On Thu, Aug 30, 2018 at 05:57:07AM -0400, Lawrence Kearney wrote:
> Hello again :-)
>
> After finding other directives that seemed to display the same behavior in
> my environment I parsed the logs more closely and it appears to me that the
> order of processing/logging directives is from the perspective of the
> joined domain first. In this case the child domain appears to take the
> configured directive and the parent is left at the default. Oddly, the
> parent domain is also referred to as a subdomain in the log.
>
> My setup again:
>
> parent domain: dvc.darkvixen.com (DC darkvixen161win.dvc.darkvixen.com)
> child domain: lab.dvc.darkvixen.com (DC
> darkvixen164win.lab.dvc.darkvixen.com)
>
> The relevant log entries:
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_helper_table_size has value 20
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
> Looking up domain controllers in domain lab.dvc.darkvixen.com and site
> DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
> Inserted primary server 'darkvixen164win.lab.dvc.darkvixen.com:389' to
> service 'AD'
>
> [sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [
> dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
> [sssd[be[lab.dvc.darkvixen.com]]] [sdap_domain_subdom_add] (0x0400):
> subdomain dvc.darkvixen.com is a new one, will create a new sdap domain
> object
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_helper_table_size has value 10
>
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
> Looking up domain controllers in domain dvc.darkvixen.com and site
> DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
> Inserted primary server 'darkvixen161win.dvc.darkvixen.com:389' to service '
> dvc.darkvixen.com'
>
> So, my questions now are:
>
> Do I understand this correctly?
I think yes. For SSSD the domain you are joined to is the most important
one, all others are sub-domains.
> Is the logging working as intended?
Yes, but I agree it is a bit irritating. Although the idmap options for
sub-domains are shown, only the ones of the joined domain are of
importance. All domains use the same id-mapping settings, the ones from
the joined domain. Otherwise it would be hard to avoid id collisions.
> Is there a way to expose the runtime configuration of the SSSD, including
> default configuration directive values (similar to /usr/sbin/sshd -T)?
Currently not, there is 'sssctl config-check' but this does not display
values or defaults. There is https://pagure.io/SSSD/sssd/issue/3157 to
show values from the config file. You might want to add a comment about
showing the default values for all other options as well or open a new
ticket for this.
bye,
Sumit
>
> Many thanks,
>
>
> -- lawrence
>
> On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney <hangarbait@gmail.com>
> wrote:
>
> >
> > Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified
> > "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set
> > at the parent domain instead of the child domain, which remains at the
> > default of 10 (the child domain is not a domain tree).
> >
> > Forest: dvc.darkvixen.com
> > Parent domain: dvc.darkvixen.com (parent non-dedicated forest root domain)
> > Child domain: lab.dvc.darkvixen.com
> >
> > My understanding is that no "subdomain_provider" directive is needed for
> > this configuration, and the "subdomain_inherit" directive does not support
> > the inheritance of the "ldap_idmap_helper_table_size" directive.
> >
> > The sanitized sssd.conf:
> >
> > [sssd]
> > config_file_version = 2
> > services = nss,pam,pac
> > domains = lab.dvc.darkvixen.com
> >
> > [nss]
> > filter_users = root
> > filter_groups = root
> >
> > [pam]
> >
> > [pac]
> >
> > [domain/lab.dvc.darkvixen.com]
> > id_provider = ad
> > access_provider = ad
> >
> > enumerate = false
> > cache_credentials = true
> >
> > ldap_idmap_helper_table_size = 20
> >
> > ad_site = DarkVixenCorp
> > ad_hostname = darkvixen200.lab.dvc.darkvixen.com
> >
> > ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM:
> > (memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
> >
> >
> > From the domain log:
> >
> > [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> > Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
> > [sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100):
> > Adding new ID mapping [dvc.darkvixen.com
> > ][S-1-5-21-623326418-92578587-4020003380][8636]
> >
> > [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> > ldap_idmap_helper_table_size has value 10
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> > Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
> > [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [
> > lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
> >
> > From the relevant DC:
> >
> > ~# Get-ADForest
> >
> > ApplicationPartitions :
> > {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com,
> > DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com,
> > DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
> > CrossForestReferences : {}
> > DomainNamingMaster : DARKVIXEN161WIN.dvc.darkvixen.com
> > Domains : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
> > ForestMode : Windows2012R2Forest
> > GlobalCatalogs : {DARKVIXEN161WIN.dvc.darkvixen.com,
> > DARKVIXEN164WIN.lab.dvc.darkvixen.com}
> > Name : dvc.darkvixen.com
> > PartitionsContainer :
> > CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
> > RootDomain : dvc.darkvixen.com
> > SchemaMaster : DARKVIXEN161WIN.dvc.darkvixen.com
> > Sites : {DarkVixenCorp}
> > SPNSuffixes : {}
> > UPNSuffixes : {}
> >
> >
> > Is this a bug fixed with later daemons or is there additional
> > configuration required?
> >
> >
> > Many thanks,
> >
> >
> > -- lawrence
> >
> >
>
> --
> Lawrence Kearney
>
> e: lawrence.kearney@earthlink.net
> t: +001 706.951.6257
> w: www.lawrencekearney.com
> l: www.linkedin.com/in/lawrencekearney
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
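Added example, not code from the thread or from SSSD itself: a Python reconstruction of the algorithmic ID mapping behind the slice numbers in the logs above, using the joined domain's ranges from the config, so one can check which UID range a logged slice covers and see why every host in the forest must share the same idmap settings to avoid collisions. The slice-selection step (MurmurHash3 of the domain SID string, seed 0xdeadbeef, modulo the number of slices) is my reading of libsss_idmap and an assumption here; the range arithmetic (slice base plus RID) is the documented scheme, and the SIDs and slices are the ones logged in the thread.

```python
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000  # values from the logs
LOGGED_SLICES = {  # domain SID -> slice, as logged by sdap_idmap_add_domain
    "S-1-5-21-623326418-92578587-4020003380": 8636,    # dvc.darkvixen.com
    "S-1-5-21-1157061662-2021606532-2751616909": 4675,  # lab.dvc.darkvixen.com
}

def murmurhash3_x86_32(data: bytes, seed: int) -> int:
    """Standard MurmurHash3 x86/32 (the variant SSSD bundles)."""
    m = 0xffffffff
    h = seed & m
    n = len(data) // 4
    for i in range(n):
        k = (int.from_bytes(data[4 * i:4 * i + 4], "little") * 0xcc9e2d51) & m
        k = (((k << 15) | (k >> 17)) * 0x1b873593) & m
        h ^= k
        h = ((((h << 13) | (h >> 19)) & m) * 5 + 0xe6546b64) & m
    k = 0
    for i, b in enumerate(data[4 * n:]):  # tail bytes, XORed in little-endian order
        k ^= b << (8 * i)
    k = (k * 0xcc9e2d51) & m
    h ^= (((k << 15) | (k >> 17)) * 0x1b873593) & m
    h ^= len(data)
    h = ((h ^ (h >> 16)) * 0x85ebca6b) & m
    h = ((h ^ (h >> 13)) * 0xc2b2ae35) & m
    return h ^ (h >> 16)

def num_slices(range_min=RANGE_MIN, range_max=RANGE_MAX, range_size=RANGE_SIZE) -> int:
    return (range_max - range_min) // range_size

def preferred_slice(domain_sid: str, **opts) -> int:
    """Slice the hash selects before collision handling (assumed algorithm)."""
    return murmurhash3_x86_32(domain_sid.encode(), 0xdeadbeef) % num_slices(**opts)

def slice_bounds(slice_num: int, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    base = range_min + slice_num * range_size
    return base, base + range_size - 1

def rid_to_uid(slice_num: int, rid: int, range_min=RANGE_MIN, range_size=RANGE_SIZE) -> int:
    """UID = slice base + RID.  RIDs beyond the slice size need a secondary slice
    (ldap_idmap_helper_table_size caps how many are tried when mapping a UNIX id back)."""
    if rid >= range_size:
        raise ValueError("RID outside the primary slice; SSSD would use a secondary slice")
    return range_min + slice_num * range_size + rid

if __name__ == "__main__":
    for sid, logged in LOGGED_SLICES.items():
        lo, hi = slice_bounds(logged)
        print(f"{sid}: logged slice {logged} -> UIDs {lo}..{hi}, "
              f"hash-preferred slice {preferred_slice(sid)}")
```

A different range_min or range_size on another host changes both the slice count and every slice base, so the same SID lands on a different UID there; that is the collision Sumit's answer refers to.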