On Thu, Feb 20, 2020, at 4:31 PM, Eugene Vilensky wrote:
> 
> Greetings,
> 
> My company restricts which AD entities have access to a Domain User's 
> MemberOf attribute. This is done precisely as described by this 
> institution here: 
> https://itconnect.uw.edu/wares/msinf/design/arch/group-member-privacy/
> 
> Self can read own MemberOf.
> 
> We've never seen an impact on Windows clients.
> 
> However, for SSSD the effect is obvious: "Domain Users" is the only 
> Group returned. It appears that SSSD uses the permissions of the 
> Computer account for this operation.
> 
> Is there any configurable alternative to use the User's own permissions 
> to resolve MemberOf on a user?
> 

I think this info is also in the PAC. I wonder if enabling the PAC responder 
would help...

V/r,
James Cassell
_______________________________________________
sssd-users mailing list -- [email protected]