sssd personnel,

When a Linux SE fat-fingers the domain name when doing a 'realm permit' or 'realm permit -g', it locks all permitted users and groups.

Even worse, it's not usually obvious from looking at the 'simple_allow_users' and 'simple_allow_groups' lines which entry is the culprit.

Here's an example:

simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, bladelogic_linux_users@amer.company.com, iasnprod@amer.company.com, unv_dba_login@amer.company.com, engit-ebpa@amer.company.com

simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amr.company.com, svc_prdesquadscounix@apac.company.com, admmmikolaj@amer.company.com

The offending entry is 'service_ome_linux@amr.company.com'. The Linux SE fat-fingered that user when doing a realm permit. Since sssd treats this as an unknown domain (to sssd), it locks all permitted users and groups.

I've tried to submit this to my OS vendor as a bug, but they claim it's a 'feature'. Ok, but it would be nice to have a configuration option to ignore permitted users and groups from unknown realms -- to not lock all existing permitted users and groups.

Spike