Hi List,
Man sssd-ldap says: " If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false. "
Why is usage of tokengroups not possible with Windows server 2008 or newer? Can someone clarify?
Thanks, Ondrej
On Fri, 18 Sep 2015, Ondrej Valousek wrote:
> Hi List,
> Man sssd-ldap says: " If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false. "
> Why is usage of tokengroups not possible with Windows server 2008 or newer? Can someone clarify?
That's not what it means. If you have tokengroups enabled, you get fully nested group handling as a result.
If you want to disable nested group handling, you have to disable both tokengroups and set ldap_group_nesting_level to 0.
jh
Nope, see the last sentence: "When connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false"
I understand it the way that if you have a newer DC, you need to disable tokengroups usage.
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: 18 September 2015 11:08
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Tokengroups usage
On Fri, 18 Sep 2015, Ondrej Valousek wrote:
> Nope, see the last sentence: "When connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false"
> I understand it the way that if you have a newer DC, you need to disable tokengroups usage.
*If* you want to disable nested group processing, then yes, you need to disable both.
jh
On Fri, Sep 18, 2015 at 10:13:42AM +0100, John Hodrien wrote:
> On Fri, 18 Sep 2015, Ondrej Valousek wrote:
> > Nope, see the last sentence: "When connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false"
> > I understand it the way that if you have a newer DC, you need to disable tokengroups usage.
> *If* you want to disable nested group processing, then yes, you need to disable both.
Correct. The reason is that the tokenGroups operation returns a list of SIDs the user is a member of, without us knowing which are direct memberships and which are indirect.
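To make the option interplay concrete, here is an added toy model (my own code, not SSSD's) of the two lookup strategies on a constructed directory: walking memberOf bounded by ldap_group_nesting_level, versus tokenGroups, which hands back the flattened transitive membership in one go so the nesting level has nothing to limit. The directory contents and the names MEMBERS, ALICE and sssd_group_lookup are invented for the illustration.

```python
# Constructed toy directory (not real AD data): group DN -> set of member DNs.
# alice is a direct member of oncall and vpn; oncall sits inside ops, ops inside admins.
MEMBERS = {
    "cn=admins,dc=example,dc=com": {"cn=ops,dc=example,dc=com"},
    "cn=ops,dc=example,dc=com": {"cn=oncall,dc=example,dc=com"},
    "cn=oncall,dc=example,dc=com": {"cn=alice,dc=example,dc=com"},
    "cn=vpn,dc=example,dc=com": {"cn=alice,dc=example,dc=com"},
}
ALICE = "cn=alice,dc=example,dc=com"


def direct_groups(dn):
    """Groups that list `dn` directly in member (what memberOf on `dn` would show)."""
    return {group for group, members in MEMBERS.items() if dn in members}


def groups_via_memberof(user_dn, nesting_level):
    """Climb memberOf one parent level per iteration, bounded by nesting_level.

    nesting_level 0 keeps only direct groups (the "no nested groups" case from the
    man page); each extra level adds one more layer of parent groups.
    """
    found = direct_groups(user_dn)
    frontier = set(found)
    for _ in range(nesting_level):
        parents = set()
        for group in frontier:
            parents |= direct_groups(group) - found
        if not parents:
            break  # reached the top of the hierarchy early
        found |= parents
        frontier = parents
    return found


def groups_via_tokengroups(user_dn):
    """Model of the tokenGroups attribute: the server computes the full transitive
    closure and returns it flat, so direct and indirect memberships are
    indistinguishable to the client (modelled here with DNs rather than SIDs)."""
    return groups_via_memberof(user_dn, nesting_level=len(MEMBERS))


def sssd_group_lookup(user_dn, ldap_use_tokengroups, ldap_group_nesting_level):
    """Hypothetical model of the option interplay described in sssd-ldap(5):
    with tokengroups on, the nesting level is never consulted."""
    if ldap_use_tokengroups:
        return groups_via_tokengroups(user_dn)
    return groups_via_memberof(user_dn, ldap_group_nesting_level)
```

Only the combination ldap_use_tokengroups = False with ldap_group_nesting_level = 0 yields alice's direct groups alone; leaving tokengroups on returns all four groups regardless of the nesting level.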
I understand the purpose of tokengroups. What I still do not understand is why I should be concerned about my domain controller OS version. Tokengroups should be working anyway right?
From the man page I see that if you have newer DC, you should disable this functionality (but why?????) O.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 18 September 2015 11:35
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Tokengroups usage
On Fri, Sep 18, 2015 at 09:38:19AM +0000, Ondrej Valousek wrote:
> I understand the purpose of tokengroups. What I still do not understand is why I should be concerned about my domain controller OS version. Tokengroups should be working anyway right?
We used to support them only with 2008+ DCs initially.
> From the man page I see that if you have newer DC, you should disable this functionality (but why?????)
Because with older DCs it wouldn't be used anyway. But we recently also started using TGs with 2003 DC but we forgot to update the manpage: https://git.fedorahosted.org/cgit/sssd.git/commit/?id=5c2f2023696d1ff79c3c5d...
Feel free to open a ticket so that we fix the manpage.
Ok, will do. O.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 18 September 2015 11:42
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Tokengroups usage