What do you mean when you say "POSIX group" and "non-POSIX group"?
Do you mean that you're using AD (or an LDAP server) with the RFC2307bis schema extension that adds the extra UNIX-y attributes for users and groups (home dir, uid, gid, gecos, login shell)? And that your POSIX groups have these fields populated, while your non-POSIX groups don't have these fields populated? Is that what's meant by POSIX and non-POSIX groups?

Spike

On Thu, Nov 20, 2025 at 8:57 AM dave via sssd-users <[email protected]> wrote:

> Hello,
>
> We are trying to test sssd for our Linux environment.
> We are able to join the AD domain using `realm` and, with a few tweaks,
> can authenticate users and find groups (when both users/groups are
> POSIX-compliant).
>
> I was able to do group-based access with
>
> access_provider = simple
> simple_allow_groups = some_posix_ad_group_name
>
> Not all of our AD groups are POSIX-compliant; most are regular AD groups.
>
> I want to try to mimic the same group access behavior, but for non-POSIX
> groups. Meaning if a user is a member of a non-POSIX group, then allow
> access.
> Is this possible?
>
> This is how far I've gotten on my sssd.conf:
>
> [sssd]
> domains = mydomain.com, my_app_domain
> config_file_version = 2
> services = nss, pam, ssh
>
> [domain/mydomain.com]
> ad_site = my-site-name
> default_shell = /bin/bash
> krb5_store_password_if_offline = True
> cache_credentials = True
> krb5_realm = MYDOMAIN.COM
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> fallback_homedir = /home/%u
> ad_domain = mydomain.com
> use_fully_qualified_names = False
> ldap_id_mapping = False
> access_provider = ad
> shell_fallback = /bin/bash
> ldap_schema = ad
> ldap_search_base = OU=People,DC=mydomain,DC=com
> ldap_user_object_class = person
> ldap_user_name = SamAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_user_gecos = displayName
> ad_gpo_access_control = enforcing
>
> [application/my_app_domain]
> domain_type = application
> inherit_from = mydomain.com
>
> [pam]
> pam_app_services = non_posix_ad_group_name
>
> Any input is much appreciated!
>
> Best,
> Dave
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
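To make the POSIX / non-POSIX distinction Spike asks about concrete, here is an added Python example (not from the thread, and not sssd code) that models how sssd with Dave's settings (ldap_id_mapping = False, access_provider = simple) treats the two kinds of group. The LDIF entries, DNs and GID values are constructed; the reading that a "POSIX group" is one carrying gidNumber (the attribute mapped by ldap_group_gid_number) follows Spike's interpretation and is an assumption.

```python
# Constructed sample directory: one user and two groups, mirroring the names in Dave's thread.
SAMPLE_LDIF = """\
dn: CN=dave,OU=People,DC=mydomain,DC=com
objectClass: person
sAMAccountName: dave
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/dave
memberOf: CN=some_posix_ad_group_name,OU=People,DC=mydomain,DC=com
memberOf: CN=non_posix_ad_group_name,OU=People,DC=mydomain,DC=com

dn: CN=some_posix_ad_group_name,OU=People,DC=mydomain,DC=com
objectClass: group
sAMAccountName: some_posix_ad_group_name
gidNumber: 20001

dn: CN=non_posix_ad_group_name,OU=People,DC=mydomain,DC=com
objectClass: group
sAMAccountName: non_posix_ad_group_name
"""

def parse_ldif(text):
    """Minimal LDIF reader: per DN, a dict of lower-cased attribute -> list of values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def is_posix_group(entry):
    """Assumed definition: an RFC2307bis-style group carries gidNumber (ldap_group_gid_number)."""
    return "gidnumber" in entry

def classify_groups(entries):
    """sAMAccountName -> 'POSIX' / 'non-POSIX' for every group object in the directory."""
    return {e["samaccountname"][0]: ("POSIX" if is_posix_group(e) else "non-POSIX")
            for e in entries.values() if "group" in e["objectclass"]}

def simple_allow(entries, user_dn, allow_groups):
    """access_provider = simple with id mapping off: only groups sssd can resolve to a GID
    (those with gidNumber) show up in the user's group list, so only they can grant access."""
    for group_dn in entries[user_dn].get("memberof", []):
        group = entries.get(group_dn)
        if group and is_posix_group(group) and group["samaccountname"][0] in allow_groups:
            return True
    return False  # membership in a non-POSIX group alone never satisfies simple_allow_groups
```

Running `simple_allow` with `{"non_posix_ad_group_name"}` returns False even though the user is a member, which is the behaviour Dave is running into; only the gidNumber-bearing group grants access under this model.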
