On Wed, Jan 28, 2015 at 03:05:00PM +0100, Sumit Bose wrote:
> Hi,
>
> another issue found by Steeve during testing. To reproduce this you need
> a universal group with members from different domains. Then either look
> up the group by SID e.g. with
>
> python -c "import pysss_nss_idmap; print pysss_nss_idmap.getnamebysid('S-1-5-21-3456664713-2053453454-4165325232-1234')"
>
> and then with getent group groupname.
>
> Or use IPA views, override the group name in the 'default trust view'
> on the IPA server and look up the group by the overridden name. In both
> cases the group should not already be in the cache. Only members from the
> domain of the group should be shown without the patch.
>
> bye,
> Sumit

The patch is correct, but I'm worried about the implications. What kind of requests by SID does the server receive? Do we also resolve requests for users by SID? In that case, we might be surprised that some POSIX attributes are not available in GC..