all user information to come from the [domain/authd] I'd try
>>>to set:
>>>
>>>[domain/autofsd]
>>>[..]
>>>id_provider = none
>>>auth_provider = none
>>>[..]
>>Setting those options for the autofsd results in sssd failing to start. Looking
>>through the logs nothing jumps out apart from these lines:
>>
>>[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
>>[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend [2]
>>[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
>>[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code [3]
>>[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
>>
>>_______________________________________________
>>sssd-users mailing list
>>sssd-users(a)lists.fedorahosted.org
>>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>Based on what I know about SSSD it might currently assume that automount
>data and user data come from the same identity source and share the same
>connection.
>But I would leave it to the SSSD gurus to provide more details in the morning.
I guess we require id_provider to be != none. Sorry, then I led you
down the wrong path a bit on serverfault. The requirement might be a relic from
the past where domains only served identity and authentication -- I
guess it's time to change it, can you open a ticket?
Also, can you try a config like this (again, untested):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
# This domain is unchanged
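As an added example (not SSSD's own code and not part of the thread), a small check that catches the constraint discussed above, a domain with id_provider = none, before sssd is restarted; the two sample configs are constructed from the thread, and the hostnames and DNs are placeholders:

```python
"""Lint an sssd.conf for the constraint from the thread: every domain listed in
[sssd] domains must exist and declare an id_provider other than 'none',
otherwise the backend fails at be_process_init. Added example, not SSSD code."""
import configparser

# Constructed sample: domain/autofsd follows the config proposed in the thread,
# domain/authd is a plain LDAP identity/auth domain (placeholder hostnames).
SAMPLE_OK = """
[sssd]
services = nss, pam, autofs
domains = authd, autofsd

[domain/autofsd]
id_provider = local
auth_provider = none
autofs_provider = ldap
ldap_uri = ldap://ldap1.example.com/
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap2.example.com/
"""

# Constructed sample reproducing the failing attempt from the thread.
SAMPLE_BAD = SAMPLE_OK.replace("id_provider = local", "id_provider = none")

def check_domains(text):
    """Return a list of problems; an empty list means the config passes."""
    # sssd.conf uses '=' only; restricting delimiters keeps ':' in URIs intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    problems = []
    domains = cp.get("sssd", "domains", fallback="")
    for name in (d.strip() for d in domains.split(",") if d.strip()):
        section = "domain/" + name
        if not cp.has_section(section):
            problems.append(f"{section}: listed in [sssd] domains but not defined")
            continue
        idp = cp.get(section, "id_provider", fallback="").strip().lower()
        if idp in ("", "none"):
            problems.append(f"{section}: id_provider must be set and not 'none'")
    return problems

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_domains(cfg) or "passes")
```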