On 3/18/15, 3:55 AM, "Sumit Bose" <[email protected]> wrote:
>On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: >> On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: >> > On Tue, 17 Mar 2015, Gould, Joshua wrote: >> >> > >/etc/sssd/sssd.conf: >> > >[domain/test.osuwmc] >> > >ldap_idmap_range_min = 100000 >> > >ldap_idmap_range_size = 900000 >> > There is something completely broken here. >> >> Yes, the sssd.conf configuration :-) >> >> SSSD will not even read this sssd.conf section, it is just ignored. The >> subdomains are mostly auto-configured, just with several exceptions >> (like subdomain_homedir) where we read the subdomain config from the >> main domain config. >> >> > You *shouldn't* need to add a >> > separate domain section for any of the domains coming over the forest >> > trust link path _at_all_. SSSD automatically derives all needed >> > parameters for them via its IPA providers for the primary IPA domain. >> > >> > Jakub, what is going on? >> >> I would prefer if also Sumit can add his opinon since he authored the ID >> mapping code. > >as Alexander said in the other thread, only the IPA domain should be >configured if you want to use IPA and trust. AD domains will be >discovered and ranges will be configured on the IPA server side and IPA >clients will get all information about trusted AD domains from the IPA >server. > >So, please remove the section for the AD completely from sssd.conf. I¹ll be happy to remove the AD section from the sssd.conf file and test but I think there¹s more going on. The AD section was generated from the IPA client install. I never manually added anything other than ³pac² to the services line under the [sssd] section and the two ldap_idmap_range options. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
