On Wednesday, 24-01-2018 at 16:45, Jakub Hrozek wrote:
> On Wed, Jan 24, 2018 at 10:10:11AM -0500, Geoff Goehle wrote:
> > Sorry about the line breaks. Adding "enable_files_domain = false" to
> > the [sssd] section fixed the issue. Just out of curiosity, could I ask what that does?
> > It's not in the man page.
>
> SSSD has a feature which mirrors the local /etc/passwd and /etc/group
> files for faster lookups of local users without having to enable nscd
> which is tricky to operate together with sssd, especially if you run
> sssd for a remote domain, too:
>
> https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers
> But I'm surprised that Debian would enable this feature without changing
> the nsswitch.conf order like Fedora did. They probably should disable
> the files domain by default..
>
> The files domain is currently identity-only and no authentication is
> performed. That, together with the duplicate users and the files domain
> running by default has been causing the failures for you..
On a side-note: I just tested this enable_files_domain and it seems using it results in
the next domain still being queried for local users (verified by sifting through the ldap
server logs). Using an explicit domain with id_provider=files apparently works differently
(that domain answers and the next one is not queried), which is not very transparent.
Is this expected?
What was the order of the explicit domains? Note the implicit domain is
always prepended before any other domain..
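
An added example, not part of the thread and not SSSD code: a small checker that reads an sssd.conf and reports the effective domain lookup order, with the implicit files domain prepended when `enable_files_domain` is on. The sample config, the `implicit_files` label and the `build_default` parameter (what the distribution's build does when the option is absent) are assumptions made for illustration.

```python
import configparser

# Constructed sample sssd.conf (not from the thread): one remote LDAP domain.
SAMPLE = """\
[sssd]
services = nss, pam
domains = ldap_example

[domain/ldap_example]
id_provider = ldap
auth_provider = ldap
"""
# Same file with the workaround from the thread applied.
FIXED = SAMPLE.replace("[sssd]\n", "[sssd]\nenable_files_domain = false\n", 1)

IMPLICIT = "implicit_files"  # label chosen for this example (assumption)


def effective_domains(conf_text, build_default):
    """Return [(domain, id_provider)] in lookup order.

    build_default is what the distribution's build uses when
    enable_files_domain is absent from [sssd] (assumption: caller knows it).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    enabled = cp.getboolean("sssd", "enable_files_domain", fallback=build_default)
    names = [n.strip() for n in cp.get("sssd", "domains", fallback="").split(",")]
    order = [(n, cp.get("domain/" + n, "id_provider", fallback="unknown"))
             for n in names if n]
    # Per the thread, the implicit domain is prepended before any other domain.
    return ([(IMPLICIT, "files")] if enabled else []) + order


def layout_warnings(order):
    """Flag the layout the thread describes as the cause of the failures."""
    out = []
    if order and order[0][0] == IMPLICIT and len(order) > 1:
        out.append("identity-only implicit files domain is searched before "
                   + ", ".join(n for n, _ in order[1:]))
    return out


if __name__ == "__main__":
    for label, text in (("default", SAMPLE), ("workaround", FIXED)):
        order = effective_domains(text, build_default=True)
        print(label, order, layout_warnings(order))
```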