Dmitri Pal <dpal <at> redhat.com> writes:
> The SSSD expectation is that identity data is domain consistent, meaning that users from domain A are members of groups in domain A and users in domain B are members of groups in domain B. There is no overlap.
Thanks for the quick reply.
But something still doesn't make sense to me. Domain A is first in the list, and returns a gidNumber of 10106 for my account. Domain A has no group with that gid. It then searches domain B for the group, and finds it. If the domains were to be treated as independent with no overlap, this should not happen, right?
This is what suggested to me that both domains would be searched. It's using information from domain B to fill in gaps in information from domain A.
Is there a pure sss way of using the union of the information from the two domains? Or, is there a way to specify a domain for sss to use for groups in the nsswitch.conf file?
> Also AFAIR you can't configure two connections from within one domain. What you can do is for groups use sss ldap or maybe even just ldap in nsswitch.conf and use SSSD for users and configure nss_ldap for groups. I am not sure whether that would work but it is worth a try.
I'll have a go with nss_ldap, but I would much prefer a pure sss configuration.
Thanks again for your help.
_______________________________________________
sssd-users mailing list sssd-users <at> lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
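A concrete form of the split Dmitri describes (SSSD for users, nss_ldap for groups), added here as an illustration and not taken from the thread or from the SSSD project. The domain names, hostnames, search bases and the CA bundle path are placeholders; Dmitri's own caveat that this combination is untested still applies.

```conf
# /etc/nsswitch.conf (excerpt): users resolve through SSSD, groups through nss_ldap
passwd:  files sss
shadow:  files sss
group:   files ldap

# /etc/sssd/sssd.conf (excerpt): SSSD keeps both domains for user lookups
# (domain names and servers are placeholders)
[sssd]
services = nss, pam
domains = domA, domB

[domain/domA]
id_provider = ldap
ldap_uri = ldap://ldap-a.example.com
ldap_search_base = dc=a,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

[domain/domB]
id_provider = ldap
ldap_uri = ldap://ldap-b.example.com
ldap_search_base = dc=b,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# /etc/ldap.conf (nss_ldap, excerpt): group lookups go only to the directory
# that actually holds the group entries (domain B in the thread's scenario)
uri ldap://ldap-b.example.com
base dc=b,dc=example,dc=com
nss_base_group ou=Groups,dc=b,dc=example,dc=com?sub
ssl start_tls
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
```

With this in place, `getent passwd <user>` is answered by SSSD and `getent group 10106` by nss_ldap, so the gid found in the user entry and the group it resolves to both come from a single, explicitly chosen source; `getent -s sss group 10106` versus `getent -s ldap group 10106` shows which module answers each lookup. Both modules keep their own caches, so group membership changes are visible on different schedules for users and groups.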