The current iteration of the Winbind backend allows defining "idmap backend" and configures "idmap uid" and "idmap gid" based on the administrator-provided id ranges.
However, the syntax is slightly different from what is suggested in the manual pages, and if more than one domain is using Winbind then there might be issues with the current approach. idmap_rid(8) has an example of how to configure rid properly for several domains:
workgroup = MAIN
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config MAIN : backend = rid
idmap config MAIN : range = 10000 - 49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
It seems that if one doesn't explicitly set a non-default idmap backend
then the tdb backend will get used meaning that users in a domain will
get different uids on different systems using the SSSD/Winbind backend.
And the current configuration file being generated by SSSD for the
winbind daemon does not include any domain specific configuration for
the id mappings. So if an organization has two AD domains like PROD and
TEST (a rather common case when preparing for a DC update, e.g., PROD is
AD 2003 and TEST is for AD 2008 testing), how can one configure the
backend to be used with both of these domains if IdM for UNIX is not in use?
If needed please feel free to split this ticket into separate ones for each of the items mentioned in the comments here.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1095
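A check for the situation this ticket describes, as an added example that is not SSSD or Samba code: it parses the idmap lines of a winbind configuration, reports expected domains that have no `idmap config` section of their own (so they fall back to the default backend), and reports id ranges that overlap between domains. The sample configuration, the `audit` helper, the finding names and the list of expected domains are assumptions made for illustration; the legacy global lines are keyed as `*`.

```python
import re
from itertools import combinations

# Constructed sample: PROD overlaps MAIN, and TEST has no section of its own.
SAMPLE = """
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config MAIN : backend = rid
idmap config MAIN : range = 10000 - 49999
idmap config PROD : backend = rid
idmap config PROD : range = 40000 - 89999
"""

IDMAP = re.compile(r"idmap (?:config\s+(\S+)\s*:\s*)?(backend|range|uid|gid)\s*=\s*(.+)", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_range(value):
    m = RANGE.fullmatch(value.strip())
    if not m or int(m[1]) > int(m[2]):
        raise ValueError(f"bad id range: {value!r}")
    return int(m[1]), int(m[2])

def parse_idmap(text):
    """Map domain -> {"backend", "ranges"}; legacy global lines go under "*"."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        m = IDMAP.fullmatch(line)
        if not m:
            continue
        domain, key, value = (m[1] or "*").upper(), m[2].lower(), m[3]
        entry = conf.setdefault(domain, {"ranges": set()})
        if key == "backend":
            entry["backend"] = value.strip()
        else:  # range, uid or gid
            entry["ranges"].add(parse_range(value))
    return conf

def audit(text, domains):
    """Findings for the domains this host is expected to serve (assumed list)."""
    conf, findings = parse_idmap(text), []
    for dom in (d.upper() for d in domains):
        if not (conf.get(dom, {}).get("backend") and conf[dom]["ranges"]):
            findings.append(("no-domain-config", dom))  # falls back to default backend
    spans = [(d, r) for d, e in conf.items() for r in e["ranges"]]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(spans, 2):
        if d1 != d2 and lo1 <= hi2 and lo2 <= hi1:
            findings.append(("overlap", *sorted((d1, d2))))
    return findings
```

Calling `audit(SAMPLE, ["MAIN", "PROD", "TEST"])` reports TEST as lacking its own section and MAIN and PROD as overlapping; the idmap_rid(8) snippet quoted in the ticket passes cleanly for MAIN and TRUSTED.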
Comments
Comment from myllynen at 2011-11-28 09:38:35
Also if using idmap_ad then you might also want to set the winbind nss info option.
Comment from myllynen at 2011-12-01 15:28:47
There was some discussion related to this on the mailing list, particularly related to idmap_tdb and idmap_rid. From https://fedorahosted.org/pipermail/sssd-devel/2011-November/007645.html:
If needed please feel free to split this ticket into separate ones for each of the items mentioned in the comments here.
Comment from dpal at 2011-12-01 15:39:14
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.8.0
Comment from dpal at 2011-12-10 18:15:45
Fields changed
milestone: SSSD 1.8.0 => NEEDS_TRIAGE
Comment from dpal at 2011-12-10 18:49:51
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.8 AD Integration NEEDS TRIAGE
Comment from dpal at 2011-12-12 16:28:08
Fields changed
milestone: SSSD 1.8 AD Integration NEEDS TRIAGE => SSSD Deferred
Comment from dpal at 2012-01-19 03:24:11
Fields changed
rhbz: => 0
Comment from dpal at 2012-08-16 21:53:38
Since we dropped the winbind provider this ticket is not applicable any more.
blockedby: =>
blocking: =>
feature_milestone: =>
proposed_priority: => Undefined
resolution: => wontfix
status: new => closed
Comment from myllynen at 2017-02-24 14:53:57
Metadata Update from @myllynen: