We currently use the tokenGroups control against one AD domain server to retrieve the list of groups a user belongs to, not just for random initgroups calls but also during authentication. We should instead rely on the MS-PAC at authentication time and use the Global Catalog to resolve SIDs into names/Posix IDs. This is because tokenGroups is limited to the specific domain and may not be able to retrieve memberships that span through a forest; it also may have other restrictions due to the fact we use the machine account to call the tokenGroups control instead of the user's credentials. We should use the tokenGroups method as a fallback if the user never logged in, but use MS-PAC/Global Catalog lookups for the normal auth case.
Related to #364
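As an added illustration (not code from the SSSD project or from the ticket author), the following Python sketches the proposed path: take group SIDs as they come out of a PAC, resolve them against a Global Catalog lookup table and map each one to a POSIX ID using a per-domain range. The GC table, the ID ranges and the SIDs are all constructed for the demo, and the "range start + RID" mapping is a simplification of algorithmic ID mapping, not SSSD's own idmap code. It also covers the forest case the ticket raises: a group SID from a trusted domain is resolved the same way as one from the user's own domain, and a SID the GC cannot resolve is reported rather than silently dropped.

```python
import struct

# Constructed stand-in for Global Catalog results: SID -> (name, domain).
# A real implementation would query the GC over LDAP for objectSid.
GC_SNAPSHOT = {
    "S-1-5-21-1111-2222-3333-513": ("Domain Users", "example.com"),
    "S-1-5-21-1111-2222-3333-1105": ("linux-admins", "example.com"),
    "S-1-5-21-4444-5555-6666-1201": ("forest-ops", "trusted.example.net"),
}

# Constructed per-domain POSIX ID ranges: domain SID -> (range start, range size).
# Simplified mapping (POSIX ID = range start + RID); hypothetical values.
ID_RANGES = {
    "S-1-5-21-1111-2222-3333": (200000, 200000),
    "S-1-5-21-4444-5555-6666": (400000, 200000),
}


def make_sid(authority, *subauthorities):
    """Build a binary SID (demo helper): revision 1, sub-authority count,
    48-bit big-endian identifier authority, little-endian 32-bit sub-authorities."""
    return (bytes([1, len(subauthorities)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))


def parse_sid(blob):
    """Convert a binary SID to its S-1-... string form, rejecting malformed input."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid):
    """Return (domain SID, RID) for a string SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_posix_id(sid):
    """Map a SID to a POSIX ID inside the range configured for its domain."""
    domain, rid = split_sid(sid)
    if domain not in ID_RANGES:
        raise LookupError("no ID range configured for domain %s" % domain)
    start, size = ID_RANGES[domain]
    if rid >= size:
        raise LookupError("RID %d does not fit in range of size %d" % (rid, size))
    return start + rid


def resolve_pac_groups(group_sid_blobs):
    """Resolve binary group SIDs (as assembled from a PAC's logon domain SID,
    GroupIds and ExtraSids) into (resolved entries, unresolved SID strings)."""
    resolved, unknown = [], []
    for blob in group_sid_blobs:
        sid = parse_sid(blob)
        entry = GC_SNAPSHOT.get(sid)
        if entry is None:
            unknown.append(sid)
            continue
        name, domain = entry
        resolved.append({"sid": sid, "name": name, "domain": domain,
                         "gid": sid_to_posix_id(sid)})
    return resolved, unknown


# Constructed input: three known groups (one from a trusted domain) and one
# SID the GC snapshot does not know about.
PAC_GROUP_SIDS = [
    make_sid(5, 21, 1111, 2222, 3333, 513),
    make_sid(5, 21, 1111, 2222, 3333, 1105),
    make_sid(5, 21, 4444, 5555, 6666, 1201),
    make_sid(5, 21, 4444, 5555, 6666, 9999),
]

if __name__ == "__main__":
    groups, missing = resolve_pac_groups(PAC_GROUP_SIDS)
    for g in groups:
        print("%-14s gid=%d (%s)" % (g["name"], g["gid"], g["domain"]))
    for sid in missing:
        print("unresolved:", sid)
```

Because the group list comes from the PAC rather than from a tokenGroups query against one domain controller, the trusted-domain group appears alongside the local ones; the only thing the resolver needs per domain is a GC answer and a configured ID range.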
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
priority: major => critical
summary: Use MS-PAC to retrieve user's group list => [RFE] Use MS-PAC to retrieve user's group list
type: defect => enhancement
design: =>
design_review: => 0
fedora_test_page: =>
selected: => Want
owner: somebody => sbose
review: => 0
patch: 0 => 1
status: new => assigned
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/GlobalCatalogLookups
changelog: => Not visible to end user. It is just more reliable to read the group memberships from the PAC, and for trusted users it is the only reliable way.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=969883 (Red Hat Enterprise Linux 7)
rhbz: 0 => [https://bugzilla.redhat.com/show_bug.cgi?id=969883 969883]
resolution: => fixed
status: assigned => closed
Metadata Update from @simo: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2600
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.