It seems that auth_provider cannot be none when using local as the
id_provider.
[sssd] [confdb_get_domain_internal] (0x0010): Local ID provider does not support [none] as an AUTH provider.
[sssd] [confdb_get_domains] (0x0010): Error (22 [Invalid argument]) retrieving domain [autofsd], skipping!
On Thu, 26 Mar, 2015 at 9:18 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
> On 03/25/2015 05:13 PM, Matt John wrote:
> >>On 25 Mar 2015, at 20:53, Michael Ströder <michael(a)stroeder.com> wrote:
> >>
> >>Matt John wrote:
> >>>We currently have two ldap servers (this cannot be changed) where one is
> >>>used for user authentication and the other provides information on
> >>>automounts. The ldap server used for automounts only contains a subset of
> >>>the users in the other ldap server as not all users are able to, or have
> >>>the need to, log into our systems.
> >>Disclaimer: I have no personal experience with multi-domain sssd
> >>config for distributed users/groups/sudoers/automap entries (except
> >>local and LDAP being used side-by-side).
> >>
> >>But for forcing all user information to come from the [domain/authd] I'd try to set:
> >>
> >>[domain/autofsd]
> >>[..]
> >>id_provider = none
> >>auth_provider = none
> >>[..]
> >Setting those options for the autofsd results in sssd failing to
> >start. Looking through the logs nothing jumps out apart from these
> >lines:
> >
> >[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
> >[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend [2]
> >[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
> >[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code [3]
> >[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
> >
>
> Based on what I know about SSSD it might currently assume that automount
> data and user data come from the same identity source and share the same
> connection.
> But I would leave it to the SSSD gurus to provide more details in the morning.
I guess we require id_provider to be != none. Sorry, then I led you
down the wrong path a bit on serverfault. The requirement might be a
relic from the past where domains only served identity and
authentication -- I guess it's time to change it, can you open a ticket?

Also can you try a config like this (again, untested):

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
# This domain is unchanged

_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
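
The two failures reported in this thread, turned into a pre-flight check for sssd.conf (an added example, not part of the original messages and not SSSD's own code). The function name lint_sssd_conf, the mapsd domain and the sample file are constructed for illustration; the rules cover only the behaviour reported in this thread and look only at explicitly set options.

```python
import configparser

# Constructed sample: authd is healthy, autofsd and mapsd repeat the two
# provider combinations that the thread reports SSSD refusing.
SAMPLE_CONF = """
[sssd]
services = nss, pam, autofs
domains = authd, autofsd, mapsd

[domain/authd]
id_provider = ldap
auth_provider = ldap

[domain/autofsd]
id_provider = local
auth_provider = none
autofs_provider = ldap

[domain/mapsd]
id_provider = none
auth_provider = none
autofs_provider = ldap
"""


def lint_sssd_conf(text):
    """Return (domain, reason) for each enabled domain the thread shows failing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    findings = []
    for name in filter(None, enabled):
        section = "domain/" + name
        if not cp.has_section(section):
            continue  # missing sections are out of scope for this check
        # Only explicitly set values are examined; defaults are not modelled.
        id_p = cp.get(section, "id_provider", fallback="").strip().lower()
        auth_p = cp.get(section, "auth_provider", fallback="").strip().lower()
        if id_p == "none":
            findings.append((name, "id_provider = none: backend fails to initialize"))
        elif id_p == "local" and auth_p == "none":
            findings.append((name, "local id_provider does not support auth_provider = none"))
    return findings


if __name__ == "__main__":
    for domain, reason in lint_sssd_conf(SAMPLE_CONF):
        print(f"[domain/{domain}] {reason}")
```

Running it against a real /etc/sssd/sssd.conf before restarting the service catches these combinations without having to read the backend logs.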