[Freeipa-users] Active Directory Trust = filter users
wdh at dds.nl
Fri Feb 12 11:15:25 UTC 2016
Hi all,
"Yes, you can filter out certain SIDs" --> I tried, but cannot get it to
work. For example, I don't need "Domain Users":
Found out the SID by:
[root at suacri10103 ~]# getent group domain\ users at ad.example.org
domain users at example.org:*:1012600513:someuser at ad.example.org
[root at suacri10103 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa.ad%s/example.org.ldb \
    gidNumber=1012600513 | grep objectSIDString
asq: Unable to register control with rootdse!
objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513
and put the SID in the blacklist; yes it is blacklisted:
[admin01 at ipa ~]$ ipa trust-show ad.example.com --all | grep "SID blacklist incoming"
SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
However, the group is still there if I do an "id
someuser at ad.example.com" (yep, wiped cache, restarted ipa etc.).
Shouldn't the group have disappeared since the SID is blacklisted...?
Winny
Alexander Bokovoy wrote on 10-02-2016 13:46:
> On Wed, 10 Feb 2016, Winfried de Heiden wrote:
>> Hi all,
>>
>> "Why are you concerned about this in the first place?"
>>
>> It started from a practical point of view: if one is using the DC of
>> the Office Automation, AD users will get all sorts of AD groups I am
>> never going to use. So why do I want to see them anyway? My screen gets
>> a bit messy for "user at ad.example.com" when this user belongs to 25 or
>> so groups... It would be nice to hide these...
>>
>> Can I blacklist some of the groups? (Trusts --> ad.example.com -->
>> Settings)
>> by using the SID?
> Yes, you can filter out certain SIDs at the KDC side by using settings
> of the trust. Theoretically, SSSD would need to remove the group
> membership for groups not existing in the MS-PAC.
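Added example, not code from this thread or from FreeIPA: a small POSIX shell helper for the check Winny does by hand above. It reads `ipa trust-show <domain> --all` output, re-joins the "SID blacklist incoming" value when the CLI wraps it across indented continuation lines (a plain `grep "SID blacklist incoming"` only matches the first line in that case, while a single unwrapped line is handled the same way), and tests whether a group SID such as the Domain Users SID above is actually listed and belongs to the trusted domain. The `ipa` output embedded below is a constructed sample modelled on the post, not a real capture; the "Domain Security Identifier" field name is assumed from the CLI's usual layout and is not shown in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `ipa trust-show <domain> --all`
# output and checks whether a group SID is on the incoming SID blacklist.
#
# Constructed sample of the CLI output (modelled on the post, not a real capture).
# Long values wrap onto indented continuation lines, which is why
# `grep "SID blacklist incoming"` alone can miss entries after the first line.
TRUST_SHOW='  Realm name: ad.example.org
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1447349426-2906170142-3196411423
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  SID blacklist incoming: S-1-5-20,
                          S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
                          S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
                          S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
                          S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2'

# trust_field NAME TEXT: print the value of field NAME from trust-show
# output, re-joining any wrapped continuation lines into one value.
trust_field() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^ *[A-Za-z][A-Za-z ]*: / {
            key = substr($0, 1, index($0, ": ") - 1)
            sub(/^ +/, "", key)
            inside = (key == name)
            if (inside) val = substr($0, index($0, ": ") + 2)
            next
        }
        inside { sub(/^ +/, ""); val = val " " $0 }
        END { if (val != "") print val }'
}

# sid_list TEXT: one SID per line from "SID blacklist incoming".
sid_list() {
    trust_field "SID blacklist incoming" "$1" | tr ',' '\n' | tr -d ' ' | grep -v '^$'
}

# sid_blacklisted SID TEXT: exit 0 if SID is on the incoming blacklist
# (exact match, so S-1-5-21 does not match a domain SID that starts with it).
sid_blacklisted() {
    sid_list "$2" | grep -qxF -- "$1"
}

# sid_domain SID / sid_rid SID: split a full SID into its domain part and RID.
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# in_trusted_domain SID TEXT: exit 0 if SID belongs to the trusted domain,
# i.e. its domain part equals the trust's "Domain Security Identifier"
# (field name assumed from the CLI layout, not shown in the post).
in_trusted_domain() {
    [ "$(sid_domain "$1")" = "$(trust_field "Domain Security Identifier" "$2")" ]
}

# Usage: check the Domain Users SID from the post. RID 513 is the well-known
# RID of "Domain Users" in every AD domain.
GROUP_SID='S-1-5-21-1447349426-2906170142-3196411423-513'
if sid_blacklisted "$GROUP_SID" "$TRUST_SHOW"; then
    printf '%s (RID %s of %s) is on the incoming blacklist\n' \
        "$GROUP_SID" "$(sid_rid "$GROUP_SID")" "$(sid_domain "$GROUP_SID")"
fi
in_trusted_domain "$GROUP_SID" "$TRUST_SHOW" && echo "SID belongs to the trusted domain"
```

To run it against a live server, replace the `TRUST_SHOW` literal with `TRUST_SHOW=$(ipa trust-show ad.example.org --all)` after `kinit admin`; the parsing is unchanged.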