Thank you Sumit, that helps immensely.

I think adding such a feature would be very useful, so I'll open a new ticket if you remind me where to enter one.

I previously entered a ticket to have the PAM return codes used by the pam_sss module added to the man file for the module (as other modules do), but it has not appeared in any versions I've noticed yet. It would be most helpful for those of us that are incorporating MFA logic in our PAM stacks to explicitly know which return codes are implemented by the daemon.

... but, back to my original point, thank you :-) 


-- lawrence

On Thu, Aug 30, 2018 at 6:26 AM Sumit Bose <sbose@redhat.com> wrote:
On Thu, Aug 30, 2018 at 05:57:07AM -0400, Lawrence Kearney wrote:
> Hello again :-)
>
> After finding other directives that seemed to display the same behavior in
> my environment I parsed the logs more closely and it appears to me that the
> order of processing/logging directives is from the perspective of the
> joined domain first. In this case the child domain appears to take the
> configured directive and the parent is left at the default. Oddly, the
> parent domain is also referred to as a subdomain in the log.
>
> My setup again:
>
> parent domain: dvc.darkvixen.com (DC darkvixen161win.dvc.darkvixen.com)
> child domain: lab.dvc.darkvixen.com (DC
> darkvixen164win.lab.dvc.darkvixen.com)
>
> The relevant log entries:
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
> ldap_idmap_helper_table_size has value 20
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
> Looking up domain controllers in domain lab.dvc.darkvixen.com and site
> DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
> Inserted primary server 'darkvixen164win.lab.dvc.darkvixen.com:389' to
> service 'AD'
>
> [sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [
> dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
> [sssd[be[lab.dvc.darkvixen.com]]] [sdap_domain_subdom_add] (0x0400):
> subdomain dvc.darkvixen.com is a new one, will create a new sdap domain
> object
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_helper_table_size has value 10
>
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
> Looking up domain controllers in domain dvc.darkvixen.com and site
> DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
> Inserted primary server 'darkvixen161win.dvc.darkvixen.com:389' to service '
> dvc.darkvixen.com'
>
> So, my questions now are:
>
> Do I understand this correctly?

I think yes. For SSSD to domain you are joined to is the most important
one, all others are sub-domains.

> Is the logging working as intended?

yes, but I agree it is a bit irritating. Although the imap options for
sub-domains are shown only the one of the joined domain is of
importance. All domains use the same id-mapping setting, the ones from
the joined domain. Otherwise it would be hard to avoid id collisions.

> Is there a way to expose the runtime configuration of the SSSD, including
> default configuration directive values (similar to /usr/sbin/sshd -T)?

Currently not, there is 'sssctl config-check' but this does not display
values or defaults. There is https://pagure.io/SSSD/sssd/issue/3157 to
show values from the config file. You might want to add a comment about
showing the default values for all other options as well or open a new
ticket for this.

bye,
Sumit

>
> Many thanks,
>
>
> -- lawrence
>
> On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney <hangarbait@gmail.com>
> wrote:
>
> >
> > Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified
> > "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set
> > at the parent domain instead of the child domain, which remains at the
> > default of 10 (the child domain is a not a domain tree).
> >
> > Forest: dvc.darkvixen.com
> > Parent domain: dvc.darkvixen.com (parent non-decitated forest root domain)
> > Child domain: lab.dvc.darkvixen.com
> >
> > My understanding is that no "subdomain_provider" directive is needed for
> > this configuration, and the "subdomain_inherit" directive does not support
> > the inheritance of the "ldap_idmap_helper_table_size" directive.
> >
> > The sanitized sssd.conf:
> >
> > [sssd]
> > config_file_version = 2
> > services = nss,pam,pac
> > domains = lab.dvc.darkvixen.com
> >
> > [nss]
> > filter_users = root
> > filter_groups = root
> >
> > [pam]
> >
> > [pac]
> >
> > [domain/lab.dvc.darkvixen.com]
> > id_provider = ad
> > access_provider = ad
> >
> > enumerate = false
> > cache_credentials = true
> >
> > ldap_idmap_helper_table_size = 20
> >
> > ad_site = DarkVixenCorp
> > ad_hostname = darkvixen200.lab.dvc.darkvixen.com
> >
> > ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM:
> > (memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
> >
> >
> > From the domain log:
> >
> > [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> > Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
> > [sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100):
> > Adding new ID mapping [dvc.darkvixen.com
> > ][S-1-5-21-623326418-92578587-4020003380][8636]
> >
> > [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> > ldap_idmap_helper_table_size has value 10
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> > Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
> > [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [
> > lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
> >
> > From the relevant DC:
> >
> > ~# Get-ADForest
> >
> > ApplicationPartitions :
> > {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com,
> >                         DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com,
> > DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
> > CrossForestReferences : {}
> > DomainNamingMaster    : DARKVIXEN161WIN.dvc.darkvixen.com
> > Domains               : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
> > ForestMode            : Windows2012R2Forest
> > GlobalCatalogs        : {DARKVIXEN161WIN.dvc.darkvixen.com,
> > DARKVIXEN164WIN.lab.dvc.darkvixen.com}
> > Name                  : dvc.darkvixen.com
> > PartitionsContainer   :
> > CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
> > RootDomain            : dvc.darkvixen.com
> > SchemaMaster          : DARKVIXEN161WIN.dvc.darkvixen.com
> > Sites                 : {DarkVixenCorp}
> > SPNSuffixes           : {}
> > UPNSuffixes           : {}
> >
> >
> > Is this a bug fixed with later daemons or is there additional
> > configuration required ?
> >
> >
> > Many thanks,
> >
> >
> > -- lawrence
> >
> >
>
> --
> Lawrence Kearney
>
> e: lawrence.kearney@earthlink.net
> t: +001 706.951.6257
> w: www.lawrencekearney.com­­­
> l: www.linkedin.com/in/lawrencekearney

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


--