Bug 1391064

Summary: MAN: Document AD provider uses tokengroups by default
Product: Red Hat Enterprise Linux 7 Reporter: Ming Davies <minyu>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Dan Lavu <dlavu>
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.0CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sssd-qe
Target Milestone: pre-dev-freeze   
Target Release: 7.4   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.15.0-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:00:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ming Davies 2016-11-02 13:56:26 UTC 
Description of problem:
AD provider uses tokengroups by default but it's unclear from the man page that this is the case.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Jakub Hrozek 2016-11-07 15:06:09 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3233
Comment 5 Lukas Slebodnik 2016-11-11 09:41:32 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3214
Comment 6 Jakub Hrozek 2016-11-17 08:49:22 UTC 
master:
6e27e8572f671de575d9ac2a34a677d9efc24fbc
8caf7ba5005b3be5447311713ad2b58169f9d32f
Comment 8 Dan Lavu 2017-05-31 20:59:40 UTC 
Verified against sssd-1.15.2-33.el7.x86_64

ldap_id_mapping (boolean)

Specifies that SSSD should attempt to map user and group IDs from the ldap_user_objectsid and ldap_group_objectsid attributes instead of relying on ldap_user_uid_number and ldap_group_gid_number.

Currently this feature supports only ActiveDirectory objectSID mapping.

Default: false



krb5_validate (boolean)

Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. The keytab is checked for entries sequentially, and the first entry with a matching realm is used for validation. If no entry matches the realm, the last entry in the keytab is used. This process can be used to validate environments using cross-realm trust by placing the appropriate keytab entry as the last entry or the only entry in the keytab file.
Comment 9 errata-xmlrpc 2017-08-01 09:00:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294