MAN: Add note about AD Group types

Linux admins/users may not know that the AD distribution group type is intended only for email. Per microsoft: Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs).
SSSD · Aug 29, 2022 · 6749df2 · 6749df2
1 parent c4a26eb
commit 6749df2
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
@@ -109,6 +109,21 @@ ldap_id_mapping = False
             case-insensitive in the AD provider for compatibility with Active
             Directory's LDAP implementation.
         </para>
+        <para>
+            SSSD only resolves Active Directory Security Groups. For more
+            information about AD group types see:
+            <ulink
+            url="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups">
+            Active Directory security groups</ulink>
+        </para>
+        <para>
+            SSSD filters out Domain Local groups from remote domains in the AD
+            forest. By default they are filtered out e.g. when following a
+            nested group hierarchy in remote domains because they are not valid
+            in the local domain. This behavior is dependent on the value for
+            the <quote>ad_allow_remote_domain_local_groups</quote> option
+            listed above.
+        </para>
     </refsect1>
 
     <refsect1 id='configuration-options'>