On Thu, Aug 8, 2019 at 2:05 PM Sumit Bose <sbose(a)redhat.com>
> On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote:
> > Hi All,
> > I'm working in a proof of concept for a customer where I've been asked
> > to join the child domain of a Microsoft Active Directory domain,
> > child.example.com. Users will primarily exist in the parent,
> > but some users will also exist in the child. The application requires
> > all users have a specific primary GID, 1100, which is defined in
> > and I'm attempting to apply via override_gid.
> > User authentication via either the child or parent is successful,
> > the override_gid is only applied to users of the child, @
> > and NOT for users of the parent, @example.com.
> > I saw what looked to be a similar post to this list from Sep 2018. It
> > suggested this may be a bug. I didn't see a follow-up/resolution to that
> > thread. Is this issue being tracked or has it been resolved?
> In contrast to other options, the override_gid option is not
> automatically inherited to sub-domains (from the SSSD point of view). I
> think this is better than the other way round because the given GID
> might make sense in one domain but not in the other.
> The version of SSSD you are using allows setting options for sub-domains
> individually. Please try to add:
> override_gid = 1100
> to sssd.conf. This works for many options but I have not tested
> override_gid yet. So please let me know if this works or not.
Thanks for the suggestion, unfortunately, I have tried to define an
override_gid that's in a specific domain declaration as your above example,
but it does not appear to have an impact.
I tested scenarios where I had a host joined directly to the parent, but
override_gid was not applied for the child. Likewise, I tested a scenario
where my host is joined directly to the child, but override_gid is not
applied for the parent.
The override_gid seems to only be applied for users that are specifically
authenticated against the directly joined domain and not applied for any
trusted domains. And additional [domain] declarations containing
override_gid do not appear to be applied.
Yes, unfortunately code-wise we have two ways of reading configuration
options, one where the option is directly read from the domain's
configuration database for a domain and then another one mostly used
for provider-specific options (think ad_server, ldap_uri, ...). Only the
latter group of options is inherited unfortunately.