On Fri, 2011-06-24 at 09:54 -0400, Stephen Gallagher wrote:
New patches attached with some significant changes. After much
discussion, we decided that, rather than implement a facility for
identifying "unresolved groups" for the user, we would instead perform a
group lookup during the initial pull-down of the HBAC rules. This way,
we know that all groups that are relevant to HBAC rules are available on
the system. So if a user is a member of a group that is not resolvable,
we don't have to worry that it might match a DENY rule.
NACK
New patches fail to take into account non-posix groups.
Simo.
--
Simo Sorce * Red Hat, Inc * New York