On Fri, 12 Feb 2016, w...@dds.nl wrote:
Hi all,
Yes, you can filter out certain SIDs--> I tried, but cannot get it to
work. For example, I don't need "Domain Users":
Found out the SID by:
[root@suacri10103 ~]# getent group domain\ us...@ad.example.org
domain us...@example.org:*:1012600513:someu...@ad.example.org
[root@suacri10103 ~]# ldbsearch -H
/var/lib/sss/db/cache_ipa.ad%s/example.org.ldb gidNumber=1012600513 |
grep objectSIDString
asq: Unable to register control with rootdse!
objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513
and put the SID in the blacklist; yes it is blacklisted:
admin01@ipa ~]$ ipa trust-show ad.example.com --all | grep "SID
blacklist incoming"
SID blacklist incoming: S-1-5-20,
S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2,
S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11,
S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
However, the group is still there if I do a n "id
someu...@ad.example.com" (yep, whiped cache, restarted ipa etc.)
Shouldn't the group be disappeared since the SID is blacklisted...?
Only from Kerberos tickets. I don't think SSSD in ipa_server_mode
consults this list. Instead, when AD users logins with Kerberos ticket,
the resulting ticket already has blacklisted SIDs filtered out by IPA
KDC and SSSD will see that these tickets' MS-PAC doesn't have additional
groups in it.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
