Hi all,

Yes, you can filter out certain SIDs--> I tried, but cannot get it to work. For example, I don't need "Domain Users":

Found out the SID by:

[root@suacri10103 ~]# getent group domain\ us...@ad.example.org
domain us...@example.org:*:1012600513:someu...@ad.example.org
[root@suacri10103 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa.ad%s/example.org.ldb gidNumber=1012600513 | grep objectSIDString
asq: Unable to register control with rootdse!
objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513

and put the SID in the blacklist; yes it is blacklisted:

admin01@ipa ~]$ ipa trust-show ad.example.com --all | grep "SID blacklist incoming" SID blacklist incoming: S-1-5-20, S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

However, the group is still there if I do a n "id someu...@ad.example.com" (yep, whiped cache, restarted ipa etc.)

Shouldn't the group be disappeared since the SID is blacklisted...?


Alexander Bokovoy schreef op 10-02-2016 13:46:
On Wed, 10 Feb 2016, Winfried de Heiden wrote:
Hi all,

"hy are you concerned about this in the first place? "

It started from a practical point of view: if one is using the DC of the Office Automation, Ad users will get all sorts of AD groups I am never going to use. so why do I want to see them anyway? My screen get's a bit messy as for "u...@ad.example.com"  when this user belongs tot 25 or something groups... It
would be nice to hide these...

Can I blacklist some of the groups? (Trusts  --> ad.example.com --> Settings)
by using the SID?
Yes, you can filter out certain SIDs at the KDC side by using settings
of the trust. Theoretically, SSSD would need to remove the group
membership for groups not existing in the MS-PAC.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to