sss_override - when to run it?
by John Hearns
We have an existing set of users in a local passwd file
I want to run sss_override to create mappings from the AD SID numbers to
the existing uid numbers.
What is the consensus on running sss_override?
I can script it to either parse through the existing passwd file and make
an override entry per user,
or to parse the file and create an import file which is run once with
import-user
But when is a good time to run this?
- In a daily cron job
- When sssd is started, which would involve editing the systemd unit file
- Creating a new systemd service which depends on sssd.service. This service
  runs sss_override and then restarts sssd.service
Or am I misunderstanding something?
I am assuming here we have on-disk sssd databases. If the databases are on
a tmpfs then clearly the sss_override must be run at boot time by one of
the above methods also.
5 years, 9 months
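The "parse the passwd file and create an import file" option from the post above, as an added example (not code from the post or from the SSSD project). It emits lines in the format documented in sss_override(8) for user-import; the `MIN_UID` and `AD_DOMAIN` variables and the function name are assumptions made for illustration, and it assumes the directory login name matches the local passwd name.

```shell
#!/bin/sh
# Added example: turn passwd-format lines (stdin) into an import file for
#   sss_override user-import FILE
# Line format per sss_override(8):
#   original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate
# Empty fields are not overridden; only uid and gid are set here.
#
# Assumptions (not from the original post):
#   MIN_UID    lowest UID treated as a real user (default 1000)
#   AD_DOMAIN  optional; if set, names are emitted as name@AD_DOMAIN
passwd_to_overrides() {
    awk -F: -v min="${MIN_UID:-1000}" -v dom="${AD_DOMAIN:-}" '
        function warn(msg) { printf "skip (%s): %s\n", msg, $0 > "/dev/stderr" }
        # Comments and empty lines.
        /^#/ || NF == 0 { next }
        # A passwd entry has exactly seven fields.
        NF != 7 { warn("malformed"); next }
        # UID and GID must be plain decimal numbers.
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { warn("non-numeric id"); next }
        # Never map a directory user onto root or a system/service account.
        $3 + 0 < min + 0 || $1 == "nobody" { next }
        # Two directory users must not collapse onto the same local UID.
        seen[$3]++ { warn("duplicate uid"); next }
        {
            name = (dom == "") ? $1 : $1 "@" dom
            printf "%s::%s:%s::::\n", name, $3, $4
        }
    '
}

# Typical one-off use (as root), followed by an sssd restart:
#   passwd_to_overrides < /etc/passwd > overrides.txt
#   sss_override user-import overrides.txt
```

Per sss_override(8), SSSD must be restarted after the first override is created, so a one-off import followed by a single restart is sufficient while the override database stays on disk.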
sss_override user-export is empty
by vadud3@gmail.com
I made a change in UID for a user with sss_override but user-export to a
file does not export anything. I am using sssd version 1.15.2. Is this a
bug or maybe I am doing something wrong? I followed the steps from this
https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/
I ran these as root
# sssd --version
1.15.2
# sss_override user-add mwvande -u 4311
# systemctl restart sssd
# sss_override user-export foo
# cat foo
(no output)
I also tried it without the restart
# sss_override user-add mwvande -u 4311
# sss_override user-export foo
# cat foo
(no output)
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
5 years, 9 months
Logging of scheduled tasks - password renewal
by John Hearns
After 30 days of running sssd I found that my test workstation no longer
connected to the domain.
The machine account password had timed out.
I now run a daily cron job using msktutil which will auto-update the
password.
However I should not have to do this. sssd should update the machine
password.
I can see entries in the logs such that the machine account password
renewal task is enabled.
Then:
[be_ptask_execute] (0x0400): Task [AD machine account password renewal]:
executing task, timeout 60 seconds
How though can I see if this task is successful or not?
I realise that if the machine account is less than 30 days old the task
probably silently completes OK without any logging.
The version of sssd is 16.1 running on Ubuntu
John Hearns
5 years, 9 months
Who and w not nss aware?
by John Hearns
It seems bizarre, but the who and w utilities say there are no users on my
system.
My account is an Active Directory account and sssd is running.
johe@ibis:~$ who
johe@ibis:~$ w
10:09:26 up 16:47, 0 users, load average: 0.60, 0.59, 0.48
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
I guess this is known behaviour?
5 years, 9 months