There are settings in the sssd.conf file that aren't in the ldbsearch output or that have the wrong values in the output:
[root@host ~]# cat /etc/sssd/sssd.conf
[domain/domain.com]
access_provider = simple
ad_domain = domain.com
ad_hostname = host.domain.com
cache_credentials = true
debug_level = 6
default_shell = /bin/bash
dyndns_update = false
fallback_homedir = /home/%u
id_provider = ad
krb5_realm = DOMAIN.COM
krb5_store_password_if_offline = true
ldap_id_mapping = true
realmd_tags = manages-system joined-with-adcli
simple_allow_groups = Group1
use_fully_qualified_names = false
[sssd]
config_file_version = 2
domains = domain.com
override_space = _
services = nss,pam
[root@host ~]# ldbsearch -H /var/lib/sss/db/config.ldb
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
domains: domain.com
services: nss, pam
distinguishedName: cn=sssd,cn=config
# record 2
dn: cn=config
version: 2
lastUpdate: 1459260529
distinguishedName: cn=config
# record 3
dn: cn=domain.com,cn=domain,cn=config
access_provider: ad
ad_domain: domain.com
cache_credentials: True
cn: domain.com
default_shell: /bin/bash
fallback_homedir: /home/%u@%d
id_provider: ad
krb5_realm: DOMAIN.COM
krb5_store_password_if_offline: True
ldap_id_mapping: True
realmd_tags: manages-system joined-with-adcli
use_fully_qualified_names: True
case_sensitive: false
distinguishedName: cn=domain.com,cn=domain,cn=config
# returned 3 records
# 3 entries
# 0 referrals
On Tue, Mar 29, 2016 at 10:23 AM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (29/03/16 09:52), Chadwick Banning wrote:
I just finally got a pristine test case for doing this and here are the results:
[root@host ~]# ls -l /etc/sssd/sssd.conf
-rw------- 1 root root 559 Mar 29 09:29 /etc/sssd/sssd.conf
[root@host ~]# ls -l /var/lib/sss/db/config.ldb
-rw------- 1 root root 1286144 Mar 29 09:29 /var/lib/sss/db/config.ldb
[root@host ~]# ls --time-style='+%d-%m-%Y %H:%M:%S' -l /etc/sssd/sssd.conf
-rw------- 1 root root 559 29-03-2016 09:29:58 /etc/sssd/sssd.conf
[root@host ~]# ls --time-style='+%d-%m-%Y %H:%M:%S' -l /var/lib/sss/db/config.ldb
-rw------- 1 root root 1286144 29-03-2016 09:29:59 /var/lib/sss/db/config.ldb
These times make sense as the sssd.conf file was put into place and then the service restarted and the config.ldb built. From /var/log/messages:
Mar 29 09:29:58 localhost puppet-agent[2865]: (/Stage[main]/Realmd::Sssd::Config/File[/etc/sssd/sssd.conf]/content) content changed '{md5}4b5234cb037adcfb49887c0616773efb' to '{md5}30e2784e49079c59193eeeae21d48c65'
Mar 29 09:29:58 localhost puppet-agent[2865]: (Class[Realmd::Sssd::Config]) Scheduling refresh of Class[Realmd::Sssd::Service]
Mar 29 09:29:58 localhost puppet-agent[2865]: (Class[Realmd::Sssd::Service]) Scheduling refresh of Service[sssd]
Mar 29 09:29:58 localhost systemd: Stopping System Security Services Daemon...
Mar 29 09:29:58 localhost sssd[nss]: Shutting down
Mar 29 09:29:58 localhost sssd[be[domain.com]]: Shutting down
Mar 29 09:29:58 localhost sssd[pam]: Shutting down
Mar 29 09:29:58 localhost systemd: Starting System Security Services Daemon...
Mar 29 09:29:58 localhost sssd: Starting up
Mar 29 09:29:58 localhost sssd[be[domain.com]]: Starting up
Mar 29 09:29:59 localhost sssd[nss]: Starting up
Mar 29 09:29:59 localhost sssd[pam]: Starting up
Mar 29 09:29:59 localhost systemd: Started System Security Services Daemon.
At the point of restart shouldn't it have seen the updated time on sssd.conf and rebuilt config.ldb?
It should and according to timestamps it was done.
If you think it was not done then could you provide latest sssd.conf and output of following command?
    ldbsearch -H /var/lib/sss/db/config.ldb
    ^^^^^^^^^
    This utility is part of package ldb-tools
LS
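Added example, not part of the original thread and not SSSD code: a Python script that parses the two listings from the top message (sssd.conf and the ldbsearch output of config.ldb) and reports every option that is missing or different between them, such as access_provider, where the file says simple and config.ldb says ad. The sample text is excerpted from those listings; the function names and the rule that maps a dn to a section name are assumptions made for this example.

```python
import configparser
SKIP = {"dn", "cn", "distinguishedname"}  # LDB bookkeeping, not SSSD options

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep "%u" literal
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def parse_ldb(text):  # ldbsearch output -> {section: {option: value}}
    out, cur = {}, None
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, val = (p.strip() for p in line.split(":", 1))
        if key == "dn":
            # Assumed mapping: cn=X,cn=domain,cn=config -> "domain/X"; cn=config skipped
            name = "/".join(r.split("=", 1)[1] for r in reversed(val.split(",")[:-1]))
            cur = out.setdefault(name, {}) if name else None
        elif cur is not None and key.lower() not in SKIP:
            cur[key.lower()] = val
    return out

def norm(v):  # ignore list spacing ("nss, pam") and boolean case ("True")
    v = ",".join(p.strip() for p in v.split(","))
    return v.lower() if v.lower() in ("true", "false") else v

def drift(conf, ldb):
    """Return (section, option, conf_value, ldb_value); None means absent."""
    rows = []
    for sec in sorted(set(conf) | set(ldb)):
        c, d = conf.get(sec, {}), ldb.get(sec, {})
        rows += [(sec, o, c.get(o), d.get(o)) for o in sorted(set(c) | set(d))
                 if o not in c or o not in d or norm(c[o]) != norm(d[o])]
    return rows

# Sample input excerpted from the two listings in the message above.
CONF = """[domain/domain.com]
access_provider = simple
fallback_homedir = /home/%u
simple_allow_groups = Group1
[sssd]
services = nss,pam"""
LDB = """dn: cn=sssd,cn=config
services: nss, pam
dn: cn=domain.com,cn=domain,cn=config
access_provider: ad
fallback_homedir: /home/%u@%d"""
if __name__ == "__main__":
    print(*drift(parse_conf(CONF), parse_ldb(LDB)), sep="\n")
```

Options present only in config.ldb are reported as well, with None as the sssd.conf value.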