Hi!
I am using the AD provider to connect to a domain which is a member of a forest.
Unfortunately the forest root is not reachable due to firewall rules which I cannot control. To prevent forest lookup timeouts, I followed the advice in the troubleshooting HOWTO and set "subdomains_provider=none". Besides I had to explicitly specify an ad_server.
However, as soon as I add "subdomains_provider=none", sssd doesn't know the SID of the configured domain anymore. Lookups return "Domain not found for SID <owndomainsid>"
Do you have any hints?
I am using sssd-1.13.1. Logs and config can be found at http://leo.kloburg.at/tmp/sssd-subdomains_provider/
Thanks in advance, --leo

On Thu, Oct 22, 2015 at 11:15:26AM +0200, Alexander 'Leo' Bergolth wrote:
> Hi!
> I am using the AD provider to connect to a domain which is a member of a forest.
> Unfortunately the forest root is not reachable due to firewall rules which I cannot control. To prevent forest lookup timeouts, I followed the advice in the troubleshooting HOWTO and set "subdomains_provider=none". Besides I had to explicitly specify an ad_server.
> However, as soon as I add "subdomains_provider=none", sssd doesn't know the SID of the configured domain anymore. Lookups return "Domain not found for SID <owndomainsid>"
> Do you have any hints?

This is a known issue: https://fedorahosted.org/sssd/ticket/2828
For now you can set the domain SID manually with ldap_idmap_default_domain_sid.

> I am using sssd-1.13.1.

Well, with this version, is there a reason to disable the subdomains? Since we fixed https://fedorahosted.org/sssd/ticket/2637 this shouldn't be required anymore..

> Logs and config can be found at http://leo.kloburg.at/tmp/sssd-subdomains_provider/

I see some server timeouts with the default logs..but are these really fatal? It seems that id -G still works, right?

On 10/22/2015 01:10 PM, Jakub Hrozek wrote:
> On Thu, Oct 22, 2015 at 11:15:26AM +0200, Alexander 'Leo' Bergolth wrote:
>> However, as soon as I add "subdomains_provider=none", sssd doesn't know the SID of the configured domain anymore. Lookups return "Domain not found for SID <owndomainsid>"
>
> This is a known issue: https://fedorahosted.org/sssd/ticket/2828
> For now you can set the domain SID manually with ldap_idmap_default_domain_sid.

I am already using ldap_idmap_default_domain_sid but that doesn't seem to be sufficient. http://leo.kloburg.at/tmp/sssd-subdomains_provider/sssd.conf

>> I am using sssd-1.13.1.
>
> Well, with this version, is there a reason to disable the subdomains? Since we fixed https://fedorahosted.org/sssd/ticket/2637 this shouldn't be required anymore..
>
>> Logs and config can be found at http://leo.kloburg.at/tmp/sssd-subdomains_provider/
>
> I see some server timeouts with the default logs..but are these really fatal? It seems that id -G still works, right?

I agree, they are not fatal. I'll continue without subdomains_provider=none.
Thanks for your help!
Cheers, --leo
sssd-users@lists.fedorahosted.org