Learn more about these different git repos.
Other Git URLs
We've seen some cases where, due to Active Directory hardening, the tokenGroups attribute is not readable.
This results in no supplementary groups being fetched for a user. At the moment, it is quite hard for an admin to debug this issue unless they know what tokenGroups is and what purpose it servers.
We should either: - warn loudly (SSSDBG_IMPORTANT_INFO) that tokenGroups came back empty - perhaps even warn to syslog? But probably only once to avoid flooding syslog on each initgroups request - we could even fall back to non-tokenGroups LDAP crawling. I don't know myself if this is preferable or not, on one hand this would make SSSD work, on the other hand, failing hard and telling the admin which knob to switch might actually enable them better to fix the issue.
Metadata Update from @jhrozek: - Issue tagged with: easyfix
We should IMO fail and give hint in error message what needs to be done for SSSD to work in both debug logs and syslog. I do not like falling back to non-tokengroups mode automatically.
I am actually working on something similar right now for a GPO server side configuration issue. I can fix these two things together.
Metadata Update from @mzidek: - Issue assigned to mzidek
Metadata Update from @pbrezina: - Issue tagged with: Future milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4838
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.