URL:
https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab
sumit-bose commented:
"""
Thank you for the patch, it looks quite interesting.
I wonder if you wouldn't be able to achieve the same by setting the primary group of
the _sssd user to _keytab?
Additionally if you think that a secondary group is really necessary I think it would be
better to add a config option for this so that you can add e.g. to the [domain/...]
section 'secondary_gid = 12345'. This way /etc/group (where the _sssd user is added
to the _keytab group) is not a required part of the SSSD configuration and the
initgroups() call can be avoided because it might be expensive at some places where
become_user() is called.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/616#issuecomment-404270980
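
The alternative suggested in the comment above, sketched as an added example that is not code from the PR or from SSSD: a configured gid is validated and installed with setgroups() directly, so no initgroups() lookup is needed. The function names, the rejection of gid 0, and the uid/gid 65534 in main() are assumptions made for illustration; 'secondary_gid' is the option name proposed in the comment.

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical parser for the proposed 'secondary_gid = 12345' value. */
int parse_secondary_gid(const char *s, gid_t *out)
{
    char *end = NULL;
    unsigned long v;
    if (s == NULL || *s < '0' || *s > '9') return -1;  /* no sign, no whitespace */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    /* Assumed policy: refuse gid 0; (gid_t)-1 is the "unchanged" sentinel. */
    if (v == 0 || v >= (unsigned long)(gid_t)-1) return -1;
    *out = (gid_t)v;
    return 0;
}

/* Hypothetical helper: permanent switch from root to uid/gid with exactly one
 * supplementary group, set directly so /etc/group is never consulted. */
int become_user_with_gid(uid_t uid, gid_t gid, gid_t secondary)
{
    gid_t now[2];
    /* Groups and gid first, uid last: after setuid() the other calls fail. */
    if (setgroups(1, &secondary) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the resulting credentials rather than trusting return codes. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* On Linux getgroups() returns the list exactly as setgroups() set it. */
    if (getgroups(2, now) != 1 || now[0] != secondary) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be regainable */
    return 0;
}

int main(int argc, char **argv)
{
    gid_t sec;
    /* Constructed values: uid/gid 65534 stand in for the service account. */
    if (argc != 2 || parse_secondary_gid(argv[1], &sec) != 0) return 2;
    return become_user_with_gid(65534, 65534, sec) == 0 ? 0 : 1;
}
```

The switch itself only succeeds when the process starts with the privilege to change its ids; run unprivileged, become_user_with_gid() returns -1 at the setgroups() call.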