[Freeipa-users] Active Directory Trust = filter users

Jakub Hrozek jhrozek at redhat.com
Fri Feb 12 18:12:21 UTC 2016


On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote:
> On Fri, 12 Feb 2016, wdh at dds.nl wrote:
> >Hi all,
> >
> >Yes, you can filter out certain SIDs--> I tried, but cannot get it to
> >work. For example, I don't need "Domain Users":
> >
> >Found out the SID by:
> >
> >[root at suacri10103 ~]# getent group domain\ users at ad.example.org
> >domain users at example.org:*:1012600513:someuser at ad.example.org
> >[root at suacri10103 ~]# ldbsearch -H
> >/var/lib/sss/db/cache_ipa.ad%s/example.org.ldb  gidNumber=1012600513 |
> >grep objectSIDString
> >asq: Unable to register control with rootdse!
> >objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513
> >
> >and put the SID in the blacklist; yes it is blacklisted:
> >
> >admin01 at ipa ~]$ ipa trust-show ad.example.com --all | grep "SID blacklist
> >incoming"
> > SID blacklist incoming: S-1-5-20,
> >S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2, S-1-5-1,
> >S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16,
> >S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
> >S-1-1, S-1-0, S-1-5-19, S-1-5-18
> >
> >However, the group is still there if I do an "id someuser at ad.example.com"
> >(yep, wiped cache, restarted ipa etc.)
> >
> >Shouldn't the group have disappeared since the SID is blacklisted...?
> Only from Kerberos tickets. I don't think SSSD in ipa_server_mode
> consults this list. Instead, when an AD user logs in with a Kerberos
> ticket, the resulting ticket already has the blacklisted SIDs filtered
> out by the IPA KDC, and SSSD will see that the ticket's MS-PAC doesn't
> have the additional groups in it.

Alexander, do you think this would make a reasonable RFE?
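The distinction Alexander draws above (the blacklist is applied by the IPA KDC to the MS-PAC of issued tickets, not by SSSD's own `id`/`getent` lookups) can be checked from the command output the thread already shows. The script below is an added example written for this post, not code from FreeIPA or from anyone in the thread: it parses the multi-line `SID blacklist incoming` value as printed by `ipa trust-show <domain> --all`, takes the `objectSIDString` values of a user's groups (as one would read them from `ldbsearch` on the SSSD cache), and reports which groups the KDC will strip from the PAC versus which it passes through. The sample text is constructed inline from the SIDs quoted in the thread; the group names other than "domain users" and their RIDs 1105/1106 are made up for illustration.

```python
"""Which of a trusted AD user's groups are on an IPA trust's incoming SID
blacklist?  Added example, not part of the mailing-list thread or FreeIPA.

Input is text captured from `ipa trust-show <domain> --all` and the
objectSIDString values from `ldbsearch` on the SSSD cache; both are
constructed inline here so the script runs offline.
"""
import re

# Constructed: the blacklist as `ipa trust-show ... --all` prints it, with the
# value wrapped over continuation lines exactly as in the thread.
TRUST_SHOW_OUTPUT = """\
  Realm name: ad.example.com
  SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2, S-1-5-1,
S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16,
S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3
"""

# Constructed: objectSIDString per group the user belongs to.  The -513 SID is
# the thread's "Domain Users" (513 is the well-known Domain Users RID); the
# other two group names and RIDs are hypothetical.
GROUP_SIDS = {
    "domain users": "S-1-5-21-1447349426-2906170142-3196411423-513",
    "linux-admins": "S-1-5-21-1447349426-2906170142-3196411423-1105",
    "developers": "S-1-5-21-1447349426-2906170142-3196411423-1106",
}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)*")
# A "Key: value" attribute line of ipa's output; wrapped SID continuation
# lines start with "S-1-" and therefore never match this.
KEY_LINE_RE = re.compile(r"\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_blacklist(text, direction="incoming"):
    """Return the set of SIDs under 'SID blacklist <direction>', collecting
    continuation lines until the next 'Key: value' attribute starts."""
    wanted = "SID blacklist " + direction
    sids = set()
    collecting = False
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line)
        if m:
            collecting = (m.group(1) == wanted)
            if collecting:
                sids.update(SID_RE.findall(m.group(2)))
        elif collecting:
            sids.update(SID_RE.findall(line))
    return sids


def split_sid(sid):
    """Split an AD domain SID into (domain prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify_groups(group_sids, blacklist):
    """Per group: will the IPA KDC drop it from the MS-PAC of tickets it
    issues (SID on the blacklist) or keep it?  As the thread explains, SSSD's
    own `id`/`getent` lookups show the group either way."""
    result = {}
    for name, sid in group_sids.items():
        if sid in blacklist:
            result[name] = "filtered from ticket PAC"
        else:
            result[name] = "kept in ticket PAC"
    return result


if __name__ == "__main__":
    incoming = parse_blacklist(TRUST_SHOW_OUTPUT)
    for name, verdict in classify_groups(GROUP_SIDS, incoming).items():
        _, rid = split_sid(GROUP_SIDS[name])
        print(f"{name:14s} RID {rid:<5d} {verdict}; still listed by 'id' via SSSD")
```

Run as-is it reports "domain users" as filtered from the PAC and the two hypothetical groups as kept, while noting that all three remain visible to `id`, which is exactly the behaviour the original poster observed. To check a real host, replace the two constructed inputs with the output of `ipa trust-show <domain> --all` and the `objectSIDString` values from the SSSD cache.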
