Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified
"ldap_idmap_helper_table_size" directive value in the host sssd.conf is set
at the parent domain instead of the child domain, which remains at the
default of 10 (the child domain is not a domain tree).
Forest: dvc.darkvixen.com
Parent domain: dvc.darkvixen.com (parent non-dedicated forest root domain)
Child domain: lab.dvc.darkvixen.com
My understanding is that no "subdomain_provider" directive is needed for
this configuration, and the "subdomain_inherit" directive does not support
the inheritance of the "ldap_idmap_helper_table_size" directive.
The sanitized sssd.conf:
[sssd]
config_file_version = 2
services = nss,pam,pac
domains = lab.dvc.darkvixen.com

[nss]
filter_users = root
filter_groups = root

[pam]

[pac]

[domain/lab.dvc.darkvixen.com]
id_provider = ad
access_provider = ad
enumerate = false
cache_credentials = true
ldap_idmap_helper_table_size = 20
ad_site = DarkVixenCorp
ad_hostname = darkvixen200.lab.dvc.darkvixen.com
ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM:(memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
From the domain log:
[dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
[sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [dvc.darkvixen.com][S-1-5-21-623326418-92578587-4020003380][8636]
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
[sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
From the relevant DC:
~# Get-ADForest
ApplicationPartitions : {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com,
                        DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com,
                        DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
CrossForestReferences : {}
DomainNamingMaster    : DARKVIXEN161WIN.dvc.darkvixen.com
Domains               : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
ForestMode            : Windows2012R2Forest
GlobalCatalogs        : {DARKVIXEN161WIN.dvc.darkvixen.com,
                        DARKVIXEN164WIN.lab.dvc.darkvixen.com}
Name                  : dvc.darkvixen.com
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
RootDomain            : dvc.darkvixen.com
SchemaMaster          : DARKVIXEN161WIN.dvc.darkvixen.com
Sites                 : {DarkVixenCorp}
SPNSuffixes           : {}
UPNSuffixes           : {}
Is this a bug fixed with later daemons or is there additional configuration
required?
Many thanks,
-- lawrence
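
An added example, not part of the original post: a small Python check that pairs each stored ID mapping in an SSSD domain log with the ldap_idmap_helper_table_size value logged most recently before it, then reports where the configured value ended up. Pairing by log order is an assumption that follows the post's reading of the log, not SSSD's source; the function names are hypothetical, and the sample is the post's log excerpt with wrapped lines rejoined.

```python
import re

# Log excerpt from the post, wrapped lines rejoined (one entry per line).
SAMPLE_LOG = """\
[dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
[sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [dvc.darkvixen.com][S-1-5-21-623326418-92578587-4020003380][8636]
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
[sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
"""

OPTION_RE = re.compile(r"\[(dp_get_options|dp_copy_options_ex)\].*?"
                       r"Option ldap_idmap_helper_table_size has value (\d+)")
MAPPING_RE = re.compile(r"Adding new ID mapping \[([^\]]+)\]\[(S-[\d-]+)\]\[(\d+)\]")

def helper_table_by_domain(log_text):
    """Pair each ID mapping with the last helper-table value logged before it."""
    results, pending = [], None
    for line in log_text.splitlines():
        opt = OPTION_RE.search(line)
        if opt:
            pending = (opt.group(1), int(opt.group(2)))
            continue
        mapping = MAPPING_RE.search(line)
        if mapping:
            source, size = pending if pending else (None, None)
            results.append({"domain": mapping.group(1), "sid": mapping.group(2),
                            "slice": int(mapping.group(3)),
                            "helper_table_size": size, "option_source": source})
            pending = None  # an option line is consumed by one mapping only
    return results

def check_placement(results, joined_domain, configured_size):
    """Report domains where the observed value disagrees with sssd.conf."""
    findings = []
    for r in results:
        is_joined = r["domain"].lower() == joined_domain.lower()
        has_value = r["helper_table_size"] == configured_size
        if is_joined and not has_value:
            findings.append(f"{r['domain']}: configured {configured_size}, "
                            f"log shows {r['helper_table_size']}")
        elif not is_joined and has_value:
            findings.append(f"{r['domain']}: carries the value configured "
                            f"for {joined_domain}")
    return findings

if __name__ == "__main__":
    rows = helper_table_by_domain(SAMPLE_LOG)
    for finding in check_placement(rows, "lab.dvc.darkvixen.com", 20):
        print(finding)
```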