It seems that auth_provider cannot be none when using local as the id_provider.
[sssd] [confdb_get_domain_internal] (0x0010): Local ID provider does not support [none] as an AUTH provider.
[sssd] [confdb_get_domains] (0x0010): Error (22 [Invalid argument]) retrieving domain [autofsd], skipping!
On Thu, 26 Mar, 2015 at 9:18 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
On 03/25/2015 05:13 PM, Matt John wrote:
On 25 Mar 2015, at 20:53, Michael Ströder michael@stroeder.com wrote:
Matt John wrote:
We currently have two ldap servers (this cannot be changed) where one is used for user authentication and the other provides information on automounts. The ldap server used for automounts only contains a subset of the users in the other ldap server as not all users are able to, or have the need to, log into our systems.
Disclaimer: I have no personal experience with multi-domain sssd config for distributed users/groups/sudoers/automap entries (except local and LDAP being used side-by-side).
But for forcing all user information to come from the [domain/authd] I'd try to set:
[domain/autofsd]
[..]
id_provider = none
auth_provider = none
[..]
Setting those options for the autofsd results in sssd failing to start. Looking through the logs nothing jumps out apart from these lines:
[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend [2]
[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code [3]
[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Based on what I know about SSSD it might currently assume that automount data and user data come from the same identity source and share the same connection. But I would leave it to the SSSD gurus to provide more details in the morning.
I guess we require id_provider to be != none. Sorry, then I led you down the wrong path a bit on serverfault. The requirement might be a relic from the past where domains only served identity and authentication -- I guess it's time to change it, can you open a ticket?
Also can you try a config like this (again, untested):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd
[nss]
filter_groups = root
filter_users = root
[pam]
[autofs]
[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com
[domain/authd]
# This domain is unchanged
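An added example, not code from the thread or from the SSSD project: a small pre-flight check that encodes the two constraints this thread runs into (Jakub: id_provider must not be none; Matt's confdb log: id_provider = local rejects auth_provider = none) and renders the suggested sssd.conf three ways so the variants can be compared before restarting sssd. The [domain/authd] contents, the ldap0.example.com URI and the "every listed domain needs a section" check are assumptions of this example; whether id_provider = local combined with autofs_provider = ldap then starts cleanly is not something the thread confirms.

```python
"""Pre-flight check for the sssd.conf constraints hit in this thread.

Added example, not code from the thread or the SSSD project. The config
text below is constructed here; the [domain/authd] block and the
ldap0.example.com URI are stand-ins the thread does not give.
"""
import configparser

# Constructed sssd.conf modelled on Jakub's suggestion. {id_provider} and
# {auth_provider} are filled in by render() so the variants from the thread
# (Michael's none/none, Jakub's local/none, and local/local) can be compared.
SSSD_CONF_TEMPLATE = """\
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/authd]
# stand-in for the unchanged user domain (assumed values)
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap0.example.com/
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/ssl/certs/example.pem

[domain/autofsd]
# The local database would be empty
id_provider = {id_provider}
auth_provider = {auth_provider}
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com
"""


def render(id_provider, auth_provider):
    """Fill the autofsd provider settings into the constructed template."""
    return SSSD_CONF_TEMPLATE.format(id_provider=id_provider,
                                     auth_provider=auth_provider)


def check_domains(conf_text):
    """Return [(domain, problem), ...] for the failure modes seen in the thread.

    Rule 1 (Jakub): id_provider must be set and must not be 'none'.
    Rule 2 (Matt's confdb log): id_provider = local rejects auth_provider = none.
    Rule 0 (assumed): every name in [sssd] domains needs a [domain/<name>]
    section, since sssd has nothing to load for a domain without one.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
              if d.strip()]
    for domain in listed:
        section = "domain/" + domain
        if not cp.has_section(section):
            problems.append((domain, "listed in [sssd] domains but has no "
                                     "[domain/%s] section" % domain))
            continue
        idp = cp.get(section, "id_provider", fallback=None)
        authp = cp.get(section, "auth_provider", fallback=None)
        if idp is None or idp.lower() == "none":
            problems.append((domain, "id_provider must be set and must not be none"))
            continue
        if idp.lower() == "local" and authp is not None and authp.lower() == "none":
            problems.append((domain, "id_provider = local does not support "
                                     "auth_provider = none"))
    return problems


if __name__ == "__main__":
    # Walk through the three autofsd variants discussed in the thread.
    for idp, authp in (("none", "none"), ("local", "none"), ("local", "local")):
        found = check_domains(render(idp, authp))
        print("id_provider=%s auth_provider=%s -> %s" % (idp, authp, found or "ok"))
```

The local/local variant passes both checks; setting auth_provider = local is the same as omitting it, since sssd.conf(5) defaults auth_provider to the id_provider when that provider can handle authentication. Jakub's cache_credentials = False is kept deliberately: with an empty local database there is nothing worth caching on the automount domain.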