It seems that auth_provider cannot be none when using local as the id_provider.

On Wed, Mar 25, 2015 at 07:46:31PM -0400, Dmitri Pal wrote:
> On 03/25/2015 05:13 PM, Matt John wrote:
> >>On 25 Mar 2015, at 20:53, Michael Ströder <email@example.com> wrote:
> >>
> >>Matt John wrote:
> >>>We currently have two ldap servers (this cannot be changed) where one is
> >>>used for user authentication and the other provides information on
> >>>automounts. The ldap server used for automounts only contains a subset of
> >>>the users in the other ldap server as not all users are able to, or have
> >>>the need to, log into our systems.
> >>Disclaimer: I have no personal experience with multi-domain sssd config
> >>for distributed users/groups/sudoers/automap entries (except local and
> >>LDAP being used side-by-side).
> >>
> >>But for forcing all user information to come from the [domain/authd] I'd try to set:
> >>
> >>[domain/autofsd]
> >>[..]
> >>id_provider = none
> >>auth_provider = none
> >>[..]
> >Setting those options for the autofsd results in sssd failing to start.
> >Looking through the logs nothing jumps out apart from these lines:
> >
> >[sssd[be[autofsd]]] [be_process_init] (0x0010): fatal error initializing data providers
> >[sssd[be[autofsd]]] [main] (0x0010): Could not initialize backend 
> >[sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
> >[sssd] [mt_svc_exit_handler] (0x0040): Child [autofsd] exited with code 
> >[sssd] [mt_svc_exit_handler] (0x0010): Process [autofsd], definitely stopped!
> >
> >_______________________________________________
> >sssd-users mailing list
> >firstname.lastname@example.org
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> Based on what I know about SSSD it might currently assume that automount
> data and user data come from the same identity source and share the same
> connection. But I would leave it to the SSSD gurus to provide more details
> in the morning.

I guess we require id_provider to be != none. Sorry, then I led you down
the wrong path a bit on serverfault.

The requirement might be a relic from the past where domains only served
identity and authentication -- I guess it's time to change it, can you open
a ticket?

Also can you try a config like this (again, untested):

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, autofs
domains = authd, autofsd

[nss]
filter_groups = root
filter_users = root

[pam]

[autofs]

[domain/autofsd]
# The local database would be empty
id_provider = local
auth_provider = none
ldap_id_use_start_tls = True
cache_credentials = False
# You can also set the ldap_search_base to a part of the tree that only serves autofs data
ldap_search_base = dc=test,dc=example.com
ldap_uri = ldap://ldap1.example.com/
ldap_tls_cacert = /etc/ssl/certs/example.pem
autofs_provider = ldap
ldap_autofs_search_base = dc=test,dc=example.com

[domain/authd]
# This domain is unchanged
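
Added example, not part of the original thread and not SSSD code: a small Python pre-flight check for an sssd.conf that flags the two provider combinations participants in this thread reported as failing (id_provider = none, and id_provider = local with auth_provider = none). The function name check_domains and the sample configuration are constructed for illustration; the rules encode only what the thread reports, not SSSD's own validation.

```python
import configparser

# Constructed sample, modelled on the [domain/autofsd] suggestion in the thread.
SAMPLE = """
[sssd]
services = nss, pam, autofs
domains = authd, autofsd

[domain/autofsd]
id_provider = local
auth_provider = none
autofs_provider = ldap

[domain/authd]
id_provider = ldap
"""


def check_domains(text):
    """Return (domain, message) pairs for enabled domains whose provider
    settings match a combination reported in the thread as failing."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    # Only domains listed under [sssd] domains are started, so only check those.
    enabled = cfg.get("sssd", "domains", fallback="")
    names = [d.strip() for d in enabled.split(",") if d.strip()]
    findings = []
    for name in names:
        section = "domain/" + name
        if not cfg.has_section(section):
            findings.append((name, "listed in domains but has no section"))
            continue
        id_p = cfg.get(section, "id_provider", fallback="").strip().lower()
        auth_p = cfg.get(section, "auth_provider", fallback="").strip().lower()
        if id_p == "none":
            # Thread report: backend logged "fatal error initializing data providers".
            findings.append((name, "id_provider = none (backend failed to initialize)"))
        elif id_p == "local" and auth_p == "none":
            # Thread report: auth_provider cannot be none with the local id_provider.
            findings.append((name, "id_provider = local with auth_provider = none"))
    return findings


if __name__ == "__main__":
    for domain, message in check_domains(SAMPLE):
        print(f"{domain}: {message}")
```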