On Sun, Apr 22, 2012 at 08:07:56PM -0400, Stephen Gallagher wrote:
> On Sun, 2012-04-22 at 17:27 -0400, Simo Sorce wrote:
> > On Sun, 2012-04-22 at 15:10 -0400, Stephen Gallagher wrote:
> > > Ok, I just hit a snag and I'm not sure how best to proceed. All users on
> > > a POSIX system need to have a default GID value, which in most cases is
> > > mapped to a user-private group to help avoid accidental permission-leaks
> > > when that user creates files.
> > > 
> > > However, when mapping a user from Active Directory's objectSID, we don't
> > > have an obvious group to which we can map the primaryGID. I'm not sure
> > > how best to proceed here.
> > 
> > Why can't you use the Primary-Group-ID attribute ?
> > 
> 
> I was confused about that. It looked like it was a POSIX attribute that
> I couldn't rely on. It appears I was mistaken. It's a bit annoying,
> though. As near as I can tell, it's just the RID portion of the
> objectSID of the group. So I should be able to just take the minimum
> value of the domain and add this value to it to generate the mapped ID.

yes, it is the RID. Since one of the goals here is to be feature
compatible with nss-pam-ldapd it might make sense to see how this is
handled there. But I would expect it does just the same.

bye,
Sumit

> 
> > > One option is to map users' primaryGID to the special group "Domain
> > > Users" to which all AD users belong, but that runs the risk of
> > > reintroducing the above-mentioned permission leaks. I don't really have
> > > any other ideas here, though. Recommendations welcome.
> > 
> > I think a good idea would also be to fake up a primary group that has
> > the same name as the user and same numerical id. This would be the best
> > mapping, I wish we had done that in samba many years ago.
> > 
> > However you may need to make that conditional and go back to use the
> > Primary-Group-ID if you want to interoperate with samba as samba will
> > take the primary group SID and reverse map that to a gid for the user.
> 
> This would be a nice thing to have, but it's out of scope for my current
> efforts. Please file an RFE and we'll look into it for a future release.


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
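The mapping discussed in this thread (RID of the objectSID, or the primaryGroupID attribute, added to the base of the domain's ID range), written out as an added example; this is not SSSD code, and the domain SID, range base and range size are constructed values:

```python
"""Map an AD objectSID / primaryGroupID to POSIX ids by adding the RID to
the base of the range assigned to that domain (added example, not SSSD)."""
import re

# Constructed sample domain and the POSIX id range assumed to be reserved for it.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_BASE = 200000        # first POSIX id of this domain's range (assumed)
RANGE_SIZE = 200000        # number of ids in the range (assumed)

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> tuple:
    """Return (domain SID, RID) for a SID string like S-1-5-21-a-b-c-RID."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_posix_id(rid: int) -> int:
    """RID -> POSIX id: base of the domain's range plus the RID.

    RIDs outside the range are rejected; wrapping or clamping them would
    let two different AD objects end up with the same uid/gid."""
    if not 0 <= rid < RANGE_SIZE:
        raise ValueError(f"RID {rid} outside the domain's range of {RANGE_SIZE} ids")
    return RANGE_BASE + rid


def map_user(object_sid: str, primary_group_id: int) -> dict:
    """Map a user's objectSID and primaryGroupID attribute to uid and gid.

    primaryGroupID is only the RID of the group, so the group's SID is the
    user's domain SID with that RID appended; both ids use the same range."""
    domain, user_rid = split_sid(object_sid)
    if domain != DOMAIN_SID:
        raise ValueError(f"SID {object_sid} is not from the configured domain")
    return {
        "uid": rid_to_posix_id(user_rid),
        "gid": rid_to_posix_id(primary_group_id),
        "group_sid": f"{domain}-{primary_group_id}",
    }


if __name__ == "__main__":
    # Constructed user with RID 1105 whose primaryGroupID is 513 ("Domain Users").
    print(map_user(DOMAIN_SID + "-1105", 513))
```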