On Wed, May 6, 2015 at 1:47 AM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (06/05/15 01:12), James Ralston wrote:
> enumerate = true
I hope it was just for testing purposes. We do not recommend to
I know it's not recommended. I'll address this in a separate
> ldap_id_mapping = true
You can remove this line, id-mapping is enabled by default for
> ldap_sasl_mech = GSSAPI
> ldap_schema = AD
Previous 2 lines are default for id_provider ad as well
I know. (I added those lines more for illustration purposes than
> offline_failed_login_attempts = 3
This line should be in [pam] section, it will have effect only if
"cache_credentials" is enabled in domain section.
Ah; good to know. I will correct that. Thanks.
I would be curious where you got the inspiration for your sssd.conf. So we can
I created it myself. So, blame me. ;-)
Distribution groups are filtered by default.
"Distribution groups are not security-enabled, which means that
they cannot be listed in discretionary access control lists
(DACLs). If you need a group for controlling access to shared
resources, create a security group."
A suggestion: it would have been very helpful if the debug messages
had contained some statement like "ignoring distribution group
That would have made it much more clear what was happening, which (as
I understand it) was:
1. sssd was ignoring a distribution group. (This is normal,
2. sssd was trying to cache the distribution group, but failing
due to ticket/2588. (This is a bug, not normal behavior.)
> (Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
> [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or
> value exists]
here is a problem
It is very likely an upstream bug with binary objectGUID
OK, thanks for the explanation and the pointer.
For testing purposes you can try to use a pre-release of upstream
1.12.5; it should be released within a few days and it contains a fix for
the bug and also other fixes.
What do you recommend doing for RHEL6 (currently on
1. Use your 1.12.5 packages on RHEL6?
2. Wait for Red Hat to backport the patch for ticket/2588 to
their 1.11.6 branch?
3. Wait for Red Hat to rebase RHEL6 to 1.12.5?
4. Backport the patch for ticket/2588 to 1.11.6-30.el6_6.4
5. Something else?
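
The configuration points raised in this thread can be checked mechanically. The following is an added example, not part of the original messages and not SSSD project code: a small Python linter that flags `enumerate = true`, options that only restate the `id_provider = ad` defaults named above, and `offline_failed_login_attempts` placed outside `[pam]` or used without `cache_credentials` in a domain section. The sample configuration, the function name `lint_sssd_conf` and the finding strings are assumptions made for illustration.

```python
import configparser

# Constructed sample, modeled on the options quoted in the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.org

[pam]

[domain/example.org]
id_provider = ad
enumerate = true
ldap_id_mapping = true
ldap_sasl_mech = GSSAPI
ldap_schema = AD
offline_failed_login_attempts = 3
"""

# Values the thread says are already the defaults for id_provider = ad.
AD_DEFAULTS = {"ldap_id_mapping": "true", "ldap_sasl_mech": "gssapi", "ldap_schema": "ad"}


def lint_sssd_conf(text):
    """Return a sorted list of (section, option, finding) tuples."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    for sec in domains:
        opts = cp[sec]
        if opts.get("enumerate", "false").lower() == "true":
            findings.append((sec, "enumerate", "not recommended"))
        if opts.get("id_provider", "").lower() == "ad":
            for key, default in AD_DEFAULTS.items():
                if opts.get(key, "").lower() == default:
                    findings.append((sec, key, "redundant default"))
        if "offline_failed_login_attempts" in opts:
            findings.append((sec, "offline_failed_login_attempts", "belongs in [pam]"))
    # In [pam], the limit only takes effect when a domain caches credentials.
    if cp.has_option("pam", "offline_failed_login_attempts"):
        caching = any(cp[s].get("cache_credentials", "false").lower() == "true" for s in domains)
        if not caching:
            findings.append(("pam", "offline_failed_login_attempts", "needs cache_credentials"))
    return sorted(findings)
```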