Some AD provider option defaults are different from their default values mentioned in sssd-ldap or sssd-krb5 man pages. I am creating a general ticket for this under the assumption that there are other options I'm not aware of which differ, but these two I came across myself during troubleshooting.
krb5 provider example
Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. The keytab is checked for entries sequentially, and the first entry with a matching realm is used for validation. If no entry matches the realm, the last entry in the keytab is used. This process can be used to validate environments using cross-realm trust by placing the appropriate keytab entry as the last entry or the only entry in the keytab file.
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE
ldap provider example
Specifies that SSSD should attempt to map user and group IDs from the ldap_user_objectsid and ldap_group_objectsid attributes instead of relying on ldap_user_uid_number and ldap_group_gid_number.
Currently this feature supports only ActiveDirectory objectSID mapping.
(Thu Oct 6 14:41:05 2016) [sssd[be[AD.JSTEPHEN]]] [dp_get_options] (0x0400): Option ldap_id_mapping is TRUE
The 'ldap_id_mapping' example above is not the best example because the sssd-ad man page does discuss id mapping in some detail; however, there is nothing mentioned about krb5_validate in the sssd-ad man page.
Sumit suggested that we should add the different AD provider default value in the ldap/krb5 provider man page and also in the ad provider man page.
sbose| justin-time, the defaults are different in the plain krb5 and the AD provider. Would you mind filing a ticket to update the man page accordingly?
justin-tim| sbose: sure, should the option be added to the sssd-ad man page then or a conditional note in the sssd-krb5 man page?
sbose| justin-time, I guess best would be both, it would be redundant, but might help the user to find the information he is looking for.
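The keytab selection rule quoted above from the krb5_validate description (first entry whose realm matches the TGT's realm, otherwise the last entry) is easy to get wrong when a keytab holds entries for more than one realm. The following is an added example, not SSSD's code and not a real keytab parser: it models keytab entries and TGTs as plain records (the `KeytabEntry`, `Tgt` and `KEYTAB` names are constructed for illustration) and implements only the entry-selection rule plus a stand-in for the validation step, so the cross-realm and no-matching-realm cases can be seen without a KDC.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    """One keytab entry, reduced to the fields the selection rule looks at (constructed model)."""
    principal: str  # e.g. host/client.ad.example.test@AD.EXAMPLE.TEST
    kvno: int
    enctype: str

    @property
    def realm(self) -> str:
        # The realm is the part of the principal name after the last '@'.
        return self.principal.rsplit("@", 1)[1]


@dataclass(frozen=True)
class Tgt:
    """Stand-in for an obtained TGT: real validation re-encrypts a service ticket with the
    local key; here we only record which key (principal, kvno) the KDC used (constructed)."""
    client_realm: str
    issued_for: str
    kvno: int


def select_validation_entry(keytab: List[KeytabEntry], tgt_realm: str) -> Optional[KeytabEntry]:
    """Entry used to validate a TGT, as the krb5_validate text describes it:
    scan sequentially, take the first entry whose realm matches the TGT realm;
    if no entry matches, fall back to the last entry in the keytab."""
    if not keytab:
        return None
    for entry in keytab:
        if entry.realm == tgt_realm:
            return entry
    return keytab[-1]


def validate_tgt(keytab: List[KeytabEntry], tgt: Tgt) -> bool:
    """Simulated validation: succeeds only if the selected entry is the key the TGT was issued against.
    A TGT from a realm that has no keytab entry is checked against the last entry and is
    rejected unless that entry happens to be the right one (the man page's 'last entry' rule)."""
    entry = select_validation_entry(keytab, tgt.client_realm)
    if entry is None:
        return False
    return entry.principal == tgt.issued_for and entry.kvno == tgt.kvno


# Constructed keytab: two local-realm keys first, the cross-realm trust key deliberately last,
# which is the ordering the krb5_validate text recommends for trust environments.
LOCAL_REALM = "AD.EXAMPLE.TEST"
TRUST_REALM = "CORP.EXAMPLE.TEST"
KEYTAB = [
    KeytabEntry(f"host/client.ad.example.test@{LOCAL_REALM}", 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry(f"host/client.ad.example.test@{LOCAL_REALM}", 3, "aes128-cts-hmac-sha1-96"),
    KeytabEntry(f"host/client.ad.example.test@{TRUST_REALM}", 1, "aes256-cts-hmac-sha1-96"),
]


def demo() -> dict:
    """Run the three cases a practitioner cares about and return which entry index was chosen."""
    local = select_validation_entry(KEYTAB, LOCAL_REALM)
    trust = select_validation_entry(KEYTAB, TRUST_REALM)
    unknown = select_validation_entry(KEYTAB, "UNKNOWN.TEST")
    return {
        "local_index": KEYTAB.index(local),      # first matching entry, not the second aes128 one
        "trust_index": KEYTAB.index(trust),      # the trust entry, found by realm match
        "unknown_index": KEYTAB.index(unknown),  # no realm match -> last entry
    }


if __name__ == "__main__":
    print(demo())
    print(validate_tgt(KEYTAB, Tgt(LOCAL_REALM, KEYTAB[0].principal, 3)))
```

The point the example makes for a keytab with several realms: a realm match is found regardless of position, so ordering only decides what happens when nothing matches, and that fallback is exactly what a cross-realm setup relies on, while a TGT from an unexpected realm gets checked against whatever sits last and fails closed.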
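The ldap_id_mapping description above says IDs are derived from the binary objectSID attribute rather than read from uidNumber/gidNumber. As an added example (not SSSD's code), the block below decodes an Active Directory objectSID into its S-1-5-21-... string, splits it into domain SID and RID, and then applies a deliberately simple range-per-domain mapping to show the shape of the problem. The `IdMapper` class and its slice assignment are constructed for illustration only; SSSD's own slice selection, range options and collision handling are not reproduced here.

```python
import struct
from typing import Dict, Tuple


def parse_objectsid(blob: bytes) -> str:
    """Decode a binary SID (revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities) into its textual S-... form."""
    if len(blob) < 8:
        raise ValueError("objectSID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a textual SID into (domain SID, RID); the RID is the final sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


class IdMapper:
    """Constructed illustration of algorithmic ID mapping: each domain SID gets its own slice of
    `range_size` IDs starting at `range_min`, and a RID becomes slice base + RID.
    Slices are handed out in order of first sight; this is NOT how SSSD chooses slices."""

    def __init__(self, range_min: int = 200000, range_size: int = 200000):
        self.range_min = range_min
        self.range_size = range_size
        self._slices: Dict[str, int] = {}

    def slice_for(self, domain_sid: str) -> int:
        if domain_sid not in self._slices:
            self._slices[domain_sid] = len(self._slices)
        return self._slices[domain_sid]

    def map_sid(self, sid: str) -> int:
        domain_sid, rid = split_sid(sid)
        if rid >= self.range_size:
            # A RID outside the slice would collide with the next domain's slice, so refuse it.
            raise ValueError(f"RID {rid} does not fit in a slice of {self.range_size}")
        return self.range_min + self.slice_for(domain_sid) * self.range_size + rid


# Constructed sample objectSID bytes for S-1-5-21-1000-2000-3000-1105 (not from a real directory).
SAMPLE_OBJECTSID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1105)


def demo() -> Tuple[str, int, int]:
    """Decode the sample SID, map it, then map a user from a second domain to show separate slices."""
    mapper = IdMapper()
    sid = parse_objectsid(SAMPLE_OBJECTSID)
    uid = mapper.map_sid(sid)
    other_uid = mapper.map_sid("S-1-5-21-7-8-9-500")
    return sid, uid, other_uid


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the man-page sentence does not: the mapping is purely computed (no uidNumber lookup happens), and an ID is only stable as long as the slice assignment is stable, which is why any real scheme must derive the slice from the domain SID rather than from the order in which domains were first seen.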
owner: somebody => jstephen
status: new => assigned
In general I agree. I just wonder if documenting the different defaults just in the sssd-ad man page might be more concise (our man pages are already quite big). On the other hand, splitting the options that are reused but with different defaults in different providers might allow us to split those options into included XML files and then have only a single place to change defaults.
I think I would lean towards the second option and put the low-level Kerberos options into a separate section in the sssd-ad man page, but that's just my quick opinion :)
We'll gladly review a PR, in the meantime, moving to Patches welcome.
milestone: NEEDS_TRIAGE => SSSD Patches welcome
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1391064 (Red Hat Enterprise Linux 7)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1391064 1391064]
milestone: SSSD Patches welcome => SSSD 1.15 Alpha
resolution: => fixed
status: assigned => closed
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1416526 (Red Hat Enterprise Linux 7)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1391064 1391064] => [https://bugzilla.redhat.com/show_bug.cgi?id=1391064 1391064], [https://bugzilla.redhat.com/show_bug.cgi?id=1416526 1416526]
Metadata Update from @jstephen:
- Issue assigned to jstephen
- Issue set to the milestone: SSSD 1.15.0