id mapping, rfc2307 and real customer environments

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed May 18 09:50:30 UTC 2016

On Wed, May 18, 2016 at 08:51:05AM +0300, Alexander Bokovoy wrote:
> > Recently I've taken a closer look at sssd, but I did not find out yet how
> > to really properly integrate those two in more complex environments. You
> > should open a call with Red Hat for deeper questions about this I guess.
> SSSD allows you to have multiple 'domains' in its configuration, each domain
> representing one set of related resources. It is possible to make
> separate configurations for rfc2307 and rid-based ranges associated with
> different domains. As long as there will be no overlap between them in
> terms of ID ranges, it should just work.

Winbind also has the ability to have different configurations per domain.

On top, current master winbind has the ability to use overlapping
ranges. So if you have more than one domain in a trusted environment and
each domain has SFU mappings, there is no need anymore to separate mapping
ranges. Of course this is well-defined only as long as the mappings do
not collide, but in typical environments I would expect the admin to
have taken care of it anyway.

The question here at hand is though: Can sssd be configured such that it
looks at custom attributes for shared users pointing at UNIX.EXAMPLE.COM
in a user-defined way and at the same time do Windows-only mappings in
its own way? For winbind I'd use some script using the idmap script
backend for the non-UNIX.EXAMPLE.COM domain configurations.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
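
The conditions discussed in this message (no overlap between per-domain ID ranges, or overlapping ranges whose mappings must not collide) can be reviewed mechanically. The following is an added example, not part of the original message and not Samba or SSSD code: it parses `idmap config DOMAIN : option = value` lines from smb.conf text and reports which domains share part of an ID range. The domain names UNIX and WIN and all ranges in the sample are constructed.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment (domain names and ranges are assumptions).
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config UNIX : backend = ad
    idmap config UNIX : schema_mode = rfc2307
    idmap config UNIX : range = 10000-19999
    idmap config WIN : backend = rid
    idmap config WIN : range = 15000 - 29999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment markers
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains

def parse_range(value):
    """Turn 'low-high' (spaces allowed) into an (int, int) tuple."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted range {value!r}")
    return low, high

def overlapping_ranges(conf_text):
    """List (dom_a, dom_b, (low, high)) for each pair of domains sharing IDs."""
    ranges = {d: parse_range(o["range"])
              for d, o in parse_idmap(conf_text).items() if "range" in o}
    hits = []
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        low, high = max(ra[0], rb[0]), min(ra[1], rb[1])
        if low <= high:                            # the intervals intersect
            hits.append((a, b, (low, high)))
    return hits

if __name__ == "__main__":
    for a, b, (low, high) in overlapping_ranges(SAMPLE_SMB_CONF):
        print(f"{a} and {b} share IDs {low}-{high}: check that mappings cannot collide")
```

A reported overlap is a prompt for review rather than an error in itself, since the message notes that overlapping ranges are usable as long as the mappings do not collide.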
