In a scenario in which an sssd node joined to Active Directory crashed and had to be rebuilt, restoring key files from backup, other than the obvious files in /etc (for krb5, sssd, nss etc.), are there other sssd/krb5 persistent databases (/var/lib/sss/db ?) that would have to be restored (ctdb already handles Samba related databases like secrets.tdb) in order to recover a system after failure?
What sssd files (if any) other than those in /etc directory would be required to restore a system that is joined to an AD domain after failure?
On Thu, Feb 02, 2017 at 03:56:22PM -0000, smfrench@gmail.com wrote:
> In a scenario in which an sssd node joined to Active Directory crashed and had to be rebuilt, restoring key files from backup, other than the obvious files in /etc (for krb5, sssd, nss etc.), are there other sssd/krb5 persistent databases (/var/lib/sss/db ?) that would have to be restored (ctdb already handles Samba related databases like secrets.tdb) in order to recover a system after failure?
> What sssd files (if any) other than those in /etc directory would be required to restore a system that is joined to an AD domain after failure?
/var/lib/sss/db if you use client-side overrides (defined with the sss_override tool) or if it is expected users should be able to log in offline, since the cache also stores passwords.
/var/lib/sss/secrets if you store secrets in sssd (see man sssd-secrets)
Unless you use either of the two, then I think restoring the keytab and the config files would be OK. On the other hand, there is nothing wrong with restoring the caches as well, and it might save you trouble later should you decide to use either offline auth or overrides.
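The file list above, turned into a backup/restore/verify script. This is an added example, not code from the thread or from the sssd project: it archives whichever of the named paths exist (sssd.conf, krb5.conf, krb5.keytab, nsswitch.conf, /var/lib/sss/db, /var/lib/sss/secrets), restores them with their modes, and then re-tightens the two files that must stay 0600 root (sssd.conf and the keytab), since a keytab or config copied with a loose mode is both a leak and something sssd/krb5 will complain about. The `ROOT` prefix argument is an assumption added so the functions can be exercised against a staging tree instead of the live `/`.

```shell
#!/bin/sh
# Added example: snapshot and restore the sssd/Kerberos state named in the reply.
# ROOT is a directory prefix (use "/" on a live host); paths are kept relative
# so the same archive can be restored into any root.

SSSD_STATE_PATHS="etc/sssd/sssd.conf etc/krb5.conf etc/krb5.keytab etc/nsswitch.conf var/lib/sss/db var/lib/sss/secrets"

# Secret-bearing files that must be mode 0600 and root-owned on the live system.
SSSD_SECRET_FILES="etc/sssd/sssd.conf etc/krb5.keytab"

# backup_sssd_state ROOT ARCHIVE
# Archives whichever of the known paths exist under ROOT; fails if none do.
backup_sssd_state() {
    root=$1; archive=$2; present=""
    for p in $SSSD_STATE_PATHS; do
        if [ -e "$root/$p" ]; then
            present="$present $p"
        fi
    done
    if [ -z "$present" ]; then
        echo "backup_sssd_state: nothing to back up under $root" >&2
        return 1
    fi
    # tar records mode and owner; -C keeps entries relative to ROOT.
    # shellcheck disable=SC2086  (word splitting of $present is intended)
    tar -C "$root" -cf "$archive" $present
}

# restore_sssd_state ARCHIVE ROOT
# Extracts with -p so stored modes survive the caller's umask, then re-tightens
# the secret-bearing files in case the archive was produced with looser modes.
restore_sssd_state() {
    archive=$1; root=$2
    mkdir -p "$root"
    tar -C "$root" -xpf "$archive"
    for f in $SSSD_SECRET_FILES; do
        if [ -e "$root/$f" ]; then
            chmod 0600 "$root/$f"
            # Ownership can only be fixed when running as root (the live-system case).
            if [ "$(id -u)" -eq 0 ]; then chown root:root "$root/$f"; fi
        fi
    done
}

# verify_sssd_state ROOT
# Returns 0 when the minimum needed to come back without re-joining the domain
# (config + keytab) is present and protected with mode 0600, 1 otherwise.
verify_sssd_state() {
    root=$1; rc=0
    for f in $SSSD_SECRET_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $f" >&2; rc=1; continue
        fi
        # GNU stat first, BSD stat as fallback; both print the octal mode.
        mode=$(stat -c %a "$root/$f" 2>/dev/null || stat -f %Lp "$root/$f")
        if [ "$mode" != "600" ]; then
            echo "bad mode $mode on $f (want 600)" >&2; rc=1
        fi
    done
    return $rc
}
```

On a live host the calls are `backup_sssd_state / /root/sssd-state.tar` before the rebuild and `restore_sssd_state /root/sssd-state.tar /` followed by `verify_sssd_state /` after it; whether /var/lib/sss/db and /var/lib/sss/secrets end up in the archive depends only on whether they exist, which matches the reply's advice that restoring the caches does no harm even when offline auth or overrides are not in use.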
sssd-users@lists.fedorahosted.org