Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set at the parent domain instead of the child domain, which remains at the default of 10 (the child domain is not a domain tree).
Forest: dvc.darkvixen.com
Parent domain: dvc.darkvixen.com (parent non-dedicated forest root domain)
Child domain: lab.dvc.darkvixen.com
My understanding is that no "subdomain_provider" directive is needed for this configuration, and the "subdomain_inherit" directive does not support the inheritance of the "ldap_idmap_helper_table_size" directive.
The sanitized sssd.conf:
[sssd]
config_file_version = 2
services = nss,pam,pac
domains = lab.dvc.darkvixen.com

[nss]
filter_users = root
filter_groups = root

[pam]

[pac]

[domain/lab.dvc.darkvixen.com]
id_provider = ad
access_provider = ad
enumerate = false
cache_credentials = true
ldap_idmap_helper_table_size = 20
ad_site = DarkVixenCorp
ad_hostname = darkvixen200.lab.dvc.darkvixen.com
ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM: (memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
From the domain log:
[dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
[sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [dvc.darkvixen.com][S-1-5-21-623326418-92578587-4020003380][8636]
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
[sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
From the relevant DC:
~# Get-ADForest
ApplicationPartitions : {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com, DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com, DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
CrossForestReferences : {}
DomainNamingMaster : DARKVIXEN161WIN.dvc.darkvixen.com
Domains : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
ForestMode : Windows2012R2Forest
GlobalCatalogs : {DARKVIXEN161WIN.dvc.darkvixen.com, DARKVIXEN164WIN.lab.dvc.darkvixen.com}
Name : dvc.darkvixen.com
PartitionsContainer : CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
RootDomain : dvc.darkvixen.com
SchemaMaster : DARKVIXEN161WIN.dvc.darkvixen.com
Sites : {DarkVixenCorp}
SPNSuffixes : {}
UPNSuffixes : {}
Is this a bug fixed with later daemons, or is there additional configuration required?
Many thanks,
-- lawrence
Hello again :-)
After finding other directives that seemed to display the same behavior in my environment I parsed the logs more closely and it appears to me that the order of processing/logging directives is from the perspective of the joined domain first. In this case the child domain appears to take the configured directive and the parent is left at the default. Oddly, the parent domain is also referred to as a subdomain in the log.
My setup again:
parent domain: dvc.darkvixen.com (DC darkvixen161win.dvc.darkvixen.com)
child domain: lab.dvc.darkvixen.com (DC darkvixen164win.lab.dvc.darkvixen.com)
The relevant log entries:
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain lab.dvc.darkvixen.com and site DarkVixenCorp
[sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'darkvixen164win.lab.dvc.darkvixen.com:389' to service 'AD'
[sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_domain_subdom_add] (0x0400): subdomain dvc.darkvixen.com is a new one, will create a new sdap domain object
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
[sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain dvc.darkvixen.com and site DarkVixenCorp
[sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'darkvixen161win.dvc.darkvixen.com:389' to service 'dvc.darkvixen.com'
So, my questions now are:
Do I understand this correctly?
Is the logging working as intended?
Is there a way to expose the runtime configuration of the SSSD, including default configuration directive values (similar to /usr/sbin/sshd -T)?
Many thanks,
-- lawrence
On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney hangarbait@gmail.com wrote:
On Thu, Aug 30, 2018 at 05:57:07AM -0400, Lawrence Kearney wrote:
So, my questions now are:
Do I understand this correctly?
I think yes. For SSSD the domain you are joined to is the most important one; all others are sub-domains.
Is the logging working as intended?
Yes, but I agree it is a bit irritating. Although the idmap options for sub-domains are shown, only the ones of the joined domain are of importance. All domains use the same id-mapping settings, the ones from the joined domain. Otherwise it would be hard to avoid id collisions.
Is there a way to expose the runtime configuration of the SSSD, including default configuration directive values (similar to /usr/sbin/sshd -T)?
Currently not, there is 'sssctl config-check' but this does not display values or defaults. There is https://pagure.io/SSSD/sssd/issue/3157 to show values from the config file. You might want to add a comment about showing the default values for all other options as well or open a new ticket for this.
bye, Sumit
On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney hangarbait@gmail.com wrote:
-- Lawrence Kearney
e: lawrence.kearney@earthlink.net t: +001 706.951.6257 w: www.lawrencekearney.com l: www.linkedin.com/in/lawrencekearney
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
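The slice-to-range arithmetic behind Sumit's answer, as an added Python example that is not code from the thread or from SSSD itself: it reads the quoted domain-log lines, keeps the idmap options logged by dp_get_options (the joined domain) apart from the dp_copy_options_ex copies made for sub-domains, derives each domain's POSIX ID range from its slice, and checks that no two domains' ranges collide. The range formula (range_min + slice * range_size, range_size IDs wide) is my reading of SSSD's idmap design, and the sample log is constructed from the values quoted above; RIDs that do not fit the primary slice are only flagged, since the secondary-slice lookup that ldap_idmap_helper_table_size bounds is not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines from the domain log quoted in the thread.
SAMPLE_LOG = """\
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
"""

OPTION_RE = re.compile(r"\[(dp_get_options|dp_copy_options_ex)\] \(0x[0-9a-fA-F]+\): "
                       r"Option (\w+) has value (\d+)")
SLICE_RE = re.compile(r"\[sdap_idmap_add_domain\] \(0x[0-9a-fA-F]+\): "
                      r"Adding domain \[(S-1-5-21-\d+-\d+-\d+)\] as slice \[(\d+)\]")
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class IdmapState:
    joined_opts: dict = field(default_factory=dict)  # dp_get_options: the joined domain
    subdom_opts: dict = field(default_factory=dict)  # dp_copy_options_ex: sub-domain copies
    slices: dict = field(default_factory=dict)       # domain SID -> slice number


def parse_idmap_log(text):
    """Collect idmap options and SID->slice assignments from sssd domain-log lines."""
    state = IdmapState()
    for line in text.splitlines():
        m = OPTION_RE.search(line)
        if m:
            func, name, value = m.groups()
            target = state.joined_opts if func == "dp_get_options" else state.subdom_opts
            target[name] = int(value)
            continue
        m = SLICE_RE.search(line)
        if m:
            state.slices[m.group(1)] = int(m.group(2))
    return state


def slice_range(opts, slice_no):
    """POSIX ID range [min, max] owned by a slice (assumed: range_min + slice * range_size)."""
    lower, upper = opts["ldap_idmap_range_min"], opts["ldap_idmap_range_max"]
    size = opts["ldap_idmap_range_size"]
    max_slices = (upper - lower) // size
    if not 0 <= slice_no < max_slices:
        raise ValueError(f"slice {slice_no} outside 0..{max_slices - 1}")
    start = lower + slice_no * size
    return start, start + size - 1


def sid_to_uid(state, sid):
    """Map an object SID to a UID/GID, using the joined domain's options for every domain.

    Returns None for an unknown domain or for a RID that does not fit the primary slice
    (SSSD would then need a secondary slice, whose lookup ldap_idmap_helper_table_size
    bounds; that part is not modelled here).
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an object SID: {sid}")
    dom_sid, rid = m.group(1), int(m.group(2))
    if dom_sid not in state.slices:
        return None
    opts = state.joined_opts  # the sub-domain copies (state.subdom_opts) are deliberately ignored
    if rid >= opts["ldap_idmap_range_size"]:
        return None
    start, _ = slice_range(opts, state.slices[dom_sid])
    return start + rid


def find_overlaps(state):
    """Pairs of domain SIDs whose slice ranges collide (expected to be empty)."""
    ranges = {sid: slice_range(state.joined_opts, s) for sid, s in state.slices.items()}
    sids = sorted(ranges)
    clashes = []
    for i, a in enumerate(sids):
        for b in sids[i + 1:]:
            (a0, a1), (b0, b1) = ranges[a], ranges[b]
            if a0 <= b1 and b0 <= a1:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    st = parse_idmap_log(SAMPLE_LOG)
    print("joined-domain helper_table_size:", st.joined_opts["ldap_idmap_helper_table_size"])
    print("sub-domain copy helper_table_size:", st.subdom_opts["ldap_idmap_helper_table_size"])
    for dom_sid, slice_no in st.slices.items():
        print(dom_sid, "slice", slice_no, "->", slice_range(st.joined_opts, slice_no))
    print("overlaps:", find_overlaps(st))
```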
Thank you Sumit, that helps immensely.
I think adding such a feature would be very useful, so I'll open a new ticket if you remind me where to enter one.
I previously entered a ticket to have the PAM return codes used by the pam_sss module added to the man file for the module (as other modules do), but it has not appeared in any versions I've noticed yet. It would be most helpful for those of us that are incorporating MFA logic in our PAM stacks to explicitly know which return codes are implemented by the daemon.
... but, back to my original point, thank you :-)
-- lawrence
On Thu, Aug 30, 2018 at 6:26 AM Sumit Bose sbose@redhat.com wrote:
On Thu, Aug 30, 2018 at 06:44:42AM -0400, Lawrence Kearney wrote:
Thank you Sumit, that helps immensely.
I think adding such a feature would be very useful, so I'll open a new ticket if you remind me where to enter one.
https://pagure.io/SSSD/sssd/new_issue
I previously entered a ticket to have the PAM return codes used by the pam_sss module added to the man file for the module (as other modules do), but it has not appeared in any versions I've noticed yet. It would be most helpful for those of us that are incorporating MFA logic in our PAM stacks to explicitly know which return codes are implemented by the daemon.
I've seen the ticket but didn't have a chance to update the man page.
... but, back to my original point, thank you :-)
you're welcome.
bye, Sumit