On (13/11/14 16:31), Sergey Urushkin wrote:
Hello!
While writing you a mail I discovered that the kerberos principal used by sssd
(NIX$) doesn't have permissions for some ldap-attributes (all problem
accounts had special AD (ldap) permissions). After resetting the permissions in
ADUC, the problem disappears.
It seems sssd does stricter account checking than winbind (which works
fine in the same situation). Maybe it's too strict for discovering group
membership. Or do you consider this normal?
Attributes which were not readable before resetting permissions:
accountExpires:
badPasswordTime:
badPwdCount:
homeDirectory:
homeDrive:
instanceType:
lastLogoff:
lastLogon:
logonCount:
logonHours:
msSFU30NisDomain:
pwdLastSet:
scriptPath:
userAccountControl:
uSNChanged:
uSNCreated:
whenChanged:
whenCreated:
I reduced the attributes to the following set:
accountExpires
userAccountControl
uSNChanged
whenChanged
homeDirectory //should not be used with the AD provider.
Other attributes are not used by sssd.
LS
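An added example, not code from sssd or from either poster: an offline check that an LDAP read of an AD user returns the reduced attribute set named above, and that separates "attribute not readable by the bind principal (ACL)" from "account disabled or expired". The attribute semantics used here (the userAccountControl disable bit, accountExpires as a Windows FILETIME with 0 and 0x7FFFFFFFFFFFFFFF meaning "never") follow Microsoft's documentation; the status logic is this example's own, not sssd's implementation, and the LDIF entries are constructed sample data.

```python
# Added example (not sssd code): check that the attributes the AD provider
# needs are readable, and report "unreadable" rather than "disabled" when a
# required attribute is missing because of a permissions problem.
from datetime import datetime, timedelta, timezone

# The reduced attribute set from the reply above.
REQUIRED_ATTRS = ("accountExpires", "userAccountControl", "uSNChanged", "whenChanged")

UAC_ACCOUNTDISABLE = 0x0002                # userAccountControl bit: account disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}    # accountExpires values meaning "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Parse a minimal 'attr: value' LDIF entry into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def missing_required(entry):
    """Required attributes absent from the search result (not readable by the bind principal)."""
    return [a for a in REQUIRED_ATTRS if not entry.get(a)]


def filetime_to_datetime(ft):
    """accountExpires is a Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for tz-aware datetimes (second resolution)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def account_status(entry, now=None):
    """Return (status, missing): status is 'unreadable', 'disabled', 'expired' or 'active'."""
    missing = missing_required(entry)
    if missing:
        # A missing attribute is an ACL problem, not evidence the account is disabled.
        return "unreadable", missing
    if int(entry["userAccountControl"][0]) & UAC_ACCOUNTDISABLE:
        return "disabled", []
    expires = int(entry["accountExpires"][0])
    if expires not in NEVER_EXPIRES:
        now = now or datetime.now(timezone.utc)
        if filetime_to_datetime(expires) <= now:
            return "expired", []
    return "active", []


# Constructed sample entries (not real directory data).
FULL_ENTRY = """\
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
accountExpires: 0
uSNChanged: 123456
whenChanged: 20141113163100.0Z
"""
# Same account with accountExpires set to 2014-01-01T00:00:00Z as a FILETIME.
EXPIRED_ENTRY = FULL_ENTRY.replace("accountExpires: 0", "accountExpires: 130330080000000000")
# What a bind principal without read rights on the restricted attributes gets back.
RESTRICTED_ENTRY = """\
dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
"""

if __name__ == "__main__":
    for name, ldif in (("alice", FULL_ENTRY), ("alice-expired", EXPIRED_ENTRY), ("bob", RESTRICTED_ENTRY)):
        print(name, account_status(parse_ldif(ldif)))
```

Running it prints `active` for the full entry, `expired` for the copy with a past accountExpires, and `unreadable` with the list of all four required attributes for the restricted entry, which is the symptom described in the thread: the account is fine, the principal simply cannot read the attributes.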