On Fri, 16 Aug 2019, Martijn Bakkes via FreeIPA-users wrote:
because domain local groups should not be mappable, for sure.
You're saying our IdM is functioning in a technically impossible way?
Please show logs, that's all I'm saying, before coming to any conclusion.
Below is the filtering logic within SSSD:
    /* Only security groups from AD are considered for POSIX groups.
     * Additionally only global and universal group are taken to account
     * for trusted domains. */
    if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
            || (IS_SUBDOMAIN(dom)
                && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
                      || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
        DEBUG(SSSDBG_TRACE_FUNC, "Filtering AD group [%s].\n", group_name);

        *_need_filter = true;
    }
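As an added example (not part of the thread and not SSSD's own code), the quoted decision restated as a stand-alone C function that takes the raw AD groupType value an admin sees in ldapsearch output. The GT_* bit values are assumed to be the AD groupType attribute bits (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security); the names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AD groupType attribute bits (assumption: same values SSSD's
 * SDAP_AD_GROUP_TYPE_* macros check; names here are hypothetical). */
#define GT_GLOBAL       0x00000002u
#define GT_DOMAIN_LOCAL 0x00000004u
#define GT_UNIVERSAL    0x00000008u
#define GT_SECURITY     0x80000000u

/* Mirrors the quoted SSSD filter: a group is kept as a POSIX group only
 * if it is a security group and, when it comes from a trusted
 * (sub)domain, is also global or universal. Returns true = filtered. */
bool ad_group_needs_filter(uint32_t group_type, bool is_subdomain)
{
    if (!(group_type & GT_SECURITY)) {
        return true;            /* distribution groups never map */
    }
    if (is_subdomain &&
        !((group_type & GT_GLOBAL) || (group_type & GT_UNIVERSAL))) {
        return true;            /* domain local group from a trusted domain */
    }
    return false;
}

/* AD stores groupType as a signed 32-bit integer, so security groups
 * show up negative in ldapsearch output; reinterpret the bits unsigned. */
bool ad_group_needs_filter_ldap(int32_t ldap_group_type, bool is_subdomain)
{
    return ad_group_needs_filter((uint32_t)ldap_group_type, is_subdomain);
}

int main(void)
{
    /* Constructed sample values, as they appear in ldapsearch output. */
    struct { const char *name; int32_t gt; } samples[] = {
        { "global security (-2147483646)",       -2147483646 },
        { "domain local security (-2147483644)", -2147483644 },
        { "universal security (-2147483640)",    -2147483640 },
        { "universal distribution (8)",           8 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s from trusted domain: %s\n", samples[i].name,
               ad_group_needs_filter_ldap(samples[i].gt, true)
                   ? "filtered" : "mapped");
    }
    return 0;
}
```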