On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote:
Hi All,
I'm working in a proof of concept for a customer where I've been asked to
join the child domain of a Microsoft Active Directory domain,
child.example.com. Users will primarily exist in the parent, example.com,
but some users will also exist in the child. The application requires that
all users have a specific primary GID, 1100, which is defined in /etc/group
and I'm attempting to apply via override_gid.
User authentication via either the child or parent is successful, however,
the override_gid is only applied to users of the child, @child.example.com
and NOT for users of the parent, @example.com.
I saw what looked to be a similar post to this list from Sep 2018. It was
suggested this may be a bug. I didn't see a follow-up/resolution to that
thread. Is this issue being tracked or has it been resolved?
Hi,
in contrast to other options, the override_gid option is not
automatically inherited by sub-domains (from the SSSD point of view). I
think this is better than the other way round because the given GID
might make sense in one domain but not in the other.
The version of SSSD you are using allows setting options for sub-domains
individually. Please try to add:
[domain/child.example.com/example.com]
override_gid = 1100
to sssd.conf. This works for many options but I have not tested
override_gid yet. So please let me know if this works or not.
HTH
bye,
Sumit
Below is my sssd.conf:
[root@linux2 sssd]# cat sssd.conf
[sssd]
domains = child.example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = EXAMPLE.COM
[domain/child.example.com]
ad_domain = child.example.com
krb5_realm = CHILD.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = FOREST:example.com:(memberOf:1.2.840.113556.1.4.1941:=CN=LinuxUsers,ou=Groups,dc=child,dc=example,dc=com)
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
override_gid = 1100
CentOS Version:
[root@linux2 sssd]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
SSSD Component Versions:
[root@linux2 sssd]# rpm -qa |grep sssd
sssd-common-pac-1.16.2-13.el7_6.8.x86_64
sssd-ldap-1.16.2-13.el7_6.8.x86_64
python-sssdconfig-1.16.2-13.el7_6.8.noarch
sssd-client-1.16.2-13.el7_6.8.x86_64
sssd-krb5-common-1.16.2-13.el7_6.8.x86_64
sssd-ipa-1.16.2-13.el7_6.8.x86_64
sssd-krb5-1.16.2-13.el7_6.8.x86_64
sssd-dbus-1.16.2-13.el7_6.8.x86_64
sssd-proxy-1.16.2-13.el7_6.8.x86_64
sssd-tools-1.16.2-13.el7_6.8.x86_64
sssd-common-1.16.2-13.el7_6.8.x86_64
sssd-ad-1.16.2-13.el7_6.8.x86_64
sssd-1.16.2-13.el7_6.8.x86_64
Thanks,
-Josh
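
Added example (not part of the original thread and not SSSD project code): since, as the reply above explains, override_gid set in the joined domain's section is not inherited by sub-domains, this Python check audits an sssd.conf for domains that lack an explicit override_gid. The sample config is constructed from the one in the thread, and the `trusted` mapping of forest domains is an assumption supplied by the caller.

```python
import configparser

# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE_CONF = """
[sssd]
domains = child.example.com
services = nss, pam

[domain/child.example.com]
id_provider = ad
fallback_homedir = /home/%u@%d
override_gid = 1100
"""


def override_gid_report(conf_text, trusted):
    """Return {domain: explicit override_gid or None} for every domain.

    trusted maps each joined domain to the other forest domains it serves.
    Assumption: the caller supplies this; sssd.conf does not list them.
    """
    # interpolation=None keeps values such as /home/%u@%d literal;
    # delimiters=("=",) keeps ':' inside values like ad_access_filter intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    joined_domains = [d.strip() for d in cp.get("sssd", "domains").split(",")
                      if d.strip()]
    report = {}
    for joined in joined_domains:
        report[joined] = cp.get(f"domain/{joined}", "override_gid",
                                fallback=None)
        for sub in trusted.get(joined, []):
            # Per-sub-domain section form suggested in the reply:
            # [domain/<joined domain>/<sub-domain>]
            report[sub] = cp.get(f"domain/{joined}/{sub}", "override_gid",
                                 fallback=None)
    return report


def missing_override(conf_text, trusted):
    """Domains whose users would not get an explicit override_gid."""
    report = override_gid_report(conf_text, trusted)
    return sorted(d for d, gid in report.items() if gid is None)


if __name__ == "__main__":
    forest = {"child.example.com": ["example.com"]}
    print(missing_override(SAMPLE_CONF, forest))
```

The audit only covers what the file declares; whether the sub-domain section takes effect for override_gid still has to be confirmed on the host by checking the primary GID reported for a user from each domain.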