Hi Lukas,
On Wed, May 6, 2015 at 1:47 AM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (06/05/15 01:12), James Ralston wrote:
> enumerate = true
I hope it was just for testing purposes. We do not recommend enabling
enumeration.
I know it's not recommended. I'll address this in a separate
response.
> ldap_id_mapping = true
You can remove this line; id-mapping is enabled by default for
id_provider ad.
> ldap_sasl_mech = GSSAPI
> ldap_schema = AD
The previous 2 lines are default for id_provider ad as well.
I know. (I added those lines more for illustration purposes than
anything else.)
> offline_failed_login_attempts = 3
This line should be in the [pam] section; it will have an effect only if
"cache_credentials" is enabled in the domain section.
Ah; good to know. I will correct that. Thanks.
I would be curious where you got your inspiration for sssd.conf, so we can
improve it.
I created it myself. So, blame me. ;-)
Distribution groups are filtered by default.
Technet[1] says:
"Distribution groups are not security-enabled, which means that
they cannot be listed in discretionary access control lists
(DACLs). If you need a group for controlling access to shared
resources, create a security group."
OK.
A suggestion: it would have been very helpful if the debug messages
had contained some statement like "ignoring distribution group
my-group".
That would have made it much more clear what was happening, which (as
I understand it) was:
1. sssd was ignoring a distribution group. (This is normal,
expected behavior.)
2. sssd was trying to cache the distribution group, but failing
due to ticket/2588. (This is a bug, not normal behavior.)
> (Wed May 6 00:03:06 2015) [sssd[be[example.org]]]
> [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or
> value exists]
^^^^^^^^^^^^^^^^^
here is a problem
It is very likely the upstream bug[2] with binary objectGUID.
OK, thanks for the explanation and the pointer.
For testing purposes you can try the pre-release[3] of upstream
1.12.5; it should be released within a few days and contains a fix for
bug[2] as well as other fixes.
OK.
What do you recommend doing for RHEL6 (currently on
1.11.6-30.el6_6.4)?
1. Use your 1.12.5 packages on RHEL6?
2. Wait for Red Hat to backport the patch for ticket/2588 to
their 1.11.6 branch?
3. Wait for Red Hat to rebase RHEL6 to 1.12.5?
4. Backport the patch for ticket/2588 to 1.11.6-30.el6_6.4
myself?
5. Something else?
Thanks...
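An added illustration of the [pam] versus [domain] point raised in the thread, not a config from either poster: the misplaced offline_failed_login_attempts line beside its corrected placement. The domain name example.org is taken from the log line quoted above; the services list, the explicit offline_failed_login_delay value and the comments are assumptions made for this example.

```ini
# Added example, not from the thread. Two separate sssd.conf files are
# shown one after the other for comparison.

# ---- sssd.conf (before): the lockout counter sits in the domain
# ---- section, where it has no effect, so offline logins are never
# ---- locked after repeated failures.
[sssd]
services = nss, pam
domains = example.org

[domain/example.org]
id_provider = ad
cache_credentials = true
offline_failed_login_attempts = 3

# ---- sssd.conf (after): the counter lives in [pam]. It only takes
# ---- effect because cache_credentials = true in the domain section;
# ---- without cached credentials there is no offline authentication
# ---- to limit in the first place.
[sssd]
services = nss, pam
domains = example.org

[pam]
# refuse offline authentication after this many consecutive failures
offline_failed_login_attempts = 3
# minutes to keep refusing once the limit is hit (assumed value here)
offline_failed_login_delay = 5

[domain/example.org]
id_provider = ad
# id-mapping, GSSAPI and the AD schema are defaults for id_provider ad,
# as noted in the thread, so they are not repeated here
cache_credentials = true
```

The point for a defender is that a misplaced option fails open: the "before" file looks like it enforces an offline lockout, but cached-credential logins continue to accept unlimited attempts until the line is moved into [pam].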