#1558 [RFE] Use MS-PAC to retrieve user's group list
Closed: Fixed None Opened 6 years ago by simo.

We currently use the tokenGroups control against one Ad domain server to retrieve the list of groups a user belongs too, not just for random initgroups calls but also during authentication.
We should instead rely on the MS-PAC at authentication time and use the Global Catalog to reslove SIDs into names/Posix IDs.
This is because tokenGroups is limited to the specific domain and may not be able to retrieve memberships that span through a forest, it also may have other restrictions due to the fact we use the machine account to call the tokenGroups control instead of the user's credentials.
We should use the tokenGroups method as a fallback if the user never logged in, but use MS-PAC/Global Catalog lookups for the normal auth case.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0

Fields changed

priority: major => critical
summary: Use MS-PAC to retrieve user's group list => [RFE] Use MS-PAC to retrieve user's group list
type: defect => enhancement

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Want

Fields changed

owner: somebody => sbose

Fields changed

review: => 0

Fields changed

patch: 0 => 1
status: new => assigned

Fields changed

changelog: => Not visible to end user. It just more reliable to read the group memberships from PAC and for trusted users the only reliable way.

resolution: => fixed
status: assigned => closed

Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

2 years ago

Login to comment on this ticket.

Metadata