Learn more about these different git repos.
Other Git URLs
We currently use the tokenGroups control against one Ad domain server to retrieve the list of groups a user belongs too, not just for random initgroups calls but also during authentication.
We should instead rely on the MS-PAC at authentication time and use the Global Catalog to reslove SIDs into names/Posix IDs.
This is because tokenGroups is limited to the specific domain and may not be able to retrieve memberships that span through a forest, it also may have other restrictions due to the fact we use the machine account to call the tokenGroups control instead of the user's credentials.
We should use the tokenGroups method as a fallback if the user never logged in, but use MS-PAC/Global Catalog lookups for the normal auth case.
Related to #364
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
priority: major => critical
summary: Use MS-PAC to retrieve user's group list => [RFE] Use MS-PAC to retrieve user's group list
type: defect => enhancement
design_review: => 0
selected: => Want
owner: somebody => sbose
review: => 0
patch: 0 => 1
status: new => assigned
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/GlobalCatalogLookups
changelog: => Not visible to end user. It just more reliable to read the group memberships from PAC and for trusted users the only reliable way.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=969883 (Red Hat Enterprise Linux 7)
rhbz: 0 => [https://bugzilla.redhat.com/show_bug.cgi?id=969883 969883]
resolution: => fixed
status: assigned => closed
Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta
to comment on this ticket.