On Wed, 08 Oct 2014, Loris Santamaria wrote:
On Tue, 07-10-2014 at 20:01 -0400, Dmitri Pal wrote:


The users and related information are not fetched until you
authenticate as this user.
The ability to fetch users and groups that are not yet authenticated
is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and
will be addressed in the next version of SSSD.
How frequently do you really need to lookup unauthenticated AD users
and AD groups on linux systems? What is the use case?

The ticket above is for the cases when there is an application that
needs to fetch the user so that admin of the application can assign
privileges to this user. But this is a pretty corner case.

It is a pretty common request when you configure a proxy server with
authentication. You get the user's ticket but the user is not logged in
on the system, so normal group membership via sssd won't work.
If you get a user's ticket, you'd get MS-PAC in it, at least for AD
and FreeIPA users when ipa-adtrust-install was run. That gives you the full
list of groups the user is a member of at the moment the TGT was issued.
SSSD supports it already.

What was poorly supported is the case of looking up groups of an AD user
who never logged in. In that case SSSD did miss some of the groups,
obtaining which required expensive traversal over AD DCs beyond the Global
Catalog service.

This should now be better supported with 1.12.2.

--
/ Alexander Bokovoy
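As an added illustration (not part of the thread, and not SSSD's own code): the point above is that the PAC inside a service ticket already carries the user's group membership as of TGT issuance, so a service such as an authenticating proxy can derive a group list without the user ever having logged in on the box. The snippet below shows how the fields of a PAC logon-info buffer (domain SID, group RIDs, extra SIDs) turn into full group SIDs, how a SID is encoded in the binary form AD stores in objectSid (which is what you would search on to resolve a SID to a name), and how to spot the drift between the ticket's snapshot and the directory's current state. The `SAMPLE_LOGON_INFO` record is constructed for the example; it is not a decoded ticket, and no PAC parsing or signature verification is performed here.

```python
import re
import struct

# Constructed stand-in for the fields of a PAC_LOGON_INFO (KERB_VALIDATION_INFO)
# buffer. Values are made up for the example; this is not a decoded ticket.
SAMPLE_LOGON_INFO = {
    "LogonDomainId": "S-1-5-21-1111-2222-3333",   # SID of the issuing domain
    "PrimaryGroupId": 513,                        # RID, relative to LogonDomainId
    "GroupIds": [513, 1105],                      # RIDs, relative to LogonDomainId
    "ExtraSids": ["S-1-5-21-4444-5555-6666-1200", # full SIDs, e.g. groups from other domains
                  "S-1-18-1"],                    # or well-known SIDs
}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities]); reject anything else."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: %r" % sid)
    return authority, subs


def sid_to_bytes(sid):
    """Encode a SID as AD stores it in objectSid: revision (1), sub-authority count (1),
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    authority, subs = parse_sid(sid)
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes, with length checks so a truncated blob is rejected."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def pac_group_sids(logon_info):
    """Full group SIDs the ticket asserts: domain SID + each RID, plus the ExtraSids as-is."""
    domain = logon_info["LogonDomainId"]
    parse_sid(domain)  # fail early on a malformed domain SID
    rids = set(logon_info["GroupIds"]) | {logon_info["PrimaryGroupId"]}
    sids = {"%s-%d" % (domain, rid) for rid in rids}
    for extra in logon_info["ExtraSids"]:
        parse_sid(extra)
        sids.add(extra)
    return sids


def membership_drift(pac_sids, directory_sids):
    """Compare the ticket's snapshot with what the directory says now: groups added
    after the TGT was issued are missing from the ticket, removed ones linger in it."""
    pac_sids, directory_sids = set(pac_sids), set(directory_sids)
    return {
        "missing_from_ticket": directory_sids - pac_sids,
        "stale_in_ticket": pac_sids - directory_sids,
    }


if __name__ == "__main__":
    groups = pac_group_sids(SAMPLE_LOGON_INFO)
    for sid in sorted(groups):
        print(sid, sid_to_bytes(sid).hex())
    # Constructed "current" directory view: one group added, the extra SIDs gone.
    now = {"S-1-5-21-1111-2222-3333-513",
           "S-1-5-21-1111-2222-3333-1105",
           "S-1-5-21-1111-2222-3333-1300"}
    print(membership_drift(groups, now))
```

The drift check is the practical consequence of "at the moment the TGT was issued": a service that authorizes from the PAC will not see a group change until the user obtains a fresh TGT, and a group the user was removed from stays in the ticket until then. A real consumer must also verify the PAC's server and KDC checksums before trusting its group list; the example deliberately starts from already-extracted fields and does not do that.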

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
