[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sssd-users
Subject:    =?utf-8?q?=5BSSSD-users=5D?= Re: sssd and clustering/ctdb
From:       Sumit Bose <sbose () redhat ! com>
Date:       2017-01-30 8:09:07
Message-ID: 20170130080907.GO894 () p ! Speedport_W_724V_Typ_A_05011603_00_011
[Download RAW message or body]

On Fri, Jan 27, 2017 at 07:24:26PM -0000, smfrench@gmail.com wrote:
> We were noticing some strange problems in two node clustered (ctdb/samba) sssd, \
> cases in which both nodes joined AD fine, but "getent passwd <username>" worked for \
> only a subset of the remote AD users on one node, but worked fine on the other.    \
> The config seemed to be identical on the two nodes - didn't see any obvious \
> problems with sssd configuration, but clearly the two nodes behave differently.

It is hard to say without logs what might be the issue here, especially
since you say that it works for a subset of users.

> 
> Are there instructions on setting up sssd in clustered environment (e.g. presumably \
> similar to the clustered ctdb/samba/ceph or gluster that RHEL might ship)? or for \
> the clustered case is it safer to simply use winbind?

SSSD's libwbclient was implemented to make simple some simple use cases
possible, namely running a Samba file server in an FreeIPA domain. It
can use used to run similar simple setup in an AD domain with a number
of restrictions compared to winbind.

ctdb setups are so far not tested by me and I'm not aware of any other
tests or setups either. There are afaik also some special areas where
ctdb and winbind depend on each other. e.g. the shared hostkey in
secrets.tbd. So, yes, I would it is safer to use winbind for the
clustered case.

In the long run I think best to make sure winbind and SSSD can run
together on the same system and use the same ID mapping e.g. with the
help of SSSD idmap plugin for winbind. See e.g. the thread you started
on samba-technical including Ralph's effort to bring the plugin to Samba
upstream or my talk on last year's SambaXP
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumit_Bose-WinbindAndSSSDCanTheyBeFriends/



> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org


[prev in list] [next in list] [prev in thread] [next in thread]