On Thu, Mar 19, 2020 at 08:52:51AM +0100, Jannis Mann wrote:
Hi Sumit,
I saw that option the moment I've sent this mail. Unfortunately we've a lot
of Ubuntu 16.04 and Debian 9 machines where 1.16 doesn't run. It is not
planned to upgrade these machines anytime soon.
Is there another possibility to achieve this?
Hi,
not really.
Since you say the primary group is called 'Domain Users' I assume you
are using AD. With AD SSSD can derive UIDs and GIDs automatically from
the SID of the AD objects with 'ldap_id_mapping = True' (see man
sssd-ldap for details). With this users will get private primary groups
automatically, but all UIDs and GIDs on your systems will change.
The alternative would be to change the primary group for all users in
AD.
bye,
Sumit
Thanks :)
On Thu, 12 March 2020 at 11:19, Sumit Bose <sbose(a)redhat.com> wrote:
> On Thu, Mar 12, 2020 at 09:26:49AM +0100, Jannis Mann wrote:
> > Hi,
> >
> > I've sssd running with ldap provider and therefore use a binding account.
> >
> > In general everything works. I've a question regarding the primary group.
> >
> > When I login with any user who I permitted to in the sssd.conf all users
> > have the Domain Users group as primary group.
> >
> > So if I create a file with UserA, ownership is UserA:Domain\ Users
> > Same goes for UserB etc.
> >
> > Can I have influence on the primary group of the sssd users? Because this
> > seems quite insecure for me. Because I use different permissions for
> > different users (configured via sudoers files). But if every user is in the
> > same group..
>
> Hi,
>
> recent versions of SSSD have the option 'auto_private_groups', please
> check the sssd.conf man page if this option is available for your
> version and if yes you can find more details there as well.
>
> If this option is not listed in your man page you can check
> https://mzidek.fedorapeople.org/sssd/2.2.3/man/sssd.conf.5.html if it
> might be worth to upgrade?
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks for your input!
> >
> > Jannis
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
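An added example, not part of the thread and not SSSD code: a small audit that measures the exposure discussed above by listing files and directories that belong to the shared primary group and grant that group any access. The function name `group_exposed` and the command-line invocation are assumptions made for this illustration.

```python
import grp
import os
import stat
import sys


def group_exposed(root, shared_gid):
    """Return sorted (path, group_perms) for entries under root that are
    owned by shared_gid and grant that group any access, e.g. 'rw-'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is not readable
            # Symlink modes are meaningless; other groups are out of scope.
            if stat.S_ISLNK(st.st_mode) or st.st_gid != shared_gid:
                continue
            bits = st.st_mode & stat.S_IRWXG
            if bits:
                perms = "".join(
                    ch if bits & flag else "-"
                    for ch, flag in (
                        ("r", stat.S_IRGRP),
                        ("w", stat.S_IWGRP),
                        ("x", stat.S_IXGRP),
                    )
                )
                findings.append((path, perms))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed invocation: audit.py /home 'Domain Users'
    root, group_name = sys.argv[1], sys.argv[2]
    gid = grp.getgrnam(group_name).gr_gid  # resolved through NSS
    for path, perms in group_exposed(root, gid):
        print(f"{perms}  {path}")
```

Running it before and after a change to the primary group or to ID mapping shows which paths every member of the shared group can currently read or write.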