#2178 AD groups with domain-local scope should be filtered out for trusted domains
Closed: Fixed. Opened 6 years ago by sbose.

As the name 'domain-local' implies, groups with this scope are only valid in their local domain and should not be used outside it. When, e.g., looking at the PAC from a trusted domain, only groups with global and universal scope are listed there.

When resolving the group memberships of users from trusted domains, groups with a domain-local scope should be treated as non-POSIX groups. This has the advantage that nested-group memberships are still visible in the caches, compared to completely ignoring those groups.
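The following is an added example, not SSSD's own code, showing the classification the ticket describes: it decodes the scope bits of the AD `groupType` attribute (well-known values; the constant, helper and sample names are this example's own) and keeps domain-local groups from a trusted domain in the result as non-POSIX entries, so nesting stays visible while no GID is assigned. The rule that a domain-local group counts as POSIX only when it belongs to the domain this host is joined to is an assumption made for the example.

```python
"""Classify AD groups by scope and decide which of a trusted-domain user's
groups should be exposed as POSIX groups (added example, not SSSD code)."""

# Bits of the AD groupType attribute (well-known values).
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY_ENABLED = 0x80000000


def parse_group_type(raw: str) -> int:
    """LDAP returns groupType as a signed 32-bit decimal string such as
    "-2147483644"; convert it to the unsigned mask the flag constants use."""
    return int(raw) & 0xFFFFFFFF


def group_scope(group_type: int) -> str:
    """Map the scope bit of groupType to its name."""
    if group_type & GT_DOMAIN_LOCAL:
        return "domain-local"
    if group_type & GT_GLOBAL:
        return "global"
    if group_type & GT_UNIVERSAL:
        return "universal"
    raise ValueError(f"groupType {group_type:#x} has no scope bit set")


def is_posix_group(group_domain: str, joined_domain: str, group_type: int) -> bool:
    """Domain-local groups are valid only inside their own domain (assumption
    for this example: 'own domain' means the domain this host is joined to).
    Global and universal groups are always eligible for a POSIX mapping."""
    if group_scope(group_type) != "domain-local":
        return True
    return group_domain.lower() == joined_domain.lower()


def classify_memberships(joined_domain: str, groups: list) -> list:
    """Return one record per group; non-POSIX groups are kept, not dropped,
    so nested memberships remain visible to a cache consumer."""
    result = []
    for g in groups:
        gt = parse_group_type(g["groupType"])
        result.append({
            "name": g["name"],
            "domain": g["domain"],
            "scope": group_scope(gt),
            "security": bool(gt & GT_SECURITY_ENABLED),
            "posix": is_posix_group(g["domain"], joined_domain, gt),
        })
    return result


# Constructed sample: host joined to ad.example, user from trusted child.example.
SAMPLE_GROUPS = [
    {"name": "child-local-admins", "domain": "child.example", "groupType": "-2147483644"},
    {"name": "child-global", "domain": "child.example", "groupType": "-2147483646"},
    {"name": "forest-universal", "domain": "ad.example", "groupType": "-2147483640"},
    {"name": "ad-local-printers", "domain": "ad.example", "groupType": "-2147483644"},
]

if __name__ == "__main__":
    for entry in classify_memberships("ad.example", SAMPLE_GROUPS):
        print(entry)
```

Only `child-local-admins` ends up non-POSIX: it is domain-local and belongs to the trusted domain, exactly the case the PAC would not carry. The signed-to-unsigned conversion in `parse_group_type` matters in practice because security groups have the high bit set and LDAP presents the value as a negative number.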


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.3
rhbz: => 0

Fields changed

rhbz: 0 =>

resolution: => fixed
status: new => closed

Fields changed

changelog: => The AD provider is able to resolve group memberships for groups with Global and Universal scope.
The initgroups (get groups for user) operation for users from trusted AD domains was made reliable by reading the required tokenGroups attribute from LDAP instead of the Global Catalog.

Metadata Update from @sbose:
- Issue set to the milestone: SSSD 1.11.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3220

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
