On Thu, Oct 3, 2019, at 9:15 PM, Alex Perl wrote:
Implemented AD/KRB/SSSD with both RH6 and RH7.
RH7 no issues, as we are using auto_private_groups that was added to 1.16.1.
In RH6 the issue (sssd 1.13) is that all users get the same
groups, and it is a clear security gap.
The only way to avoid this, based on the KB articles, is to use AD
POSIX attributes. If we don't want to use this setup, is there any
other recommended way?
In my experience, even with AD POSIX attributes where a GID is assigned to the user, the
group name does not resolve without auto_private_groups unless there is an associated
AD group with the same GID. In my example, we assigned uid=gid attributes unique to each
user.
Probably the best way to close the security gap on RH6 is to enforce a umask of 077.
The example of user/group representation, where all users get the
same gid=273200513(domain users):
id username uid=2755191114(ncircle) gid=273200513(domain users)
groups=273200513(domain users)
V/r,
James Cassell
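An added check, not part of this thread or of sssd itself, that flags the condition James describes: it scans `id`-style output (a constructed sample embedded inline, modelled on the line above) and reports any primary GID that more than one account shares, so an admin can verify whether a host is still handing every AD user the same primary group.

```shell
#!/bin/sh
# Added example (not from the thread): given lines in the format printed by
# `id` (uid=...(name) gid=...(group) groups=...), report every primary GID
# that more than one user shares. On the RH6/sssd 1.13 setup described above,
# every AD user shows gid=273200513(domain users), so that GID is flagged.

# Constructed sample input: two AD users sharing the "domain users" primary
# GID, plus one local account with a private group (the healthy case).
SAMPLE_ID_OUTPUT='uid=2755191114(ncircle) gid=273200513(domain users) groups=273200513(domain users)
uid=2755191115(jdoe) gid=273200513(domain users) groups=273200513(domain users)
uid=1000(local) gid=1000(local) groups=1000(local),10(wheel)'

# Print "gid group-name user-count" for each primary GID used by >1 user.
shared_primary_gids() {
    printf '%s\n' "$1" | awk '
        {
            # the gid= field may contain a space inside the parenthesised
            # name, so match the whole record instead of splitting on blanks
            if (match($0, /gid=[0-9]+\([^)]*\)/)) {
                f = substr($0, RSTART + 4, RLENGTH - 4)  # 273200513(domain users)
                n = index(f, "(")
                gid = substr(f, 1, n - 1)
                name[gid] = substr(f, n + 1, length(f) - n - 1)
                count[gid]++
            }
        }
        END {
            for (g in count)
                if (count[g] > 1) printf "%s %s %d\n", g, name[g], count[g]
        }'
}

# Exit 0 when no primary GID is shared, 1 otherwise. Usable as a gate in a
# hardening script: the umask 077 workaround above limits the impact of a
# shared GID, it does not remove it, so the check keeps reporting it.
check_private_groups() {
    [ -z "$(shared_primary_gids "$1")" ]
}

shared_primary_gids "$SAMPLE_ID_OUTPUT"
```

On a live host, feed the function the output of `id "$user"` for each AD account instead of the constructed sample.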