Ok, will do.
O.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 18 September 2015 11:42
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] Tokengroups usage
On Fri, Sep 18, 2015 at 09:38:19AM +0000, Ondrej Valousek wrote:
> I understand the purpose of tokengroups.
> What I still do not understand is why I should be concerned about my domain controller OS
> version. Tokengroups should be working anyway, right?
We used to support them only with 2008+ DCs initially.
> From the man page I see that if you have a newer DC, you should disable
> this functionality (but why?????)
Because with older DCs it wouldn't be used anyway. But we recently also started using
TGs with 2003 DC but we forgot to update the manpage:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=5c2f2023696d1ff79c3...
Feel free to open a ticket so that we fix the manpage.
O.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 18 September 2015 11:35
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] Tokengroups usage
On Fri, Sep 18, 2015 at 10:13:42AM +0100, John Hodrien wrote:
> On Fri, 18 Sep 2015, Ondrej Valousek wrote:
>
> >Nope,
> >See the last sentence:
> >"When connected to Active-Directory Server 2008 and later it is
> >furthermore required to disable usage of Token-Groups by setting
> >ldap_use_tokengroups to false"
> >
> >I understand it the way that if you have a newer DC, you need to disable
> >tokengroups usage.
>
> *If* you want to disable nested group processing, then yes, you need
> to disable both.
Correct. The reason is that the tokenGroups operation returns a list of SIDs the user is
a member of, without us knowing which are direct memberships and which are indirect.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.