URL:
https://github.com/SSSD/sssd/pull/616
Title: #616: become_user_ex: add supplementary groups so ad provider can access keytab
sumit-bose commented:
"""
Hi,
after rethinking the original issue (keytab access with AD provider), I think the PR is not
the best way to solve it. The issue happens when SSSD discovers other domains in the
forest at runtime where it wants to check if suitable keys can be found in the keytab.
This is the same operation which was already done at startup where SSSD's backend
process was still running as root. So instead of checking the keytab directly again, it
would be easier to check if the configured domain already has the needed information read
from the keytab and continue without accessing the keytab again.
In the long run, we might even switch to using gss-proxy so that SSSD does not need to access
the keytab directly in this code area.
Given that, I'll close the PR.
bye,
Sumit
"""
See the full comment at
https://github.com/SSSD/sssd/pull/616#issuecomment-769133733