On Sun, 2012-04-22 at 17:27 -0400, Simo Sorce wrote:
> On Sun, 2012-04-22 at 15:10 -0400, Stephen Gallagher wrote:
> > Ok, I just hit a snag and I'm not sure how best to proceed. All users on
> > a POSIX system need to have a default GID value, which in most cases is
> > mapped to a user-private group to help avoid accidental permission-leaks
> > when that user creates files.
> >
> > However, when mapping a user from Active Directory's objectSID, we don't
> > have an obvious group to which we can map the primaryGID. I'm not sure
> > how best to proceed here.
>
> Why can't you use the Primary-Group-ID attribute ?
>
I was confused about that. It looked like it was a POSIX attribute that I
couldn't rely on. It appears I was mistaken. It's a bit annoying, though. As
near as I can tell, it's just the RID portion of the objectSID of the group.
So I should be able to just take the minimum value of the domain and add this
value to it to generate the mapped ID.

> > One option is to map users' primaryGID to the special group "Domain
> > Users" to which all AD users belong, but that runs the risk of
> > reintroducing the above-mentioned permission leaks. I don't really have
> > any other ideas here, though. Recommendations welcome.
>
> I think a good idea would also be to fake up a primary group that has
> the same name as the user and same numerical id. This would be the best
> mapping, I wish we had done that in samba many years ago.
>
> However you may need to make that conditional and go back to use the
> Primary-Group-ID if you want to interoperate with samba as samba will
> take the primary group SID and reverse map that to a gid for the user.

This would be a nice thing to have, but it's out of scope for my current
efforts. Please file an RFE and we'll look into it for a future release.
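The mapping discussed in the message above (RID of the user's objectSID, and the primaryGroupID RID, each added to the domain's ID range base), as an added illustration that is not SSSD's or Samba's code. The binary SID bytes, the domain SID and the 200000-wide range are constructed values; the RID 513 is the well-known RID of "Domain Users".

```python
import struct

# Constructed sample: objectSID as LDAP returns it (binary), which decodes
# to S-1-5-21-1111-2222-3333-1105. Layout: revision, sub-authority count,
# 6-byte identifier authority (big-endian), then little-endian uint32 RIDs.
SAMPLE_OBJECT_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                     + struct.pack("<5I", 21, 1111, 2222, 3333, 1105))
SAMPLE_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed
DOMAIN_USERS_RID = 513                          # well-known RID


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID into its S-R-A-... string form, checking length."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subauths = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority,
                           "-".join(str(s) for s in subauths))


def split_sid(sid_str: str):
    """Return (domain SID, RID); the RID is the last sub-authority."""
    parts = sid_str.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("malformed SID string")
    return "-".join(parts[:-1]), int(parts[-1])


def map_rid(rid: int, range_base: int, range_size: int) -> int:
    """base + RID, refusing RIDs that would fall outside the domain's range."""
    if rid < 0 or rid >= range_size:
        raise ValueError("RID %d outside the configured range" % rid)
    return range_base + rid


def map_user(object_sid: bytes, primary_group_id: int, domain_sid: str,
             range_base: int, range_size: int):
    """Derive (uid, gid): uid from the objectSID RID, gid from primaryGroupID.

    The gid uses the same domain range because primaryGroupID is itself a RID
    in the user's own domain; SIDs from another domain are rejected."""
    domain, rid = split_sid(sid_to_string(object_sid))
    if domain != domain_sid:
        raise ValueError("objectSID belongs to a different domain")
    return (map_rid(rid, range_base, range_size),
            map_rid(primary_group_id, range_base, range_size))
```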
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel