On Mon, Apr 13, 2015 at 04:47:35PM +0200, Lukas Slebodnik wrote:
> ehlo,
>
> the problem is that with current master and 1.12 the domain local groups
> from subdomain are not filtered.
>
> The 1st patch partially fixes the problem. The name of the group is not visible
> after "id user", but there is a GID which does not have a name.
> BTW without this patch "Distribution groups" needn't be filtered with
> disabled tokengroups. It might explain some cases where groups were missing
> with disabled tokengroups. Users might use this bug as a workaround.
>
> The last patch filters domain local groups from subdomains
> while doing initgroups. So there will not be GIDs without a name.
>
> Please try to review the patches very soon, so we can fix the regression with
> domain local groups caused by the recent optimisation of initgroups.
>
> LS
Seems to work fine:

(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Group [Denied RODC Password Replication gr...@child.ad.example.com] has mapped gid [577600572]
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x4000): AD group [Denied RODC Password Replication gr...@child.ad.example.com] has type flags 0x80000004.
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [Denied RODC Password Replication gr...@child.ad.example.com].
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group Denied RODC Password Replication gr...@child.ad.example.com to sysdb

The patches look good as well.

btw I think we should rename the request sdap_ad_tokengroups_initgr_posix() because for subdomains it's called even if TGs are enabled.

ACK

CI is pending, I'll push after the CI run finishes.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
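For readers following the log above, here is an added example (not code from this thread or from SSSD itself) that decodes an Active Directory groupType value such as the logged 0x80000004 and applies the rule the patches implement: a domain-local group coming from a subdomain is dropped from the user's group list. The groupType bit names are the documented GROUP_TYPE_* constants; the filtering rule is stated as the thread describes it, and the helper and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Active Directory groupType bits (documented GROUP_TYPE_* values). */
#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001u
#define GROUP_TYPE_ACCOUNT_GROUP       0x00000002u  /* global */
#define GROUP_TYPE_RESOURCE_GROUP      0x00000004u  /* domain local */
#define GROUP_TYPE_UNIVERSAL_GROUP     0x00000008u
#define GROUP_TYPE_SECURITY_ENABLED    0x80000000u

/* Parse a groupType either as logged ("0x80000004") or as LDAP returns it
 * (a signed 32-bit decimal, e.g. "-2147483644" for the same bit pattern).
 * Returns the 32-bit value, or -1 if the text is not a valid number. */
int64_t parse_group_type(const char *text)
{
    char *end;
    long long v = strtoll(text, &end, 0);
    if (end == text || *end != '\0' || v < INT32_MIN || v > (long long)UINT32_MAX)
        return -1;
    return (int64_t)(uint32_t)v;  /* negative values wrap to the same bits */
}

/* Name the scope bit of a groupType value. */
const char *group_scope_name(uint32_t type)
{
    if (type & GROUP_TYPE_BUILTIN_LOCAL_GROUP) return "builtin-local";
    if (type & GROUP_TYPE_ACCOUNT_GROUP)       return "global";
    if (type & GROUP_TYPE_RESOURCE_GROUP)      return "domain-local";
    if (type & GROUP_TYPE_UNIVERSAL_GROUP)     return "universal";
    return "unknown";
}

/* Rule from the thread: domain-local groups of a subdomain (not the domain
 * the host is joined to) are filtered out during initgroups, so the user
 * does not end up with a GID that has no resolvable name. */
bool should_filter_ad_group(uint32_t type, bool from_subdomain)
{
    return from_subdomain && (type & GROUP_TYPE_RESOURCE_GROUP) != 0;
}

int main(void)
{
    uint32_t t = (uint32_t)parse_group_type("0x80000004");  /* value from the log */
    printf("scope=%s security-enabled=%d filter(subdomain)=%d filter(joined)=%d\n",
           group_scope_name(t), !!(t & GROUP_TYPE_SECURITY_ENABLED),
           should_filter_ad_group(t, true), should_filter_ad_group(t, false));
    return 0;
}
```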