On Fri, 12 Feb 2016, w...@dds.nl wrote:
Hi all,

Yes, you can filter out certain SIDs--> I tried, but cannot get it to work. For example, I don't need "Domain Users":

Found out the SID by:

[root@suacri10103 ~]# getent group domain\ us...@ad.example.org
domain us...@example.org:*:1012600513:someu...@ad.example.org
[root@suacri10103 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa.ad%s/example.org.ldb gidNumber=1012600513 | grep objectSIDString
asq: Unable to register control with rootdse!
objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513

and put the SID in the blacklist; yes it is blacklisted:

admin01@ipa ~]$ ipa trust-show ad.example.com --all | grep "SID blacklist incoming"
SID blacklist incoming: S-1-5-20, S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

However, the group is still there if I do an "id someu...@ad.example.com" (yep, wiped cache, restarted ipa etc.)

Shouldn't the group have disappeared, since the SID is blacklisted...?
Only from Kerberos tickets. I don't think SSSD in ipa_server_mode
consults this list. Instead, when AD users log in with a Kerberos ticket,
the resulting ticket already has the blacklisted SIDs filtered out by the IPA
KDC, and SSSD will see that the ticket's MS-PAC doesn't have the additional
groups in it.

/ Alexander Bokovoy
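A small checker for the lookup steps quoted above (objectSIDString from ldbsearch, "SID blacklist incoming" from ipa trust-show), added here as an example; it is not code from the thread or from FreeIPA, the captured outputs are constructed to mirror the ones quoted, and the function names are my own.

```python
import re

# Constructed sample of the thread's ldbsearch output (the "asq:" line is a harmless warning).
LDBSEARCH_OUTPUT = """\
asq: Unable to register control with rootdse!
objectSIDString: S-1-5-21-1447349426-2906170142-3196411423-513
"""

# Constructed sample of: ipa trust-show ad.example.com --all | grep "SID blacklist incoming"
TRUST_SHOW_OUTPUT = """\
  SID blacklist incoming: S-1-5-20, S-1-5-21-1447349426-2906170142-3196411423-513, S-1-5-3, S-1-5-18
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")  # S-<revision>-<authority>[-<subauthority>...]


def parse_object_sid(ldb_output: str) -> str:
    """Pick the objectSIDString value out of ldbsearch output, ignoring warning lines."""
    for line in ldb_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "objectSIDString":
            sid = value.strip()
            if not SID_RE.match(sid):
                raise ValueError(f"malformed SID: {sid!r}")
            return sid
    raise ValueError("no objectSIDString attribute in ldbsearch output")


def parse_blacklist(trust_output: str) -> set:
    """Return the SIDs listed on the 'SID blacklist incoming' line of ipa trust-show."""
    for line in trust_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "SID blacklist incoming":
            sids = {s.strip() for s in value.split(",") if s.strip()}
            bad = [s for s in sids if not SID_RE.match(s)]
            if bad:
                raise ValueError(f"malformed SIDs in blacklist: {bad}")
            return sids
    raise ValueError("no 'SID blacklist incoming' line in trust-show output")


def check_group(ldb_output: str, trust_output: str) -> dict:
    """Split the group SID into domain SID and RID and test it against the blacklist."""
    sid = parse_object_sid(ldb_output)
    domain_sid, _, rid = sid.rpartition("-")
    return {
        "sid": sid,
        "domain_sid": domain_sid,  # S-1-5-21-... part identifies the trusted AD domain
        "rid": int(rid),           # 513 is the well-known "Domain Users" RID
        "blacklisted": sid in parse_blacklist(trust_output),
    }
```

A `blacklisted: True` result only means the SID will be trimmed from the MS-PAC of tickets issued by the IPA KDC, as the reply explains; it does not predict what `id` or `getent group` will show, because SSSD's lookups in ipa_server_mode do not consult this list.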

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project