Learn more about these different git repos.
Other Git URLs
Handling group memberships of AD users from a trusted domain has a bit of a history. In the original design the group-memberships where taken from the PAC. This meant that group-membership information was only available after a user logged in to a specific host and only on this host. To allow AD users to be members of IPA groups the IPA KDC added SIDs of IPA groups where the AD user is a member of into the PAC for this user.
Over the time there were request to let the 'id' command line utility show the full list of groups even for AD users which are not logged in. Support for this was added recently in SSSD's IPA provider and on the FreeIPA server side.
If the SSSD cache entry of an IPA group with external member expires SSSD looks up the group members in the IPA LDAP server but since external memberships are not handled as local IPA members (RFC3207bis) the external members are not found and would be removed from the cache. #2492 mitigates this by making sure that members from different domains are not removed from the cache. Nevertheless it would be better to enhance the group lookup code for IPA groups in a way that it can resolve external members on its own.
Since this is IPA specific the changes should be made in the IPA provider to avoid regressions in the common LDAP group lookup code. On the other hand redundant LDAP requests should be avoided. A plugin scheme with a list of additional member attributes and a tevent request to resolve the additional member attributes might be a way to cover both requirements because the additional attributes can be requested in the same LDAP request as the plain RFC2307bis members and changes to the common group lookup code can be kept very localized and will only be executed if the plugin is available.
If this ticket is fixed the temporary solution from #2492 can be removed.
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
owner: somebody => preichl
For now, let's leave this in 1.13, but lower the priority.
priority: major => minor
We will only document that initgroups must be run in this scenario.
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
Mass-moving tickets not planned for the next two releases.
Please reply with a comment if you disagree about the move..
milestone: SSSD 1.13 backlog => SSSD 1.15 beta
rhbz: => todo
We need to fix this ticket sooner than we thought to enable slapi-nis to work properly. Taking ownership (and for now moving to NEEDS_TRIAGE..)
milestone: SSSD 1.15 beta => NEEDS_TRIAGE
priority: minor => critical
sensitive: => 0
cc: => abbra
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1300740
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1300740 1300740]
owner: preichl => jhrozek
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.13.4
cc: abbra => abbra, orion
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1310664 (Fedora)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1300740 1300740] => [https://bugzilla.redhat.com/show_bug.cgi?id=1300740 1300740], [https://bugzilla.redhat.com/show_bug.cgi?id=1310664 1310664]
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @sbose:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.4
to comment on this ticket.