Hi,
We are currently running a Samba AD DC server with sssd on the clients. Now we want to run sssd on our mail server with postfix + dovecot as well. Postfix and dovecot get their users from NSS, i.e. from sssd. In our domain there are several disabled users (via the User Account Control bit). All of these users are listed in NSS.
Unfortunately, they can receive emails, because they exist in the NSS user database. But they cannot log in to read mails or even answer.
We would like to filter out disabled users from NSS s.t. postfix will not accept emails for disabled users.
We searched in man 5 sssd-ad but did not find a config option for this use case.
Do you have any idea what we could do to achieve the desired behaviour?
Thanks a lot.
Best regards Rikus
On Sun, Jul 21, 2019 at 06:08:18PM +0200, Hinrikus Wolf wrote:
See man sssd-ldap; you can add any of the ldap_* options to id_provider=ad as well, including ldap_search_base, which in turn can include the UAC.
I don't have a ready example with the needed UAC value, though.
Hi,
that's actually what we tried:
[sssd]
domains = fsmpi.rwth-aachen.de
config_file_version = 2
services = nss, pam

[pam]
offline_credentials_expiration = 1
offline_failed_login_attempts = 3
offline_failed_login_delay = 0

[domain/fsmpi.rwth-aachen.de]
ad_domain = fsmpi.rwth-aachen.de
krb5_realm = FSMPI.RWTH-AACHEN.DE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true
ldap_user_fullname = displayName
krb5_lifetime = 48h
krb5_renewable_lifetime = 200h
krb5_renew_interval = 30m
ad_gpo_access_control = disabled
ad_enable_gc = false
ldap_search_base = dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Do you know what we did wrong?
Best regards Rikus
On Wed, Sep 11, 2019 at 09:04:40PM +0200, Hinrikus Wolf wrote:
Not really, did you try running ldapsearch using this filter?
On Wed, Sep 11, 2019 at 3:05 PM Hinrikus Wolf hinrikus@fsmpi.rwth-aachen.de wrote:
ldap_search_base = dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Putting an (objectClass=user) filter in ldap_search_base will exclude all groups, as ldap_search_base is used for both user and group queries.
A modified version of your filter works just fine for us:
ldap_search_base = dc=example,dc=org?subtree?(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This successfully excludes computer objects and terminated objects.
As Jakub said, you can use ldapsearch to test your filter. E.g.:
$ ldapsearch \
    -z 0 \
    -E pr=2147483647/noprompt \
    -o ldif-wrap=no \
    -L \
    -L \
    -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' \
    -Y GSSAPI \
    -b "dc=example,dc=org" \
    "(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" \
    dn
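An added illustration of why the two filters behave differently (example code written for this page, not from the thread or from sssd): the Python below re-implements the three filter items the filters use, objectClass equality, attribute presence (uidNumber=*) and the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803) on userAccountControl, and applies both filters to four constructed entries (an enabled user, a disabled user, a computer account and a group; all DNs and attribute values are made up). It shows that the (objectClass=user) variant drops the group, while the bit-AND test alone leaves groups in, because an entry without userAccountControl never matches the bit test and therefore passes its negation.

```python
"""Evaluate the thread's ldap_search_base filters against sample AD entries.

Added example, not code from the thread or from sssd. It re-implements the
three filter items the two filters use: objectClass equality, attribute
presence (uidNumber=*) and the LDAP_MATCHING_RULE_BIT_AND extensible match
(OID 1.2.840.113556.1.4.803) on userAccountControl, then shows which
constructed entries each filter keeps. Entries and DNs are made up.
"""

UF_ACCOUNTDISABLE = 0x0002             # userAccountControl "account disabled"
UF_NORMAL_ACCOUNT = 0x0200             # 512: ordinary user account
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: computer account
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def has_objectclass(entry, oc):
    """(objectClass=oc); objectClass values compare case-insensitively."""
    return oc.lower() in (c.lower() for c in entry.get("objectClass", []))


def is_present(entry, attr):
    """(attr=*)"""
    return attr in entry


def bit_and_matches(entry, attr, mask):
    """(attr:1.2.840.113556.1.4.803:=mask): true only if attr is present
    and every bit of mask is set in its integer value. An entry without
    the attribute (e.g. a group) does not match, so the negated form
    (!(...)) is true for it and the entry is kept."""
    value = entry.get(attr)
    if value is None:
        return False
    return int(value) & mask == mask


def thread_filter(entry):
    """(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (not has_objectclass(entry, "computer")
            and not bit_and_matches(entry, "userAccountControl", UF_ACCOUNTDISABLE))


def original_filter(entry):
    """(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)
        (unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (has_objectclass(entry, "user")
            and is_present(entry, "uidNumber")
            and is_present(entry, "unixHomeDirectory")
            and thread_filter(entry))


# Constructed stand-ins for what ldapsearch would return. In AD a computer
# object also carries objectClass user, and group objects have no
# userAccountControl attribute at all. Values are strings, as LDAP returns them.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=org",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "uidNumber": "10001", "unixHomeDirectory": "/home/alice",
     "userAccountControl": "512"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=org",  # disabled: 512 | 2
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "uidNumber": "10002", "unixHomeDirectory": "/home/bob",
     "userAccountControl": "514"},
    {"dn": "CN=MAIL01,CN=Computers,DC=example,DC=org",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": "4096"},
    {"dn": "CN=staff,CN=Users,DC=example,DC=org",
     "objectClass": ["top", "group"],
     "gidNumber": "20001"},
]


def kept_dns(match, entries=SAMPLE_ENTRIES):
    """DNs of the entries a filter function keeps, in input order."""
    return [e["dn"] for e in entries if match(e)]


if __name__ == "__main__":
    print("James's filter keeps: ", kept_dns(thread_filter))
    print("original filter keeps:", kept_dns(original_filter))
```

Because sssd uses ldap_search_base for group lookups too, the kept group in the first result is the behaviour you want; the second result is the symptom James describes.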
Hi,
thanks for your answer.
I have implemented the ldap_search_base. But the disabled users are still listed in
getent passwd
That means they are present for PAM.
Any other ideas?
Best regards Rikus
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On (12/09/19 18:49), Hinrikus Wolf wrote:
man sssd-ad says:

NOTES
The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP provider:

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
However, unless the “ad” access control provider is explicitly configured, the default access provider is “permit”. Please note that if you configure an access provider other than “ad”, you need to set all the connection parameters (such as LDAP URIs and encryption details) manually.
So using *access_provider = ad* should be enough for blocking expired/disabled users. Even without modification of ldap_search_base
LS
Hi,
On 12.09.19 21:30, Lukas Slebodnik wrote:
Thanks. This is not our issue. The issue is that disabled users are present for PAM, and so postfix accepts emails from disabled users.
But maybe it is not possible?
Best regards Rikus
On Sat, Sep 14, 2019 at 11:57:09AM +0200, Hinrikus Wolf wrote:
Hi,
I guess you mean that the users are still available for nss, i.e. they can be looked up with 'getent passwd username'?
I think you didn't answer if you already tried to run the search filter with '!(userAccountControl:1.2.840.113556.1.4.803:=2)' manually with the ldapsearch command. This is important to understand if the search filter does not work at all or SSSD does not handle it properly.
bye, Sumit
Hi,
Sumit Bose sbose@redhat.com wrote on 16 September 2019 08:23:
I guess you mean that the users are still available for nss, i.e they can be looked up with 'getent passwd username'?
Yes, that's what I mean.
I think you didn't answer if you already tried to run the search filter with '!(userAccountControl:1.2.840.113556.1.4.803:=2)' manually with the ldapsearch command. This is important to understand if the search filter does not work at all or SSSD does not handle it properly.
The filter works. Just in case, I tried it again with ldapsearch, but we are already using this filter for several applications which support LDAP.
Best regards Rikus
On Mon, Sep 16, 2019 at 10:37:11AM +0200, Hinrikus Wolf wrote:
Hi,
I tried the ldap_search_base you sent earlier (adapted to my setup) and it worked as expected, i.e. disabled users are not shown.
Can you share your complete sssd.conf (sanitized if needed) and if possible the sssd_nss.log and the domain log both with debug_level=9?
bye, Sumit
Hi,
this is our sssd.conf
[sssd]
domains = fsmpi.rwth-aachen.de
config_file_version = 2
services = nss, pam

[pam]
offline_credentials_expiration = 1
offline_failed_login_attempts = 3
offline_failed_login_delay = 0

[domain/fsmpi.rwth-aachen.de]
ad_domain = fsmpi.rwth-aachen.de
krb5_realm = FSMPI.RWTH-AACHEN.DE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true
ldap_user_fullname = displayName
krb5_lifetime = 48h
krb5_renewable_lifetime = 200h
krb5_renew_interval = 30m
ad_gpo_access_control = disabled
ldap_search_base = dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
in sssd_nss.log:

(Wed Sep 18 14:40:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Sep 18 14:41:08 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Sep 18 14:41:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Best regards Rikus
On Wed, Sep 18, 2019 at 04:43:18PM +0200, Hinrikus Wolf wrote:
Hi,
Looks like the backend has issues connecting to an AD DC. Please add debug_level=9 to the [domain/...] section of sssd.conf, restart SSSD, run some tests and check sssd_domain.name.log for issues which cause the backend to switch into offline mode (or send it).
bye, Sumit
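An added example (written for this page; not code from the thread or from the sssd project) of the check Sumit's diagnosis implies: a small parser for the sssd log line format shown in the sssd_nss.log excerpt that picks out the DataProvider.Offline errors and reports the window they span. The sample input is the three lines Rikus posted plus one constructed ordinary line that must not be flagged; the function name and debug level on that constructed line are assumptions, not taken from a real log. While the backend is offline, the nss responder serves lookups from its cache, so a new ldap_search_base will not show up in getent output until the backend is online again.

```python
"""Flag 'Data Provider offline' events in an sssd responder log.

Added example, not from the thread or from the sssd project. It parses
the log line format seen in sssd_nss.log and reports how many offline
errors occurred and over which time span. While the backend is offline
the nss responder answers from its cache, so a changed ldap_search_base
is not visible in 'getent passwd' until the backend is online again.
"""
import re
from datetime import datetime

# Shape of one line: (timestamp) [sssd[component]] [function] (0xlevel): message
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
OFFLINE_ERROR = "org.freedesktop.sssd.Error.DataProvider.Offline"

# The three offline lines are the ones posted in the thread; the third line
# is constructed (function name and level assumed) to show an ordinary
# entry that must not be flagged.
SAMPLE_LOG = """\
(Wed Sep 18 14:40:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Sep 18 14:41:08 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Sep 18 14:41:20 2019) [sssd[nss]] [example_func] (0x0400): constructed sample line, not an error
(Wed Sep 18 14:41:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
"""


def parse_line(line):
    """Return a dict with ts (datetime), component, func, level (int) and
    msg, or None for a line that does not match the sssd log format."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    return rec


def offline_events(lines):
    """Parsed records whose message reports the data provider as offline."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and OFFLINE_ERROR in r["msg"]]


def offline_summary(lines):
    """Return (count, first_ts, last_ts, seconds between first and last)
    for the offline errors in lines, or (0, None, None, 0) if there are none."""
    events = offline_events(lines)
    if not events:
        return (0, None, None, 0)
    first, last = events[0]["ts"], events[-1]["ts"]
    return (len(events), first, last, int((last - first).total_seconds()))


if __name__ == "__main__":
    count, first, last, span = offline_summary(SAMPLE_LOG.splitlines())
    print(f"{count} offline errors between {first} and {last} ({span}s); "
          f"nss answered from its cache during this window")
```

Run it against the real sssd_nss.log after raising debug_level; a non-empty window tells you the getent results you are looking at came from the cache, and the domain log for the same timestamps is where the reason for going offline will be.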
On Thu, Sep 12, 2019 at 12:50 PM Hinrikus Wolf hinrikus@fsmpi.rwth-aachen.de wrote:
I have implemented the ldap_saerch_base. But the disabled users are still listed in
getent passwd
That means they are present for PAM.
Not necessarily.
If you did not wipe the sssd cache after you changed the configuration, sssd can still return hits from the cache, even if those entries are no longer in the data provider.
This is probably more than is necessary, but this is how I wipe the cache:
$ systemctl stop sssd.service
$ rm /var/lib/sss/db/* /var/lib/sss/mc/* /var/lib/sss/pipes/* \
     /var/lib/sss/pipes/private/* /var/lib/sss/pubconf/* \
     /var/lib/sss/pubconf/krb5.include.d/*
$ systemctl start sssd.service
If you do that, you should only see entries returned if the data provider finds them.