It seems that auth_provider cannot be none when using local as the id_provider.

[sssd] [confdb_get_domain_internal] (0x0010): Local ID provider does not support [none] as an AUTH provider.
[sssd] [confdb_get_domains] (0x0010): Error (22 [Invalid argument]) retrieving domain [autofsd], skipping!


On Thu, 26 Mar, 2015 at 9:18 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
On 03/25/2015 05:13 PM, Matt John wrote:
>>On 25 Mar 2015, at 20:53, Michael Ströder <michael@stroeder.com> wrote:
>>
>>Matt John wrote:
>>>We currently have two ldap servers (this cannot be changed) where one is
>>>used for user authentication and the other provides information on
>>>automounts. The ldap server used for automounts only contains a subset of
>>>the users in the other ldap server as not all users are able to, or have
>>>the need to, log into our systems.
>>Disclaimer: I have no personal experience with multi-domain sssd config for
>>distributed users/groups/sudoers/automap entries (except local and LDAP
>>being used side-by-side).
>>
>>But for forcing all user information to come from the [domain/authd] I'd
>>try to set:
>>
>>[domain/autofsd]
>>[..]
>>id_provider = none
>>auth_provider = none
>>[..]
>Setting those options for the autofsd results in sssd failing to start.
>Looking through the logs nothing jumps out apart from these lines:
>
>[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
>[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend [2]
>[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
>[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code [3]
>[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
>
>_______________________________________________
>sssd-users mailing list
>sssd-users@lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Based on what I know about SSSD it might currently assume that automount data and user data come from the same identity source and share the same connection. But I would leave it to the SSSD gurus to provide more details in the morning.
I guess we require id_provider to be != none. Sorry, then I led you down the wrong path a bit on serverfault.

The requirement might be a relic from the past where domains only served identity and authentication -- I guess it's time to change it, can you open a ticket?

Also can you try a config like this (again, untested):

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
# This domain is unchanged
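As an added example (not code from this thread or from the SSSD project), a small Python checker that parses an sssd.conf and flags the two domain settings that made sssd refuse to start here (id_provider = none, and auth_provider = none under the local provider), plus a warning for a plain ldap:// URI without StartTLS. The embedded config is a constructed condensation of the one above, and the rules are assumptions derived from the log lines quoted in the thread, not SSSD's own validation code.

```python
import configparser
from typing import List

# Constructed sample: a condensed version of the untested config posted above,
# with a second domain that talks plain ldap:// without StartTLS.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = authd, autofsd

[domain/autofsd]
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap2.example.com/
"""


def check_sssd_conf(text: str) -> List[str]:
    """Return a list of problems found in an sssd.conf; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems: List[str] = []
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        dom = cp[section]
        id_prov = dom.get("id_provider", "").strip().lower()
        # SSSD falls back to the id_provider when auth_provider is unset.
        auth_prov = dom.get("auth_provider", id_prov).strip().lower()
        if name not in listed:
            problems.append(f"{name}: defined but not listed in [sssd] domains")
        if id_prov in ("", "none"):  # first failure seen in the thread
            problems.append(f"{name}: id_provider must be set and may not be 'none'")
        elif id_prov == "local" and auth_prov == "none":  # second failure
            problems.append(f"{name}: local id_provider does not support auth_provider = none")
        # Plain ldap:// without StartTLS sends binds and directory data in the clear.
        uri = dom.get("ldap_uri", "").strip().lower()
        starttls = dom.getboolean("ldap_id_use_start_tls", fallback=False)
        if uri.startswith("ldap://") and not starttls:
            problems.append(f"{name}: ldap:// URI without ldap_id_use_start_tls = True")
    return problems
```

Run it against a real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` before restarting sssd to catch these mistakes without reading the debug logs.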