[FR] [Kerberos] [Linux] Add SID Claims under Linux when using kerberos auth.

[filimonic]

ActiveDirectory (Windows) specific claims should be added when using Negotiate Kerberos auth under Linux implementation.

primarysid
primarygroupsid
groupsid
denyonlysid

Under Linux, claims described above are currently received using LDAP.
Kerberos has mechanisms to avoid any additional queries to get group SIDs and user SIDs.
However, currently under Linux the only claim receivced without using LDAP is name claim.

[blowdart]

Linking these two together for Jun to investigate #32037

Thanks for contacting us.

We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[gozhang2]

+1 on this request, I am using the Negotiate library in a linux setup as well but by default there is only the name claim available, we have to make additional LDAP query to get the primarysid claim.

BTW can you please share how the name claim is formed? Based on my experiment it is <sAMAccountName>@<domain>, is this correct?

Your help is much appreciated!

[JunTaoLuo]

Yes that is the format we expect for name.

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.