On 7/5/2017 3:40 AM, Sumit Bose wrote:
On Tue, Jul 04, 2017 at 04:39:35PM -0400, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the main domain?
You can skip some domains completely, please have a look at the ad_enabled_domains option in 'man sssd-ad' for details.
The only way I can think of to ignore only specific users from a sub-domain is to use specific search filters for the sub-domain. Please see the 'TRUSTED DOMAIN SECTION' of man sssd.conf for details about how to configure a search filter for a sub-domain.
Maybe local overrides can be used here as well. You might want to try to set a different UID to the user from the sub-domain with the sss_override utility. But I haven't tried this, so chances are that this might still fail.
bye, Sumit
In some cases the user cannot be removed, or the AD config is set up that way on purpose.
Cheers, Tom
On Apr 7, 2017, at 11:16 PM, TomK <tk@mdevsys.com> wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote:
Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
Could not find the first option in the help pages. My version therefore doesn't support it.
I tried to set subdomains_provider = none but this had no effect. This is not really surprising given that the AD team indicated that SUB.DOMAIN.COM was not really a subdomain of DOMAIN.COM but a totally separate domain in itself.
So now I'm wondering if SUB.DOMAIN.COM is not really a subdomain, what can I do to handle this case?
REF: subdomains_provider (string) The provider which should handle fetching of subdomains. This value should be always the same as id_provider. Supported subdomain providers are:
"ipa" to load a list of subdomains from an IPA server. See sssd-ipa(5) for more information on configuring IPA.
"ad" to load a list of subdomains from an Active Directory server. See sssd-ad(5) for more information on configuring the AD provider.
"none" disallows fetching subdomains explicitly.
Default: The value of "id_provider" is used if it is set.
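
The two configuration approaches Sumit suggests, sketched as an added example that is not part of the original thread. The domain names, base DN and the account name `svc_dup` are placeholders, and each option only applies if the installed release documents it in sssd-ad(5) or sssd.conf(5).

```ini
# Constructed sssd.conf fragment. DOMAIN.COM, SUB.DOMAIN.COM, the base DN
# and "svc_dup" are placeholders, not values taken from this thread.

[domain/DOMAIN.COM]
id_provider = ad

# Approach 1: skip other domains completely. Only the domains listed here
# are used; every domain not listed is ignored. Requires an SSSD release
# whose sssd-ad(5) man page documents this option.
#ad_enabled_domains = DOMAIN.COM

# Approach 2 (alternative to approach 1): keep the second domain, but
# exclude the single colliding account with a search filter in the
# trusted domain section. Search base syntax is: base?scope?filter
[domain/DOMAIN.COM/SUB.DOMAIN.COM]
ldap_user_search_base = DC=sub,DC=domain,DC=com?subtree?(!(sAMAccountName=svc_dup))
```

After changing the file, restart SSSD and clear its cache before re-testing the lookup, since a previously cached duplicate entry can otherwise still be returned.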