On Wed, Jan 27, 2016 at 4:07 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:

> On Tue, Jan 26, 2016 at 05:50:06PM -0500, James Ralston wrote:
>
> > It's a long story, but what we are trying to do here is to take
> > regular snapshots of our AD users and groups, and sssd's
> > getpwnam()/getgrnam() mapping is the perfect way to do it.  I
> > think I understand why distribution groups are filtered by default
> > (they're not security-enabled in AD, and can't be used in Windows
> > ACLs), but in this one particular case, we really do want to be
> > able to enumerate every single group.
>
> can you try setting:
>     ldap_group_type = nosuchattr
> ?
>
> That should trick sssd into not seeing the group type at all and
> would avoid filtering I guess (not tested).

Unfortunately, this doesn't work: if sssd can't determine the group
type, it filters ALL groups, instead of filtering no groups.

Hmmm.  If sssd can't determine the group type, wouldn't it be better
to filter no groups, instead of all groups?  Because filtering all
groups is essentially the same thing as disabling group lookups
entirely.  That doesn't seem like the best behavior to choose.

Then again, maybe a cleaner approach would be to add a
ldap_group_filtering option, and make the default value true (filter
groups that aren't security groups)?  Tricking sssd by telling it to
look at the wrong field for the group type seems like a hack.  :-(
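As an added illustration (constructed here, not sssd's own code nor anything posted in this thread), the following models the decision the messages describe: AD's groupType attribute is a bit mask whose 0x80000000 flag marks a security-enabled group, and when the attribute named by ldap_group_type cannot be read (as with `ldap_group_type = nosuchattr`) the group's type is unknown and, under the observed behaviour, it is dropped along with the distribution groups. The sample entries and the `filter_non_security` switch standing in for the proposed `ldap_group_filtering` option are assumptions.

```python
"""Model of groupType-based group filtering (constructed example).

AD stores groupType as a signed 32-bit integer; bit 0x80000000
(ADS_GROUP_TYPE_SECURITY_ENABLED) is set on security groups and clear on
distribution groups.
"""

SECURITY_ENABLED = 0x80000000  # AD groupType flag for security groups

# Constructed sample of what an LDAP search might return, keyed by the
# attribute name that ldap_group_type points at.
SAMPLE_GROUPS = [
    {"cn": "linux-admins", "groupType": "-2147483646"},  # global security group
    {"cn": "all-staff", "groupType": "2"},               # global distribution group
    {"cn": "dl-announce", "groupType": "8"},             # universal distribution group
]


def is_security_group(entry, attr="groupType"):
    """Return True/False for a readable type, None if it cannot be determined."""
    raw = entry.get(attr)
    if raw is None:
        return None
    try:
        value = int(raw)
    except ValueError:
        return None
    # Mask to 32 bits so the negative (signed) representation AD uses works.
    return bool((value & 0xFFFFFFFF) & SECURITY_ENABLED)


def visible_groups(entries, attr="groupType", filter_non_security=True):
    """Names of groups that survive filtering.

    filter_non_security=True models the behaviour observed in the thread:
    distribution groups are dropped, and so is any group whose type is
    unknown, which is why pointing ldap_group_type at a missing attribute
    hides every group.  filter_non_security=False models the proposed
    ldap_group_filtering=false: every group is returned.
    """
    if not filter_non_security:
        return [e["cn"] for e in entries]
    return [e["cn"] for e in entries if is_security_group(e, attr) is True]
```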