#4061 override_gid not working for subdomains
Opened 6 months ago by paziulek. Modified 6 months ago

Hello,

I have noticed that when a user belongs to 123.example.com, and the system is joined to 123.example.com, the override_gid works as it should.
When a user connects from 456.example.com, override_gid is not being honoured.

I have found several posts on the net of people trying to make sssd enforce the specified gid for (sub)domains, but most of the topics simply die without much explanation of whether it's even possible without using sss_override, and the last one is only a workaround, rather than anything that can be called a solution.

The response we have received from Red Hat support is:
"According to our KCS articles, it is not possible to override gidNumber for AD user belonging to subdomain using override_gid option in sssd.conf. As a workaround, use sss_override tool and assign a different gidNumber."

For me it is an artificial limitation or bug, rather than something that belongs to the "feature request list"...

Thank you,

Mike


From the user's point of view, I understand it is annoying that the option inheritance is so inconsistent.

From the internal point of view, it is not so easy to be consistent without some refactoring. It would be nice if we used some options structure instead of hardcoding reading of the configuration attributes when a domain is instantiated and then flagged options that can be overridden by the subdomain. So to achieve the nice inheritance in some systematic way, refactoring is needed.

I understand. The organization (close to 1000 RHEL systems) I work for is moving from Linux-hosted LDAP to AD. It is becoming an issue when users connect to a proprietary database that we run. So right now we are looking into workarounds to handle this issue, but all of them so far are just nasty ones...
Thank you for your response. I hope to see this feature added at some point; it would get rid of one of the few roadblocks that we have hit during this project.
Mike
