[Freeipa-users] domain trust linux to AD server not finding user profiles

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 8 13:36:55 UTC 2014

On Wed, 08 Oct 2014, Loris Santamaria wrote:
>On Tue, 07-10-2014 at 20:01 -0400, Dmitri Pal wrote:
>> The users and related information are not fetched until you
>> authenticate as this user.
>> The ability to fetch users and groups that are not yet authenticated
>> is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and
>> will be addressed in the next version of SSSD.
>> How frequently do you really need to lookup unauthenticated AD users
>> and AD groups on linux systems? What is the use case?
>> The ticket above is for the cases when there is an application that
>> needs to fetch the user so that admin of the application can assign
>> privileges to this user. But this is a pretty corner case.
>It is a pretty common request when you configure a proxy server with
>authentication. You get the user's ticket but the user is not logged in
>on the system, so normal group membership via sssd won't work.
If you get a user's ticket, you'd get an MS-PAC in it, at least for AD
and FreeIPA users when ipa-adtrust-install was run. That gives you the full
list of groups the user is a member of at the moment the TGT was issued.
SSSD supports it already.

What was poorly supported is the case of looking up groups of an AD user
who never logged in. In that case SSSD did miss some of the groups, obtaining
which required an expensive traversal over AD DCs beyond the Global Catalog.

This should now be better supported with 1.12.2.

/ Alexander Bokovoy
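As an added illustration (not code from this thread, from SSSD or from FreeIPA), here is a simplified model of the group fields in the MS-PAC KERB_VALIDATION_INFO structure and of how a consumer turns domain-relative RIDs and extra SIDs into the full group list that exists at TGT issue time; the domain SIDs, RIDs and attribute values are constructed sample data.

```python
# Added example: simplified model of the group information an MS-PAC
# KERB_VALIDATION_INFO carries (field names after MS-PAC 2.5) and how a
# consumer such as SSSD can derive the full group SID list from it.
# All SIDs, RIDs and attribute values below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Tuple

SE_GROUP_ENABLED = 0x00000004  # attribute flag in KERB_SID_AND_ATTRIBUTES


@dataclass
class ValidationInfo:
    logon_domain_id: str                      # SID of the user's own domain
    group_ids: List[Tuple[int, int]]          # (RID, attributes), relative to LogonDomainId
    extra_sids: List[Tuple[str, int]]         # (full SID, attributes), e.g. groups from other domains
    resource_group_domain_sid: str = ""       # domain of the domain-local groups, may be empty
    resource_group_ids: List[Tuple[int, int]] = field(default_factory=list)


def pac_group_sids(info: ValidationInfo, enabled_only: bool = True) -> List[str]:
    """Return every group SID the PAC asserts for the user.

    GroupIds and ResourceGroupIds are RIDs that must be joined to their
    domain SID; ExtraSids are already complete. Entries lacking the
    SE_GROUP_ENABLED attribute are skipped unless enabled_only is False.
    """
    def keep(attrs: int) -> bool:
        return not enabled_only or bool(attrs & SE_GROUP_ENABLED)

    sids = [f"{info.logon_domain_id}-{rid}" for rid, a in info.group_ids if keep(a)]
    sids += [sid for sid, a in info.extra_sids if keep(a)]
    if info.resource_group_domain_sid:
        sids += [f"{info.resource_group_domain_sid}-{rid}"
                 for rid, a in info.resource_group_ids if keep(a)]
    return sids


# Constructed sample: a user in domain S-1-5-21-1-2-3 with Domain Users (513),
# one global group (1105), one disabled entry (1106), one universal group from a
# trusted domain carried in ExtraSids, and one domain-local resource group (1201).
SAMPLE = ValidationInfo(
    logon_domain_id="S-1-5-21-1-2-3",
    group_ids=[(513, 0x7), (1105, 0x7), (1106, 0x0)],
    extra_sids=[("S-1-5-21-9-9-9-2001", 0x7)],
    resource_group_domain_sid="S-1-5-21-1-2-3",
    resource_group_ids=[(1201, 0x20000007)],  # SE_GROUP_RESOURCE | mandatory | enabled
)

if __name__ == "__main__":
    for sid in pac_group_sids(SAMPLE):
        print(sid)
```

The list is a snapshot taken when the ticket was issued, so membership changes made afterwards are not visible until a new ticket is obtained.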
