Some Linux distributions recommend the use of the "User Private Group" (UPG) scheme, e.g. see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-private-groups.html
Under the UPG scheme, every user created gets their own UPG with a GID corresponding to the UID of the user. The user's primary group is set as the GID of the UPG.
From the above article: "Using user private groups makes it simpler and safer to manage file and directory permissions because umask defaults only have to restrict user access, not group access."
A generic instance of Microsoft Active Directory does not by default contain UPGs. Instead, on an SSS-enabled box, Active Directory users must have their primary group set to something else (typically "Domain Users"). This means that systems administrators must be more careful about the group ownership of files and folders. For instance home directories must be set with mode 0700 rather than mode 0770.
The feature request is for a new configuration option "enable_virtual_user_private_groups". By default this option should be set to "false" (disabled), but when enabled it will have the following effect:
When a program makes a user-related API call (getpwuid, getpwnam, etc.) and this is handled by SSS, if no real POSIX primary group is set for the user, the user's primary group GID will be returned as the same value as their UID.
When a program makes a group-related API call (getgrgid, getgrnam, etc.), if the group requested does not actually exist in AD, but has the same name or ID (depending on the call) as an existing AD user, SSS will return a "virtual" group entry which has:
With this feature added, sites which use an unextended Microsoft Active Directory as their authentication and directory source, can gain the benefit of the UPG scheme without making extensive changes to their Active Directory installation.
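The following is an added illustration of the lookup behaviour the request describes; it is not SSSD code and not part of the original ticket. It models the NSS answers for a constructed, unextended AD directory with the proposed option off (users fall back to "Domain Users") and on (GID mirrors UID, and a virtual group is synthesised for group lookups that match a user). The option name and the exact shape of the synthesised group (named after the user, GID equal to the UID, the user as sole member) are assumptions, since the ticket does not list the entry's fields. The final helper shows the practical consequence for a home directory created with group access bits.

```python
"""Model of the 'virtual user private group' lookups proposed in the ticket.

Added illustration only, not SSSD code. It simulates getpw*/getgr* results
with the proposed enable_virtual_user_private_groups option on and off, over a
constructed in-memory directory. The name, GID and membership of the virtual
group are assumptions.
"""
from collections import namedtuple

Passwd = namedtuple("Passwd", "pw_name pw_uid pw_gid pw_dir")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")

# Constructed sample directory: an unextended AD where users carry a uidNumber
# but (mostly) no gidNumber, plus the usual "Domain Users" (RID 513) fallback.
DOMAIN_USERS_GID = 513
USERS = {
    "alice": Passwd("alice", 10001, None, "/home/alice"),   # no POSIX primary group
    "bob":   Passwd("bob",   10002, 20000, "/home/bob"),    # explicit gidNumber set
}
GROUPS = {
    "domain users": Group("domain users", DOMAIN_USERS_GID, ["alice", "bob"]),
    "developers":   Group("developers",   20000, ["bob"]),
}


class Resolver:
    """Minimal stand-in for the NSS calls the ticket says SSS would answer."""

    def __init__(self, enable_virtual_upg=False):
        self.enable_virtual_upg = enable_virtual_upg

    def _fill_gid(self, pw):
        if pw.pw_gid is not None:
            return pw                                   # real primary group: untouched
        if self.enable_virtual_upg:
            return pw._replace(pw_gid=pw.pw_uid)        # proposed: GID == UID
        return pw._replace(pw_gid=DOMAIN_USERS_GID)     # today: shared fallback group

    def getpwnam(self, name):
        return self._fill_gid(USERS[name])

    def getpwuid(self, uid):
        for pw in USERS.values():
            if pw.pw_uid == uid:
                return self._fill_gid(pw)
        raise KeyError(uid)

    @staticmethod
    def _virtual_group(pw):
        # Assumed shape of the synthesised entry (not specified by the ticket).
        return Group(pw.pw_name, pw.pw_uid, [pw.pw_name])

    def getgrnam(self, name):
        if name in GROUPS:
            return GROUPS[name]                         # a real AD group always wins
        if self.enable_virtual_upg and name in USERS:
            return self._virtual_group(USERS[name])
        raise KeyError(name)

    def getgrgid(self, gid):
        for grp in GROUPS.values():
            if grp.gr_gid == gid:
                return grp
        if self.enable_virtual_upg:
            for pw in USERS.values():
                if pw.pw_uid == gid:
                    return self._virtual_group(pw)
        raise KeyError(gid)


def group_exposure(resolver, name):
    """Accounts, other than the owner, that group-access bits on a directory
    owned by `name` with its primary group would grant access to.

    Under the fallback this is every other member of "Domain Users"; under a
    UPG it is empty, which is why mode 0770 is safe only with UPGs.
    """
    pw = resolver.getpwnam(name)
    grp = resolver.getgrgid(pw.pw_gid)
    return sorted(m for m in grp.gr_mem if m != name)
```

With the option off, `group_exposure(Resolver(False), "alice")` reports `bob`, so alice's home must be 0700; with it on, the primary group resolves to the virtual group "alice" (GID 10001) and the list is empty. Real groups take precedence in both `getgrnam` and `getgrgid`, so a site whose real GIDs overlap its UID range will see the real group rather than a virtual one for that ID.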
This RFE sounds quite similar to #1872, can you check if this is the case and close the ticket as duplicate.
Yes, it is similar, although my request gives more detail and suggests how it could implemented.
Actually, you can close this. I'll leave the information on #1872.
This is a duplicate of #1872.
resolution: => duplicate status: new => closed
Metadata Update from @richardgrainger: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3739
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.