[Freeipa-users] Active Directory Trust = filter users

Alexander Bokovoy abokovoy@redhat.com
Fri Feb 12 11:29:47 UTC 2016


On Fri, 12 Feb 2016, wdh@dds.nl wrote:
>Hi all,
>
>Yes, you can filter out certain SIDs--> I tried, but cannot get it to 
>work. For example, I don't need "Domain Users":
>
>Found out the SID by:
>
>[root@suacri10103 ~]# getent group domain\ users@ad.example.org
>domain users@example.org:*:1012600513:someuser@ad.example.org
>[root@suacri10103 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa.ad%s/example.org.ldb gidNumber=1012600513 | grep objectSIDString
>asq: Unable to register control with rootdse!
>objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513
>
>and put the SID in the blacklist; yes it is blacklisted:
>
>[admin01@ipa ~]$ ipa trust-show ad.example.com --all | grep "SID blacklist incoming"
>  SID blacklist incoming: S-1-5-20, 
>S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2, 
>S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, 
>S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, 
>S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>
>However, the group is still there if I do an "id someuser@ad.example.com" (yep, wiped cache, restarted ipa etc.)
>
>Shouldn't the group have disappeared, since the SID is blacklisted...?
Only from Kerberos tickets. I don't think SSSD in ipa_server_mode
consults this list. Instead, when an AD user logs in with a Kerberos ticket,
the resulting ticket already has the blacklisted SIDs filtered out by the IPA
KDC, and SSSD will see that the ticket's MS-PAC doesn't have the additional
groups in it.


-- 
/ Alexander Bokovoy
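As an added illustration of the distinction drawn in the reply (this is not code from the thread, FreeIPA or SSSD): it parses the incoming SID blacklist out of the wrapped `ipa trust-show --all` output quoted above and applies it to a constructed MS-PAC group list the way the IPA KDC does, while an `id`-style lookup served from the SSSD cache still returns the unfiltered groups. The trust-show text and the PAC SIDs are constructed from the values in the thread.

```python
import re
from typing import Iterable, List, Set

# Constructed sample: the trust-show attributes as they appear in the thread,
# with the long blacklist value wrapped onto continuation lines by the mailer.
TRUST_SHOW_OUTPUT = """\
  Realm name: ad.example.com
  SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11,
S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


def parse_blacklist(text: str, direction: str = "incoming") -> Set[str]:
    """Collect every SID after 'SID blacklist <direction>:', including wrapped
    continuation lines, stopping at the next 'Attribute: value' line."""
    key = "SID blacklist %s:" % direction
    sids: Set[str] = set()
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(key):
            collecting, stripped = True, stripped[len(key):]
        elif collecting and ":" in stripped:  # next attribute, list is over
            break
        if collecting:
            sids.update(t.strip() for t in stripped.split(",")
                        if SID_RE.match(t.strip()))
    return sids


def filter_pac_groups(pac_sids: Iterable[str], blacklist: Set[str]) -> List[str]:
    """Model of what the IPA KDC does to a cross-realm ticket's MS-PAC group
    list: drop every SID on the incoming blacklist. Lookups answered from the
    SSSD cache (id/getent) never pass through this step."""
    return [sid for sid in pac_sids if sid not in blacklist]


if __name__ == "__main__":
    # Constructed PAC: Domain Users (RID 513), a custom group, Authenticated Users.
    pac = ["S-1-5-21-1447349426-2906170142-3196411423-513",
           "S-1-5-21-1447349426-2906170142-3196411423-1105", "S-1-5-11"]
    print("groups from SSSD cache:", pac)
    print("groups left in ticket  :", filter_pac_groups(pac, parse_blacklist(TRUST_SHOW_OUTPUT)))
```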
