Yes, you can filter out certain SIDs --> I tried, but cannot get it to
work. For example, I don't need "Domain Users":
Found out the SID by:
[root@suacri10103 ~]# getent group domain\ us...@ad.example.org
[root@suacri10103 ~]# ldbsearch -H
/var/lib/sss/db/cache_ipa.ad%s/example.org.ldb gidNumber=1012600513 |
asq: Unable to register control with rootdse!
and put the SID in the blacklist; yes it is blacklisted:
admin01@ipa ~]$ ipa trust-show ad.example.com --all | grep "SID"
SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
However, the group is still there if I do an "id
someu...@ad.example.com" (yep, wiped cache, restarted ipa etc.)
Shouldn't the group have disappeared since the SID is blacklisted...?
Alexander Bokovoy wrote on 10-02-2016 13:46:
On Wed, 10 Feb 2016, Winfried de Heiden wrote:
"Why are you concerned about this in the first place?"
It started from a practical point of view: if one is using the DC of
Automation, Ad users will get all sorts of AD groups I am never going
so why do I want to see them anyway? My screen gets a bit messy as
"u...@ad.example.com" when this user belongs to 25 or something
would be nice to hide these...
Can I blacklist some of the groups? (Trusts --> ad.example.com -->
by using the SID?
Yes, you can filter out certain SIDs at the KDC side by using settings
of the trust. Theoretically, SSSD would need to remove the group
membership for groups not existing in the MS-PAC.
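As an added example (not code from this thread or from FreeIPA/SSSD), a small Python script that parses the wrapped "SID blacklist incoming" attribute quoted above and applies it as an exact-match filter to a constructed list of MS-PAC group SIDs. The exact-match rule and the sample PAC are assumptions for illustration, not ipa-kdb's implementation; RID 513 is the well-known "Domain Users" RID.

```python
import re

# Constructed sample: the wrapped `ipa trust-show --all | grep "SID"` output from the thread.
TRUST_SHOW_OUTPUT = """\
SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
"""

# Constructed sample: group SIDs as they might appear in a user's MS-PAC (assumption).
SAMPLE_PAC_GROUPS = [
    "S-1-5-21-1447349426-2906170142-3196411423-513",   # Domain Users (RID 513)
    "S-1-5-21-1447349426-2906170142-3196411423-1105",  # some custom AD group
    "S-1-5-11",                                        # Authenticated Users
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in every AD domain


def parse_sid_blacklist(output, key="SID blacklist incoming"):
    """Collect the SIDs listed under `key`, following the wrapped continuation lines."""
    sids, collecting = set(), False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(key + ":"):
            collecting, line = True, line.split(":", 1)[1]
        elif collecting and (": " in line or not line):  # next attribute or blank ends the list
            break
        elif not collecting:
            continue
        for token in line.split(","):
            token = token.strip()
            if token:
                if not SID_RE.match(token):
                    raise ValueError("not a SID: %r" % token)
                sids.add(token)
    return sids


def filter_pac_groups(pac_group_sids, blacklist):
    """Split PAC group SIDs into (kept, dropped) using exact blacklist matching (assumed rule)."""
    kept = [s for s in pac_group_sids if s not in blacklist]
    dropped = [s for s in pac_group_sids if s in blacklist]
    return kept, dropped
```

The kept list models only what the KDC would leave in the PAC; whether `id` still shows the group afterwards depends on SSSD, which is the open point in the thread.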
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project