On Wed, Jan 28, 2015 at 03:27:44PM +0100, Jakub Hrozek wrote:
> On Wed, Jan 28, 2015 at 03:05:00PM +0100, Sumit Bose wrote:
> > Hi,
> > 
> > another issue found by Steeve during testing. To reproduce this you need
> > a universal group with members from different domains. Then either look
> > up the group by SID e.g. with
> > 
> > python -c "import pysss_nss_idmap; print(pysss_nss_idmap.getnamebysid('S-1-5-21-3456664713-2053453454-4165325232-1234'))"
> > 
> > and then with getent group groupname.
> > 
> > Or use IPA views, override the group name in the 'default trust view'
> > on the IPA server and look up the group by the overridden name. In both
> > cases the group should not already be in the cache. Only members from the
> > domain of the group should be shown without the patch.
> > 
> > bye,
> > Sumit
> 
> The patch is correct, but I'm worried about the implications. What kind
> of requests by SID does the server receive? Do we also resolve requests
> for users by SID? In that case, we might be surprised that some POSIX
> attributes are not available in GC..

good point, I'm working on a group only alternative.

bye,
Sumit
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel