#3734 AD idmap does not display builtin groups

Created 16 days ago by firstyear
Modified 16 days ago

When using ldap+ad schema, builtin groups are not displayed in the list of memberships.

Older versions of sssd will inconsistently display and remove these (FreeBSD for example).

This can be seen in logs:

(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-32-549]
(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-549] is a built-in one.
(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0400): Skipping built-in object.

Rather than blanket skipping builtins, it could be a configurable choice to allow builtins to be idmapped. This may make sense in single domain configurations, but may not be relevant in forest or trust topologies.

At the least, it could be good to advertise this elimination of builtins in the man page.
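The following is an added illustration, not SSSD's own code: a small model of what the log lines above show (built-in SIDs being recognised and skipped during token-group mapping), with the configurable switch the ticket proposes. The range base, slice size, the sequential slice allocation, the option name `allow_builtins` and the third, constructed log line with domain `S-1-5-21-1-2-3` are assumptions for illustration; real sssd derives slices from a hash of the domain SID and is configured through its `ldap_idmap_*` options.

```python
"""Added example (not SSSD's code): classify membership SIDs as built-in or
domain SIDs and map the accepted ones to UNIX IDs with a simplified
algorithmic idmap. All numbers and the allow_builtins option are assumptions."""
import re

# The BUILTIN domain (S-1-5-32): Administrators = 544, Users = 545,
# Account Operators = 549 (the RID seen in the ticket's log), ...
BUILTIN_DOMAIN_SID = "S-1-5-32"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
LOG_SID_RE = re.compile(r"Processing membership SID \[(S-[0-9-]+)\]")


def split_sid(sid):
    """Split an SID string into (domain_sid, rid); raises ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def is_builtin_sid(sid):
    """True for S-1-5-32-<rid>, i.e. a group from the BUILTIN domain."""
    domain, _rid = split_sid(sid)
    return domain == BUILTIN_DOMAIN_SID


class IdMapper:
    """Algorithmic SID -> UNIX ID mapping: each domain SID gets a slice of
    range_size ids starting at range_min; the RID is the offset into the slice."""

    def __init__(self, range_min=200000, range_size=200000, allow_builtins=False):
        self.range_min = range_min
        self.range_size = range_size
        self.allow_builtins = allow_builtins  # assumed option; sssd has no such switch today
        self.slices = {}                      # domain_sid -> slice index (sequential, simplified)

    def sid_to_unix(self, sid):
        """Return the UNIX id for sid, or None when the SID is skipped."""
        if is_builtin_sid(sid) and not self.allow_builtins:
            return None                       # mirrors "Skipping built-in object."
        domain, rid = split_sid(sid)
        if rid >= self.range_size:
            raise ValueError(f"RID {rid} does not fit in a slice of {self.range_size}")
        slice_idx = self.slices.setdefault(domain, len(self.slices))
        return self.range_min + slice_idx * self.range_size + rid


def sids_from_log(lines):
    """Pull the membership SIDs out of sssd debug lines like those in the ticket."""
    found = []
    for line in lines:
        m = LOG_SID_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def resolve_memberships(mapper, sids):
    """Map every membership SID; skipped built-ins appear as None so the caller
    can see exactly which groups vanished from the membership list."""
    return {sid: mapper.sid_to_unix(sid) for sid in sids}


# Constructed sample: the two relevant lines from the ticket plus an invented
# domain-group line (domain SID S-1-5-21-1-2-3 is made up for the example).
SAMPLE_LOG = [
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-32-549]",
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-549] is a built-in one.",
    "(Wed May  9 14:10:59 2018) [sssd[be[blackhats.net.au]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-21-1-2-3-1105]",
]

if __name__ == "__main__":
    sids = sids_from_log(SAMPLE_LOG)
    print("default (built-ins skipped):", resolve_memberships(IdMapper(), sids))
    print("allow_builtins=True:        ", resolve_memberships(IdMapper(allow_builtins=True), sids))
```

With the default mapper the BUILTIN group comes back as None, which is the silent disappearance the ticket describes; with `allow_builtins=True` it is mapped like any other domain. The trade-off the ticket points at is visible here too: the BUILTIN domain SID is the same in every AD domain, so in a forest or trust setup one slice would be shared by groups that are really distinct per domain controller, which is why a single-domain deployment is the only place such a switch is clearly safe.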
