On Thu, Feb 02, 2017 at 03:56:22PM -0000, smfrench(a)gmail.com wrote:
> In a scenario in which an sssd node joined to Active Directory
> crashed and had to be rebuilt, restoring key files from backup, other than the obvious
> files in /etc (for krb5, sssd, nss etc.) are there other sssd/krb5 persistent databases
> (/var/lib/sss/db ?) that would have to be restored (ctdb already handles Samba related
> databases like secrets.tdb) in order to recover a system after failure?
> What sssd files (if any) other than those in /etc directory would be required to restore
> a system that is joined to an AD domain after failure?

/var/lib/sss/db if you use client-side overrides (defined with the
sss_override tool) or if it is expected users should be able to log in
offline, since the cache also stores the password.

/var/lib/sss/secrets if you store secrets in sssd (see man sssd-secrets).

Unless you use either of the two, I think restoring the keytab and the
config files would be OK. On the other hand, there is nothing wrong with
restoring the caches as well, and it might save you trouble later should
you decide to use either offline auth or overrides.