#2178 AD groups with domain-local scope should be filtered out for trusted domains
Closed: Fixed None Opened 5 years ago by sbose.

As the name 'domain-local' implies, groups with this scope are only valid in their local domain and should not be used outside. When, e.g., looking at the PAC from a trusted domain, only groups with global and universal scope are listed there.

When resolving the group memberships of users from trusted domains, groups with a domain-local scope should be treated as non-POSIX groups. This has the advantage that nested-group memberships are still visible in the caches, compared to completely ignoring those groups.
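To make the rule concrete, here is an added illustration of how a resolver can decode the scope of an AD group and apply the "domain-local stays non-POSIX outside its own domain" policy. This is example code written for this page, not SSSD's implementation. It assumes the groupType bit layout documented in MS-ADTS (global 0x2, domain-local 0x4, universal 0x8, builtin-local 0x1, security-enabled 0x80000000), it assumes that the domain the SSSD client is joined to is the one in which domain-local groups remain valid, and the group records and domain names below are constructed sample data.

```python
"""Classify a user's AD groups as POSIX or non-POSIX by scope and origin domain.

Added example (not SSSD code). Assumes the MS-ADTS groupType bit layout and
treats the client's joined domain as the only domain where domain-local
groups are usable; all group records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# groupType flag bits as documented in MS-ADTS ("Group Type Flags").
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Scopes that are only meaningful inside the domain owning the group object.
# (Treating builtin-local like domain-local is an assumption of this example.)
LOCAL_ONLY_SCOPES = {"domain-local", "builtin-local"}


@dataclass
class AdGroup:
    """Minimal view of an AD group object (constructed for this example)."""
    name: str
    domain: str                 # DNS name of the domain the group object lives in
    group_type: int             # raw groupType as LDAP returns it (signed 32-bit)
    gid: Optional[int] = None   # POSIX gid if one is assigned or ID-mapped


def group_scope(group_type: int) -> str:
    """Decode the scope bits of a raw groupType value."""
    # LDAP hands back signed values such as -2147483644; normalise to unsigned.
    flags = group_type & 0xFFFFFFFF
    if flags & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if flags & GROUP_TYPE_GLOBAL:
        return "global"
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain-local"
    if flags & GROUP_TYPE_BUILTIN_LOCAL:
        return "builtin-local"
    return "unknown"


def is_posix_group(group: AdGroup, joined_domain: str) -> bool:
    """Return True if the group may carry a POSIX gid for this client.

    Global and universal groups are always usable. A local-scope group is
    usable only when it belongs to the domain this client is joined to;
    from any other (trusted) domain it is kept as a non-POSIX group.
    """
    scope = group_scope(group.group_type)
    if scope == "unknown":
        return False
    if scope in LOCAL_ONLY_SCOPES and group.domain.lower() != joined_domain.lower():
        return False
    return True


@dataclass
class Memberships:
    posix: List[str] = field(default_factory=list)      # groups that get a gid
    non_posix: List[str] = field(default_factory=list)  # cached for nesting, no gid


def classify_memberships(joined_domain: str, groups: List[AdGroup]) -> Memberships:
    """Split resolved groups into POSIX and non-POSIX instead of dropping any,
    so nested membership through a domain-local group stays visible."""
    result = Memberships()
    for g in groups:
        bucket = result.posix if is_posix_group(g, joined_domain) else result.non_posix
        bucket.append(g.name)
    return result


# Constructed sample: client joined to example.test, user from trusted child domain.
SAMPLE_JOINED_DOMAIN = "example.test"
SAMPLE_GROUPS = [
    AdGroup("Domain Users", "child.example.test", -2147483646, gid=10513),  # 0x80000002 global
    AdGroup("Child Printers", "child.example.test", -2147483644),           # 0x80000004 domain-local
    AdGroup("Forest Admins", "example.test", -2147483640, gid=20000),       # 0x80000008 universal
    AdGroup("Root Printers", "example.test", -2147483644),                  # 0x80000004 domain-local
]

if __name__ == "__main__":
    m = classify_memberships(SAMPLE_JOINED_DOMAIN, SAMPLE_GROUPS)
    print("POSIX groups:    ", m.posix)
    print("non-POSIX groups:", m.non_posix)
```

Running it with the sample data keeps "Child Printers" (domain-local, from the trusted domain) in the non-POSIX bucket while "Root Printers" (domain-local, but in the joined domain) remains POSIX; the global and universal groups are POSIX regardless of origin. The signed-to-unsigned normalisation in `group_scope` matters in practice, because LDAP clients typically surface groupType as a negative 32-bit integer when the security-enabled bit is set.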


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.3
rhbz: => 0

Fields changed

rhbz: 0 =>

resolution: => fixed
status: new => closed

Fields changed

changelog: => The AD provider is able to resolve group memberships for groups with Global and Universal scope.
The initgroups (get groups for user) operation for users from trusted AD domains was made more reliable by reading the required tokenGroups attribute from LDAP instead of the Global Catalog.

Metadata Update from @sbose:
- Issue set to the milestone: SSSD 1.11.3

2 years ago

