On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
On 03/25/2015 05:13 PM, Matt John wrote:
On 25 Mar 2015, at 20:53, Michael Ströder michael@stroeder.com wrote:
Matt John wrote:
We currently have two ldap servers (this cannot be changed) where one is used for user authentication and the other provides information on automounts. The ldap server used for automounts only contains a subset of the users in the other ldap server as not all users are able to, or have the need to, log into our systems.
Disclaimer: I have no personal experience with multi-domain sssd config for distributed users/groups/sudoers/automap entries (except local and LDAP being used side-by-side).
But for forcing all user information to come from the [domain/authd] I'd try to set:
[domain/autofsd]
[..]
id_provider = none
auth_provider = none
[..]
Setting those options for the autofsd results in sssd failing to start. Looking through the logs nothing jumps out apart from these lines:
[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend [2]
[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code [3]
[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Based on what I know about SSSD it might currently assume that automount data and user data come from the same identity source and share the same connection. But I would leave it to the SSSD gurus to provide more details in the morning.
I guess we require id_provider to be != none. Sorry, then I led you down the wrong path a bit on serverfault. The requirement might be a relic from the past where domains only served identity and authentication -- I guess it's time to change it; can you open a ticket?
Also can you try a config like this (again, untested):

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
# This domain is unchanged
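As an added example (not code from the thread or from the SSSD project), the following script lints an sssd.conf for the failure mode discussed above: a domain listed in [sssd] domains whose id_provider is missing or set to none, which makes that backend exit at startup. It also checks the two things a practitioner would want to verify in the suggested two-domain layout: that an autofs_provider = ldap domain has its ldap_uri and ldap_autofs_search_base, and that a plain ldap:// URI is paired with ldap_id_use_start_tls = True so the automount lookups are not sent in the clear. The configurations embedded in it are constructed for the example; the host names, search bases and the hypothetical lint() function are assumptions.

```python
"""Lint an sssd.conf for domains that SSSD will refuse to start.

Added example; the configurations below are constructed and the
check names are hypothetical, not part of SSSD itself.
"""
import configparser

# Constructed sssd.conf mirroring the first attempt in the thread:
# the autofs-only domain sets id_provider = none.
BROKEN_CONF = """
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = authd, autofsd

[domain/authd]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap0.example.com/
ldap_id_use_start_tls = True

[domain/autofsd]
id_provider = none
auth_provider = none
ldap_id_use_start_tls = True
autofs_provider = ldap
ldap_uri = ldap://ldap1.example.com/
ldap_autofs_search_base = dc=test,dc=example.com
"""

# The suggested fix: an (empty) local identity provider keeps the backend alive.
FIXED_CONF = BROKEN_CONF.replace("id_provider = none", "id_provider = local")

# Same as the fix but with STARTTLS dropped from both ldap:// domains.
NO_TLS_CONF = FIXED_CONF.replace("ldap_id_use_start_tls = True\n", "")

# Options an ldap autofs provider cannot work without.
REQUIRED_FOR_LDAP_AUTOFS = ("ldap_uri", "ldap_autofs_search_base")


def parse_sssd_conf(text):
    """sssd.conf is INI-style: [section] headers, key = value, # comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint(text):
    """Return a list of (section, message) findings; an empty list means clean."""
    cp = parse_sssd_conf(text)
    findings = []
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in declared:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            findings.append((sec, "declared in [sssd] domains but the section is missing"))
            continue

        # The condition behind "fatal error initializing data providers":
        # every domain needs a real identity provider, even if it only serves automounts.
        idp = cp.get(sec, "id_provider", fallback="").strip().lower()
        if idp in ("", "none"):
            findings.append((sec, "id_provider missing or 'none': backend will not start"))

        # An ldap autofs provider needs somewhere to connect and somewhere to search.
        if cp.get(sec, "autofs_provider", fallback="").strip().lower() == "ldap":
            for key in REQUIRED_FOR_LDAP_AUTOFS:
                if not cp.has_option(sec, key):
                    findings.append((sec, f"autofs_provider = ldap but {key} is not set"))

        # Plain ldap:// without STARTTLS sends directory traffic unencrypted.
        uri = cp.get(sec, "ldap_uri", fallback="").strip().lower()
        starttls = cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False)
        if uri.startswith("ldap://") and not starttls:
            findings.append((sec, "plain ldap:// URI without ldap_id_use_start_tls = True"))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("no-tls", NO_TLS_CONF)):
        print(label)
        for section, message in lint(conf) or [("-", "clean")]:
            print(f"  [{section}] {message}")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into lint(); it only inspects the options named above and does not touch the directory servers, so it is safe to run before restarting sssd.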