We were noticing some strange problems in two node clustered (ctdb/samba) sssd, cases in which both nodes joined AD fine, but "getent passwd <username>" worked for only a subset of the remote AD users on one node, but worked fine on the other. The config seemed to be identical on the two nodes - didn't see any obvious problems with sssd configuration, but clearly the two nodes behave differently.
Are there instructions on setting up sssd in clustered environment (e.g. presumably similar to the clustered ctdb/samba/ceph or gluster that RHEL might ship)? or for the clustered case is it safer to simply use winbind?
And I did check the obvious - googling for "clustered sssd" or "sssd and ctdb" didn't come up with much useful in the last year (mostly a few threads that are out of date from 2 or 3 years ago).
On Fri, Jan 27, 2017 at 07:24:26PM -0000, smfrench@gmail.com wrote:
> We were noticing some strange problems in two node clustered (ctdb/samba) sssd, cases in which both nodes joined AD fine, but "getent passwd <username>" worked for only a subset of the remote AD users on one node, but worked fine on the other. The config seemed to be identical on the two nodes - didn't see any obvious problems with sssd configuration, but clearly the two nodes behave differently.
It is hard to say without logs what might be the issue here, especially since you say that it works for a subset of users.
> Are there instructions on setting up sssd in clustered environment (e.g. presumably similar to the clustered ctdb/samba/ceph or gluster that RHEL might ship)? or for the clustered case is it safer to simply use winbind?
SSSD's libwbclient was implemented to make some simple use cases possible, namely running a Samba file server in a FreeIPA domain. It can be used to run a similar simple setup in an AD domain with a number of restrictions compared to winbind.
ctdb setups are so far not tested by me and I'm not aware of any other tests or setups either. There are afaik also some special areas where ctdb and winbind depend on each other, e.g. the shared hostkey in secrets.tdb. So, yes, I would say it is safer to use winbind for the clustered case.
In the long run I think it is best to make sure winbind and SSSD can run together on the same system and use the same ID mapping, e.g. with the help of the SSSD idmap plugin for winbind. See e.g. the thread you started on samba-technical including Ralph's effort to bring the plugin to Samba upstream or my talk at last year's SambaXP https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumi...