[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?

2019-10-04 Thread Alex Perl
Hi James, 

Thanks for the update. 
Not sure how auto_private_groups can resolve the GID if, for RH6/SSSD 1.13, this 
attribute has no impact. It does the work quite well for RH7.3 and up, without 
any additional settings. 

Can you please elaborate more: "In my example, we assigned uid=gid attributes 
unique to each user."



___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?

2019-10-03 Thread Alex Perl
Implemented AD/KRB/SSSD with both RH6 and RH7. 

RH7 no issues, as we are using auto_private_groups that was added to 1.16.1. 

In RH6 (sssd 1.13) the issue is that all users are getting the same groups, and 
it is a clear security gap. 

The only way to avoid this, based on the KB articles, is to use AD posix 
attributes. If we don't want to use this setup, is there any other recommended 
way?

An example of the user/group representation, where all users are getting the same 
gid=273200513(domain users):

id username uid=2755191114(ncircle) gid=273200513(domain users) 
groups=273200513(domain users)
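
A check for the condition described in the message above (several AD users resolving to one primary GID), as an added example that is not part of the original thread. The function name, the UID cutoff and every sample line except the ncircle uid/gid pair are constructed assumptions.

```shell
#!/bin/sh
# Added example: report primary GIDs that more than one account shares.
# Input: passwd-format lines (name:pw:uid:gid:gecos:home:shell) on stdin,
# for instance from `getent passwd user1 user2 ...`. SSSD does not
# enumerate domain users by default, so name the accounts explicitly.
# $1 = lowest UID to consider (assumed default 1000000, skips local users).
shared_primary_gids() {
    min_uid="${1:-1000000}"
    awk -F: -v min="$min_uid" '
        $3 + 0 >= min {
            count[$4]++
            users[$4] = (users[$4] == "" ? $1 : users[$4] "," $1)
        }
        END {
            # One line per shared GID: gid, number of users, user list
            for (gid in count)
                if (count[gid] > 1)
                    printf "%s %d %s\n", gid, count[gid], users[gid]
        }' | sort -n
}

# Constructed sample. Only the ncircle uid/gid values come from the thread;
# jdoe, asmith and their IDs are made up for illustration. asmith shows the
# uid=gid private-group layout and must not be reported.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
ncircle:*:2755191114:273200513:ncircle:/home/ncircle:/bin/bash
jdoe:*:273201105:273200513:jdoe:/home/jdoe:/bin/bash
asmith:*:273201106:273201106:asmith:/home/asmith:/bin/bash
EOF
}

sample_passwd | shared_primary_gids
```

An empty result means no two accounts at or above the cutoff share a primary GID.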