MAN: Add note about AD Group types #6263

Closed
15 changes: 15 additions & 0 deletions src/man/sssd-ad.5.xml
Expand Up @@ -109,6 +109,21 @@ ldap_id_mapping = False
case-insensitive in the AD provider for compatibility with Active
Directory's LDAP implementation.
</para>
<para>
SSSD only resolves Active Directory Security Groups. For more
information about AD group types see:
<ulink
url="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups">
Active Directory security groups</ulink>
</para>
<para>
SSSD filters out Domain Local groups from remote domains in the AD
forest. By default they are filtered out e.g. when following a
nested group hierarchy in remote domains because they are not valid
in the local domain. This is done to be in agreement with Active
Directory's group-membership assignment which can be seen in
the PAC of the Kerberos ticket of a user issued by Active Directory.
</para>
Contributor

Hi,

I think `Security-enabled` is not common Active Directory speak in this context. I would suggest something like `SSSD only resolves Active Directory Security Groups` (since Security Group is used in AD User and Computers in the user and group listing) or `SSSD only resolves Active Directory groups of group type "Security"` (since this is shown in the properties of a group). @abbra, do you agree or do you have other suggestions?

We already have a reference to MSFT documentation in the sssd-ad man page, so I think it might be worth adding https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups here as well.

bye,
Sumit

Contributor

I'd prefer Security Groups but you need to add more details around 'Domain-Local' scope, I think. It becomes a bit complex to explain ;)

Contributor

Hi,

thanks, adding some info about how domain-local groups are handled is a good idea. @justin-stephenson, can you add it or do you need more context?

bye,
Sumit

Contributor Author

There is mention of how SSSD handles domain local groups in the option description for ad_allow_remote_domain_local_groups. Is it enough or should it be mentioned in this part as well?

Contributor

Hi,

I would copy the content into this part as well.

bye,
Sumit

Contributor Author

Updated, please check. Thank you.

</refsect1>

<refsect1 id='configuration-options'>
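
Review bot: The second added <para> says Domain Local groups from remote domains are filtered out "By default" but never names the setting that changes that default, so a reader of this section cannot tell how the behaviour is overridden. The discussion on this change points to the option description for ad_allow_remote_domain_local_groups; naming that option in the paragraph, or pointing to its description, would close the gap. The same paragraph states the filtering twice ("SSSD filters out ..." followed by "By default they are filtered out"), which could be merged into one sentence, and the first added <para> ends at </ulink> with no closing period.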