DescriptionAlexey Tikhonov
2022-10-11 15:23:51 UTC
Example workflow:
- SSSD client is enrolled into AD domain (Token-Groups are enabled)
- `id $user` is executed
- initgroups() is called for this user
- during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete"
- as a next step `id` calls getgrnam() for every group in initgroups() list
- since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group. But if `ignore_group_members = true` this search doesn't provide any new information. "Incomplete" groups could be used instead.
This is just an example workflow. There are probably other use cases.
Pushed PR: https://github.com/SSSD/sssd/pull/6775
* `master`
* 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b - SYSDB: in case (ignore_group_members == true) group is actually complete
* `sssd-2-9`
* d3c3408e0ef1df13c8c4d7fb6dc394fdb9a0886c - SYSDB: in case (ignore_group_members == true) group is actually complete
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:6644