(I was going to let those more in-depth knowledgeable in sssd answer this, but I'm not seeing any such answers.)
This will not be a problem -- for multiple reasons.

The first is that when searching AD for a specified user name, sssd is searching for a "user" object. A computer object is not a user object. You can verify this for yourself by doing a 'getent -s sss group <AD_group>'. It will list only user objects under that group and often only some of these (see below).

Secondly, where sssd finds an AD user object depends additionally on what type of LDAP user mapping you're doing. For instance, we do the RFC2307bis AD schema extension, where we have to specify additional LDAP attributes for an account. Attributes like the UID, primary GID, login shell, gecos, home directory. Without those additional attributes set on a user object, sssd will not report the user object. So in the 'getent -s sss group <AD group>' above, sssd will report only the members that are user objects and have those additional LDAP attributes filled in.

Spike White

On Thu, Jul 3, 2025 at 5:45 PM Yehuda Katz via sssd-users <
sssd-users@lists.fedorahosted.org> wrote:

> We are using SSSD to connect RHEL systems to Microsoft Active Directory.
> Access is granted to groups using the `simple_allow_groups` option and
> those groups are also used to allow sudo access.
> Some of these groups have members that are the computer accounts for other
> computers in the domain.
>
> Should that be considered a security risk? For example, could someone with
> root access on one system recover the computer account information and use
> that computer account to log in to a different system?
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
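The reply above describes the two filters that decide which members of an AD group show up in 'getent -s sss group' on an RFC2307bis-style setup: the member must be a user object (not a computer), and it must carry the POSIX attributes. The following is an added, offline model of that membership resolution and of the resulting simple_allow_groups decision; it is not code from the thread or from the sssd project, and it does not talk to AD. The directory entries are constructed by hand. The attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell) are the ones the AD RFC2307bis extension populates, and treating all four as required is an assumption of this model (it corresponds to a client running with ldap_id_mapping = False). One detail the model handles explicitly: in the AD schema the computer class derives from user, so a computer object's objectClass list also contains "user", and a check that wants to exclude computers has to test for the computer class itself.

```python
"""Offline model of sssd's view of an AD group (added example, not sssd code).

Assumptions of this model, not facts about sssd internals:
  * RFC2307bis-style AD schema extension with ldap_id_mapping = False,
    so every one of REQUIRED_POSIX_ATTRS must be present on a user object.
  * A member carrying the AD "computer" class is never resolved as a user.
"""

REQUIRED_POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed directory, keyed by DN. objectClass values follow AD conventions:
# a computer object inherits "user", so it lists both "user" and "computer".
AD_OBJECTS = {
    "CN=alice,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "alice",
        "uidNumber": 10001, "gidNumber": 5000,
        "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash",
    },
    # A real user object, but nobody filled in the POSIX attributes.
    "CN=bob,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "bob",
    },
    "CN=carol,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "carol",
        "uidNumber": 10002, "gidNumber": 5000,
        "unixHomeDirectory": "/home/carol", "loginShell": "/bin/bash",
    },
    # A computer account that someone went as far as giving POSIX attributes.
    "CN=WEB01,OU=Servers,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": "WEB01$",
        "uidNumber": 20001, "gidNumber": 5000,
        "unixHomeDirectory": "/home/web01", "loginShell": "/bin/bash",
    },
}

# Constructed group used as the simple_allow_groups / sudo group in the question.
AD_GROUP = {
    "cn": "linux-admins",
    "gidNumber": 5000,
    "member": list(AD_OBJECTS) + ["CN=gone,OU=People,DC=example,DC=com"],
}


def classify_member(obj):
    """Return (visible, reason) for one directory object under the model above."""
    classes = obj.get("objectClass", [])
    if "computer" in classes:
        return False, "computer object"
    if "user" not in classes:
        return False, "not a user object"
    missing = [a for a in REQUIRED_POSIX_ATTRS if a not in obj]
    if missing:
        return False, "missing " + ",".join(missing)
    return True, "ok"


def sssd_visible_members(group, directory):
    """Members sssd would list, plus a DN -> reason map for the ones it skips."""
    visible, skipped = [], {}
    for dn in group["member"]:
        obj = directory.get(dn)
        if obj is None:
            skipped[dn] = "unresolvable DN"
            continue
        ok, reason = classify_member(obj)
        if ok:
            visible.append(obj["sAMAccountName"])
        else:
            skipped[dn] = reason
    return sorted(visible), skipped


def getent_line(group, directory):
    """Render the group the way 'getent -s sss group <name>' prints it."""
    members, _ = sssd_visible_members(group, directory)
    return f"{group['cn']}:*:{group['gidNumber']}:{','.join(members)}"


def allowed_by_simple_allow_groups(account, allow_groups, directory):
    """Model of the simple access provider: the account must be a member that
    sssd can resolve in at least one of the allow groups."""
    for group in allow_groups:
        members, _ = sssd_visible_members(group, directory)
        if account in members:
            return True
    return False


if __name__ == "__main__":
    print(getent_line(AD_GROUP, AD_OBJECTS))
    for dn, why in sssd_visible_members(AD_GROUP, AD_OBJECTS)[1].items():
        print(f"skipped {dn}: {why}")
    for name in ("alice", "bob", "WEB01$"):
        print(name, allowed_by_simple_allow_groups(name, [AD_GROUP], AD_OBJECTS))
```

Running it on a real client means replacing AD_OBJECTS with the output of an ldapsearch for the group's member DNs and comparing against the actual 'getent -s sss group' line; any member that appears in AD but not in getent should have one of the reasons the skipped map reports.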