#3734 AD idmap does not display builtin groups
Opened 9 months ago by firstyear. Modified 8 months ago

When using ldap+ad schema, builtin groups are not displayed in the list of memberships.

Older versions of sssd will inconsistently display and remove these (FreeBSD for example).

This can be seen in logs:

(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-32-549]
(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-549] is a built-in one.
(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0400): Skipping built-in object.

Rather than blanket skipping builtins, it could be a configurable choice to allow builtins to be idmapped. This may make sense in single domain configurations, but may not be relevant in forest or trust topologies.

At the least, it could be good to advertise this elimination of builtins in the man page.
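As an added illustration (this is not code from the ticket or from SSSD), the following Python script does three things the report touches on: it pulls the SIDs that the backend logged as "Skipping built-in object" out of log lines like the ones above, it classifies a SID as BUILTIN (`S-1-5-32-*`), domain (`S-1-5-21-*`) or other well-known, and it shows how a hypothetical `map_builtin` option would change the outcome of the mapping. The slice arithmetic is a deliberately simplified stand-in for the real idmap algorithm (it uses CRC32 rather than SSSD's hash), and the range defaults are assumed to match the `ldap_idmap_range_*` values documented in sssd-ldap(5); treat both as assumptions, not as a description of SSSD internals.

```python
"""Added example: SID classification and a simplified built-in-aware idmap.

Not SSSD code. The slice hash and layout are illustrative only; the
range defaults are an assumption based on sssd-ldap(5).
"""
import re
import zlib

BUILTIN_PREFIX = "S-1-5-32"   # BUILTIN domain, e.g. S-1-5-32-549 (Server Operators)
DOMAIN_PREFIX = "S-1-5-21"    # AD domain SIDs: S-1-5-21-<sub>-<sub>-<sub>-<RID>

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a SID string into (domain part, RID); ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def classify_sid(sid):
    """'builtin', 'domain' or 'well-known' (e.g. S-1-1-0 Everyone)."""
    head, _ = parse_sid(sid)
    if head == BUILTIN_PREFIX:
        return "builtin"
    if head.startswith(DOMAIN_PREFIX + "-"):
        return "domain"
    return "well-known"


def sid_to_unix_id(sid, range_min=200000, range_max=2000200000,
                   range_size=200000, map_builtin=False):
    """Simplified slice-based mapping. Returns None when the SID is skipped,
    which is what the 'Skipping built-in object' log line corresponds to.

    With map_builtin=True the BUILTIN domain gets its own slice like any
    other domain (the configurable behaviour the ticket proposes).
    """
    kind = classify_sid(sid)
    head, rid = parse_sid(sid)
    if kind == "well-known":
        return None                      # never mapped
    if kind == "builtin" and not map_builtin:
        return None                      # current behaviour: skipped
    if rid >= range_size:
        return None                      # RID does not fit inside one slice
    n_slices = (range_max - range_min) // range_size
    slice_idx = zlib.crc32(head.encode()) % n_slices   # illustrative hash
    return range_min + slice_idx * range_size + rid


# Log parsing: pair each "Skipping built-in object" with the SID being processed.
LOG_RE = re.compile(r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
SID_IN_MSG = re.compile(r"SID \[(S-[\d-]+)\]")


def skipped_builtins(log_lines):
    """Return the SIDs the backend logged as skipped, in order."""
    skipped, current = [], None
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        s = SID_IN_MSG.search(m.group("msg"))
        if s:
            current = s.group(1)
        if m.group("msg").startswith("Skipping built-in object") and current:
            skipped.append(current)
    return skipped


# Constructed sample: a copy of the three log lines quoted in the ticket.
SAMPLE_LOG = [
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] "
    "[sdap_ad_tokengroups_initgr_mapping_done] (0x1000): "
    "Processing membership SID [S-1-5-32-549]",
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] "
    "[sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-549] is a built-in one.",
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] "
    "[sdap_ad_tokengroups_initgr_mapping_done] (0x0400): Skipping built-in object.",
]

if __name__ == "__main__":
    for sid in skipped_builtins(SAMPLE_LOG):
        print(sid, classify_sid(sid),
              "skipped" if sid_to_unix_id(sid) is None else "mapped",
              "-> with map_builtin:", sid_to_unix_id(sid, map_builtin=True))
```

Running the script on the quoted log lines reports `S-1-5-32-549` as a built-in SID that is skipped today and would receive a GID inside a dedicated slice if the proposed option were enabled. The same `skipped_builtins` scan over a real `sssd_<domain>.log` at debug level 0x0400 or higher is a quick way for an administrator to confirm that a missing group membership is due to this skip rather than to a lookup failure.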

Thank you for filing the bug.

I was wondering if you are interested in submitting a patch for this?

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome

8 months ago
