Ok, I just hit a snag and I'm not sure how best to proceed. All users on a POSIX system need to have a default GID value, which in most cases is mapped to a user-private group to help avoid accidental permission-leaks when that user creates files.
However, when mapping a user from Active Directory's objectSID, we don't have an obvious group to which we can map the primaryGID. I'm not sure how best to proceed here. One option is to map users' primaryGID to the special group "Domain Users" to which all AD users belong, but that runs the risk of reintroducing the above-mentioned permission leaks. I don't really have any other ideas here, though. Recommendations welcome.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel