On Tue, Oct 24, 2017 at 12:28:53PM -0000, rdratlos(a)yahoo.co.uk wrote:
understood. The configuration seems to be correct.
> This is to make sure that UIDs and GIDs are consistent
> for Samba components which might ask winbind directly for IDs and other
> applications which will use the system's nss interfaces.
This is exactly the reason, why I want winbind to use the idmap_sss backend.
I have seen that the mapping is cached by at least three caches (windbind: gencache,
winbindd_cache; sssd: sss cache). Are there any timeout recommendations for sssd and
winbindd caches for the mapping to work properly?
If you start with empty caches on the winbind side the results should
stay the same because changes in the mapping should be very rare. Please
note the by default 'idmap cache time' is 1 week because of the rare
changes, see man smb.conf for more details.
Also, is there an easy way to log sss_idmap backend interworking with winbind?
Not an easy we but SSSD will add log messages like:
(Tue Oct 24 13:41:22 2017) [sssd[nss]] [get_client_cred] (0x4000): Client creds:
euid egid pid.
if debug_level=9. With the help of the pid you can identify which
request comes from winbind.
I had following wrong entry in the the caches for a long time (with several reboots,
restarts of winbind d and sssd):
wbind -i rdratlos (from windbindd with sss_idmap)
getent passwd rdratlos (from sssd)
Only a combination of
I would expect that the above one is not needed because 'getent passwd
rdratlos' already returned the expected results.
> net cache flush
> systemctl restart winbindd
> seemed to have fixed this to:
> wbind -i rdratlos (from windbindd with sss_idmap)
> rdratlos:*:1000:513:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/false
> Best regards
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org