Title: #616: become_user: add supplementary groups so ad provider can access
On Wed, Jul 11, 2018 at 11:42:44AM -0700, sumit-bose wrote:
> Thank you for the patch it looks quite interesting.
> I wonder if you wouldn't be able to achieve the same by setting the primary
> group of the _sssd user to _keytab?
This would be my preference too. Or owning the keytab by
keytab.sssd. Alternatively, could the keytab file allow the sssd user to
read the contents with a POSIX ACL? (setfacl -m u:sssd:r /etc/krb5.keytab)
> Additionally if you think that a secondary group is really necessary I
> think it would be better to add a config option for this so that you can add
> e.g. to the [domain/...] section 'secondary_gid = 12345'. This way /etc/group
> (where is _sssd user is added to the _keytab group) is not a required part
> of the SSSD configuration
I don't understand this part, I'm sorry. Do you propose that sssd_be
runs with some supplementary GIDs, but the responders don't? This makes
sense, but in general I'm not sure I like constructing some artificial
> and the initgroups() call can be avoided because
> it might be expensive at some places where become_user() is called.
This is a fair comment, although storing the sssd user in a remote
directory (which is realistically the only setup which might be slow)
doesn't strike me as the best idea.
See the full comment at
sssd-devel mailing list -- firstname.lastname@example.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines