Warning
This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.
Note well: this is at the spitballing stage, so it can all get shot down.
AccountsService takeover
What we’re suggesting as the point of focus for integration is to have SSSD provide a superset of the org.freedesktop.Accounts D-Bus API.
None
The current API offers:
Creation/removal of user accounts.
Enumeration of user accounts which are known to the service.
Currently this resolves to a subset of the local system’s accounts.
Signals broadcast when a user account is added/removed/modified.
Ability to mark the user user account as a “Standard” user or an “Administrator”.
Under the covers, the user is added to or removed from the wheel group, but UID=0 is always considered to be an administrator.
Ability to lock or unlock the user’s account and query its lock status.
Ability to check, set, or reset that the user must change password at next login.
Password can be changed to a new hashed value, as returned by crypt(3) or it can be removed, after which no password is required for login.
Attributes exposed via specific get/set methods and the properties interface:
login name
full name
email
preferred locale
preferred X session name
physical location
home directory pathname
login shell
login frequency
icon/thumbnail filename
the contents of this file are copied to /var/lib/AccountsService/icons/$user
autologin
password hint
None
Local users live in the SSSD local provider’s domain, full creation/removal support.
Local groups are now exposed and managed.
Groups can contain users and other groups.
Enumeration of users defaults to returning those known to the local domain and all identities from other domains that are in SSSD’s cache.
Signals broadcast when a user account or group is added to the local domain’s database, or an entry is added to SSSD’s cache for any other domains. Likewise, signals emitted when knowledge of a user or group is updated or removed from either location.
Local users can be marked as Standard or Administrator accounts, and this information can be retrieved.
[STRIKEOUT:This will add or remove the user from the local wheel group. Some POSIX applications may be confused by this.]
[STRIKEOUT:Users from other domains may also be added or removed from the local wheel group.]
Local user accounts can be locked or unlocked, and their account lock status can be checked.
Local user accounts can have their account flagged to require a password change at the next login.
When the user is part of a non-local domain, this may be known up-front, or it may be discovered as a side-effect of performing an authentication attempt.
Local user accounts can have their password changed to a new clear or hashed value, or removed.
User accounts in non-local domains can have their password changed to a new clear value if the old value is also provided.
Local user accounts have their attributes stored in the database as entry attributes along with the already-kept POSIX attributes, and can be modified.
For user accounts in non-local domains, if an attribute is configured to be writable, its value is fetched from the identity provider only if there is no value for it, for the user, already present in the cache. Because SSSD does not know how to push updated information to identity providers, if the attribute is writable, only the cached value is updated.
API additions useful to non-desktop cases
Some of these look like reasonable extensions to the existing D-Bus APIs, others won’t.
A new method for obtaining a list of SSSD’s domains.
The answer can depend on who’s asking, as reported by the bus.
New methods for creating and deleting local groups, and for adding or removing a local user or group from the list of a local group’s members.
A new method for enumerating the groups known to the local domain and any identities from other domains that are in SSSD’s cache.
[STRIKEOUT:A variation on this method] [STRIKEOUT:An optional argument for this method] A variation on this method which narrows the scope to a specified domain.
[STRIKEOUT:A variation on] [STRIKEOUT:An optional argument for the] An additional user enumeration method which narrows the scope to a specified domain.
A new method for performing authentication checks.
Conceptually similar to the application’s part of a PAM conversation, but explicitly includes the concept of an authentication domain and enough context to tell if we’re asking for a password, an OTP, a smart card PIN, etc.
Can be multi-step.
RHEV-M would likely use this instead of nsswitch+PAM because its users wouldn’t be (and wouldn’t need to be) complete POSIX users.
A user’s secondary identities, if serviced by a mechanism that SSSD can/will/does support, can also be authenticated here, though it would generally only be useful to do so if authentication provided some sort of SSO credential for SSSD to manage on the user’s behalf.
A new method for performing password changes.
[STRIKEOUT:As above, conceptually similar to the application’s part of a PAM conversation, again including the concept of an authentication domain.]
[STRIKEOUT:Add a flag to the existing password change method to indicate that an unhashed password is being provided, and allow password change to fail if the flag is not set.]
Calling signature is similar to the authentication API, except that the caller is told when it will be supplying the new password.
A new method for obtaining a list of groups to which a user belongs. These wouldn’t necessarily be POSIX groups, as the accounts service is uninterested in groups in the general case (the main exception being that it maps Administatorness to membership in the wheel group), but they’d be whatever the domain considered to be groups.
A new method or three for determining which users are in a group, which groups are in a group, and which users are in a group by way of being in other groups.
A new signal broadcast when a user’s password or equivalent is about to expire, along with how much time is left, if we can know that.
Would need something running in the user’s session to catch them and offer to initiate a password change via the above password-changing method. Not provided by SSSD.
A new signal broadcast when a user’s SSO credentials (e.g. Kerberos TGT) are about to expire.
Would need something running in the user’s session to catch them and offer to reinitialize them by calling the above authentication method. Not provided by SSSD.
A new signal broadcast when a user’s SSO credentials are reinitialized.
Would want something running in the user’s session to catch them and rescind offers to reinitialize them that aren’t in-progress. Not provided by SSSD.
The ability to fetch and manage more string attributes than the current accountsService API offers.
This may just take the form of more properties, perhaps without friendly get/set methods, particularly if
The set would be configured in SSSD on a per-domain basis.
Breaking It Down To The API Level
We’re talking about providing a superset of the D-Bus API currently offered by the accountsservice package.
The APIs themselves are advertised to clients via D-Bus introspection, so they can be browsed using tools such as d-feet, and what follows is heavily based on that information and the introspection information included with the package.
The very, very, very short D-Bus Primer
The D-Bus service model is a tree of objects. Each object has a path name (an object path) which resembles a filesystem path, and can both emit broadcast notifications referred to as signals and provide callable functions referred to as method calls, as well as possessing data members called properties. When a process connects to a bus, it is given a connection-specific name (typically of the form “:1.121”) which is used to route replies back to it. A process which intends to offer services typically also registers a name (of a form such as “org.freedesktop.Accounts”) which clients can use to specify the destination for method calls that they intend to make use of. The names of methods can be namespaced using interface names, but in many cases, unless necessary for disambiguation, they are optional.
The Singleton Management Object
The accountsservice package currently provides a service which can be reached using the name org.freedesktop.Accounts, which provides one singleton object of note: /org/freedesktop/Accounts, which provides five methods, two signals, and one property, all as part of an interface named org.freedesktop.Accounts. Methods and properties that we add that are specific to SSSD should grouped as part of an SSSD-specific interface name.
method CreateUser(String name, String fullname, Int accountType)
name: the user’s login name
fullname: the user’s real name
accountType: an enumerated value which flags the account as a Standard or Administrator account
returns: Path user: the path for the user’s object
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Creates a user with a given name in the default local provider domain. Note that the UID is not specified by the caller, as it is allocated by the provider. The caller can retrieve it from the user’s entry if the call succeeds. The meaning of account types is not specified, but in the current implementation the difference between a Standard user and an Administrator is whether or not the user is a member of the wheel group.
ADD method CreateUserInDomain(String domain, String name, String fullname, Int accountType)
domain: the domain in which the caller wants the account to be created, can be left empty or unspecified to implicitly select the default local provider domain, to which the caller must already be allowed access
name: the user’s login name
fullname: the user’s real name
accountType: an enumerated value which flags the account as a Standard or Administrator account
returns: Path user: the path for the user’s object
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Creates a user with a given name. Note that the UID is not specified by the caller, as it is allocated by the provider. The caller can retrieve it from the user’s entry if the call succeeds. The meaning of account types is not specified, but in the current implementation the difference between a Standard user and an Administrator is whether or not the user is a member of the wheel group.
method DeleteUser(Int64 user, Boolean removeFiles)
user: the user ID of the user to be removed
removeFiles: whether or not to remove the user’s home directory
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Deletes the user with the given UID.
ADD method DeleteUserInDomain(String domain, Int64 user, Boolean removeFiles)
domain: the domain to which the user belongs
user: the user ID of the user to be removed
removeFiles: whether or not to remove the user’s home directory
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Deletes the user with the given UID if a matching user exists in the named domain.
method FindUserById(Int64 id)
id: the user’s UID
returns: Path user: the path for the user’s object. All configured domains are searched.
Error org.freedesktop.Accounts.Error.Failed: no such user exists
ADD method FindUserByIdInDomain(String domain, Int64 id)
id: the user’s UID
domain: the name of the domain to search
returns: Path user: the path for the user’s object, if a matching user exists in the domain.
Error org.freedesktop.Accounts.Error.Failed: no such user exists
method FindUserByName(String name)
name: the user’s login name
returns: Path user: the path for the user’s object. The search is performed over all configured domains.
Error org.freedesktop.Accounts.Error.Failed: no such user exists
ADD method FindUserByNameInDomain(String domain, String name)
domain: the name of the domain to search
name: the user’s login name
returns: Path user: the path for the user’s object
Error org.freedesktop.Accounts.Error.Failed: no such user exists
method ListCachedUsers()
returns: users: an array of paths for the user objects
Returns a subset of the users who exist, typically those who have logged in recently, for populating chooser lists such as those used by GDM’s greeter.
Currently the accountsservice process scans /etc/passwd for users, filters out those with UID values which are below a threshold point to screen out system users, and sorts the rest by the number of times the users in question appear in /var/log/wtmp. Above a certain length, it’s expected that the caller will disregard the list and present only an entry field. The entry field always needs to be available because we know that some results may be missing from this list.
ADD method ListDomainUsers(String domain)
domain: the domain name in which the caller is interested
returns: users: an array of paths for all known user objects
Returns all of the objects for users about which SSSD is aware. This may be a very large list, particularly if enumeration is enabled for the domain.
signal UserAdded(Path user)
path: the path for the user’s object
MODIFY this signal is emitted when a user is created or appears in the cache for a remote domain
signal UserDeleted(Path user)
path: the path for the user’s object
MODIFY this signal is emitted when a user is deleted or disappears from the cache for a remote domain, though the latter is not expected to happen often
property String DaemonVersion
The version of the running daemon.
ADD method CreateGroup(String name)
name: the group’s name
returns: Path group: the path for the new group object
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Creates a group with the given name in the default local provider domain. As with users, the GID is allocated by the provider, and the caller can retrieve it from the group’s entry if the call succeeds.
ADD method CreateGroupInDomain(String domain, String name)
domain: the domain name in which the caller wants the group to be created
name: the group’s name
returns: Path group: the path for the new group object
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Creates a group with the given name in the given domain. As with users, the GID is allocated by the provider, and the caller can retrieve it from the group’s entry if the call succeeds.
ADD method DeleteGroup(Int group)
group: the group ID of the group to be removed
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Deletes the group with the given GID.
ADD method DeleteGroupInDomain(String domain, Int group)
domain: the name of the domain to which the group belongs
group: the group ID of the group to be removed
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Deletes the group with the given GID.
ADD method ListCachedGroups()
returns: groups: a subset of the known group objects
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
ADD method ListDomainGroups(String domain)
domain: the domain name in which the caller is interested
returns: groups: an array of paths for the group objects representing all of the groups of which SSSD is aware in the named domain
ADD method FindGroupById(Int64 id)
id: the group’s GID
returns: Path group: the path for the group object
Error org.freedesktop.Accounts.Error.Failed: no such group exists
ADD method FindGroupByIdInDomain(String domain, Int64 id)
id: the group’s GID
domain: the group’s domain name
returns: Path group: the path for the group object
Error org.freedesktop.Accounts.Error.Failed: no such group exists
ADD method FindGroupByName(String name)
name: the group’s name
returns: Path group: the path for the group object
Error org.freedesktop.Accounts.Error.Failed: no such group exists
ADD method FindGroupByNameInDomain(String domain, String name)
name: the group’s name
domain: the group’s domain name.
returns: Path group: the path for the group object
Error org.freedesktop.Accounts.Error.Failed: no such group exists
ADD signal GroupAdded(Path group)
path: the path for the group’s object
this signal is emitted when a group is created or appears in the cache for a remote domain
ADD signal GroupDeleted(Path group)
path: the path for the group’s object
this signal is emitted when a group is deleted or disappears from the cache for a remote domain, though the latter is not expected to happen often
ADD method ListDomains()
returns: domains: a list of domain name strings
User Objects
Users are represented by objects as well. The object path name used for an object need not contain any identifying information about the user, so no assumptions should be made about it. That all said, a typical user object path is currently /org/freedesktop/Accounts/User500.
User objects typically provide several properties, methods for setting the properties which can be written to, and one signal, all grouped as part of the org.fredesktop.Accounts.User interface:
property Boolean AutomaticLogin, method SetAutomaticLogin(Boolean enabled)
Whether the user should be logged in automatically at boot.
property Boolean Locked, method SetLocked(Boolean locked)
Whether the user’s account is locked.
property Int AccountType, method SetAccountType(Int type)
The type of the account. 0 is a Standard user, while 1 indicates an Administrator.
property Int PasswordMode, method SetPasswordMode(Int mode)
Password flags. 0 is normal, 1 indicates that the password must be changed at next login, and 2 indicates that no password is necessary.
property Boolean SystemAccount
Whether or not the account is a system account, such as adm. System accounts aren’t returned by ListCachedUsers and should generally be ignored.
property String Email, method SetEmail(String email)
The user’s email address.
property String HomeDirectory, method SetHomeDirectory(String homedir)
The user’s home directory. If changed, the user’s files are moved.
property String IconFile, method SetIconFile(String path)
The user’s icon file. Its contents are copied from the specified location to a location managed by the service, and when the value is read, the location of the service’s copy is returned.
property String Language, method SetLanguage(String locale)
The user’s preferred language.
property String Location, method SetLocation(String where)
The user’s location, as a free-form string.
property String RealName, method SetRealName(String fullname)
The user’s real, full name.
property String Shell, method SetShell(String path)
The user’s login shell.
property String UserName, method SetUserName(String name)
The user’s login name.
property String XSession, method SetXSession(String session)
The user’s preferred graphical session, e.g. gnome-fallback.
property Int64 Uid
The user’s UID. Note that it is read-only.
MODIFY this is allowed to not be set.
property Int64 LoginFrequency
The user’s login frequency. Currently this is the number of times the user appears in lastlog (or maybe utmp).
property String PasswordHint
The user’s password hint.
ADD property String Domain
The user’s domain.
ADD property Int CredentialLifetime
The number of seconds left before the user’s credentials expire, if the service is managing and monitoring some on the user’s behalf.
method SetPassword(String crypted, String hint)
Resets the password mode to normal.
Unlocks the account.
Currently takes a crypt string as a parameter.
ADD Error org.fedorahosted.SSSD.Error.PasswordMustBePlaintext: this user’s password must be set as plaintext by calling SetAuthenticator.
ADD method FindGroups(Boolean direct, Boolean indirect)
direct: return groups which explicitly list the user as a member
indirect: return groups which have the user as a member by virtue of having, as a member, a group which lists the user as a member
returns: groups: an array of paths for the matched group objects
signal Changed()
Emitted when the user’s properties change.
Any attempt to change a property value can result in these errors:
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
ADD method Authenticate((Array of Bytes) handle, (Array of String) types, (Array of Struct(Int, Array of Variant)) responses)
(Array of Bytes) handle: opaque handle returned by a previous call to Authenticate(), an empty array or a previously-obtained info.session value on the first call
(Array of String) types: a list of enumerated types of information which the caller can supply (see below)
(Array of Struct(Int id, (Array of Variant) data)) responses: array of responses to request for information returned by a previous call to Authenticate()
id: an identifier specific to this request which identifiers information being provided in response to a particular item from a request
data: the information being provided in response to a particular item requested by a previous call to Authenticate()
returns (Array of Bytes) handle: an opaque handle used to track an ongoing authentication request
returns Boolean more: true if more information is needed; false if authentication has succeeded (N.B.: failure is indicated by a D-Bus-level error)
returns Int timer: amount of time the service is willing to wait for answers to its requests for information, in seconds
returns (Array of Struct(Int id, String type, Variant prompt, Boolean sensitive, Signature format)) requests: information and requests for information
id: an identifier specific to this request which should be used to identify the corresponding response when it is later provided
type: a label which attempts to catalogue the various kinds of information which may be provided or requested
info.user: user object (prompt is a Path), no input requested (format is ignored)
info.text: user visible feedback (prompt is a String), no input requested (format is ignored)
input.text: interactively-obtained string (prompt is a String, format=String)
the service attempts to use this as infrequently as possible
input.boolean: interactively-obtained boolean (prompt is a String, format=Boolean)
the service attempts to use this as infrequently as possible
input.password: current password (prompt is a String, format=String)
input.new-password: new password value (prompt is a String, format=String)
input.otp: current OTP value (prompt is a String, format=String)
input.otp-secret: new OTP secret (prompt is a String, format=Array of Byte)
input.otp-next: next OTP value (prompt is a String, format=String)
input.otp-new: new OTP value (prompt is a String, format=String)
authz-data. …: authorization data returned on success, the portion of the name after authz-data. is namespaced either as an OID in text form or as a reversed domain name (resembling a D-Bus interface name)
info.cacheable: an indicator that the calling application is willing to accept results based on non-live (i.e. cached) data
info.session: a handle for any SSO credentials obtained during authentication (prompt is an Array of Bytes), returned only when authentication succeeds, no input requested; if the caller doesn’t specify that it can accept a handle, any SSO credentials which are obtained as a side-effect of the authentication process (think: Kerberos TGTs) are discarded; if the caller receives a session handle, it accepts responsibility for eventually cleaning it up
…
prompt: as indicated by and appropriate for type
When an (Array of Byte) is expected, the prompt is usually empty or an (Array of Byte) and the application is expected to respond as indicated based only on type.
sensitive: if the user is supplying the value, if the value is sensitive information.
For example, passwords are often considered to be sensitive.
format: the D-Bus type of the data which should be returned
usually Boolean, Int64, String, or Array of Byte
The overlap between input.text and various other input types is intentional, as it should allow applications and the service to share contextual information in cases where both support it, and to still be able to function (though at a less convenient level, programmatically) when one or the other is ignorant of the specifics of a particular authentication exchange. If a password is needed, for example, applications which advertise that they can provide both input.text and input.password will be prompted specifically for the password, while applications which only claim to be able to handle input.text will be prompted via that means. Hopefully this will provide some level of compatibility, even if it is less than ideal, as input types are added.
As a rule, multiple requests for input.text type should not be assumed to be multiple requests for the same information, and input.text values should not be considered appropriate for being cached.
The input type mechanism is notionally related to Kerberos preauthentication and authorization data, particularly in that some requests are merely informational, and attempts to provide a groundwork for eventually passing through binary methods such as GSSAPI.
ADD method CancelAuthentication((Array of Bytes) handle)
(Array of Bytes) handle: opaque handle returned by a previous call to Authenticate()
ADD method ClearSession((Array of Bytes) handle)
(Array of Bytes) handle: opaque info.session value returned by a previous call to Authenticate()
Cleans up any resources being used to maintain the session’s credentials
ADD method SelectSession((Array of Bytes) handle, (Array of String) types)
(Array of Bytes) handle: opaque info.session value returned by a previous call to Authenticate()
(Array of String) types: a list of types of returned information which the caller is able to usefully consume
returns (Array of Struct(String type, Variant value)) info: information which the caller will need
Makes previously-obtained SSO credentials available for use by the caller. When using Kerberos, the returned array includes an environment value of type Array of String, one of which is a KRB5CCNAME value which will be valid until the next time either SelectSession or ClearSession is called, or the SessionCleared signal is emitted. At this time, the only SSO credentials which SSSD “knows” how to obtain are Kerberos credentials, so the returned array will typically only contain an environment member, but this may grow to include other data items as additional authentication providers are added to SSSD.
ADD method SetAuthenticator((Array of Bytes) handle, (Array of String) types, (Array of Struct(Int, Array of Bytes)) responses)
Same calling setup as Authenticate.
ADD signal AuthenticationOperationSucceeded((Array of Bytes) handle)
Emitted when authentication or authenticator change succeeds.
ADD signal AuthenticationOperationFailed((Array of Bytes) handle)
Emitted when authentication or authenticator change fails.
ADD signal AuthenticationOperationCanceled((Array of Bytes) handle)
Emitted when authentication or authenticator change is canceled or times out.
ADD signal SessionExpiring((Array of Bytes) session, Int soon)
Emitted when the user’s SSO credentials will soon need to be refreshed, if the service is hanging on to and monitoring some on the user’s behalf.
(Array of Bytes) session: opaque info.session value returned by a previous call to Authenticate()
Int soon: the amount of time left, in seconds, before the credentials expire.
ADD signal SessionCleared(Array of Bytes) session)
(Array of Bytes) session: opaque info.session value returned by a previous call to Authenticate()
Emitted when the user’s credentials are either explicitly cleared or expire.
ADD signal SessionRefreshed((Array of Bytes) session)
(Array of Bytes) session: opaque info.session value returned by a previous call to Authenticate()
Emitted when the user’s credentials are refreshed, if the service is managing and monitoring some on the user’s behalf.
Group Objects (All New)
Going forward, groups, which were previously not exposed via this API, will also be represented by objects. The object path name used for an object need not contain any identifying information about the group, so no assumptions should be made about it. That all said, a typical group object path will be /org/freedesktop/Accounts/Domain2/Group500.
Group objects will typically need to provide a few properties, methods for setting the properties which can be written to, and one signal, all grouped as part of the org.fredesktop.Accounts.Group, or more likely an SSSD-specific, interface:
ADD property Boolean SystemGroup
Whether or not the account is a system group, such as adm. System groups aren’t returned by ListCachedGroups and should generally be ignored.
ADD property String IconFile, method SetIconFile(String path)
The group’s icon file. Its contents are copied from the specified location to a location managed by the service, and when the value is read, the location of the service’s copy is returned.
ADD property String GroupName, method SetGroupName(String name)
The group’s name.
ADD property Int64 Gid
The group’s GID. This is read-only, optional, and is allowed to not be set.
ADD signal Changed()
Emitted when the group’s properties change.
ADD property String Domain
The group’s domain.
ADD property (array of Paths) Users
An list of the group’s member user objects.
ADD property (array of Paths) Groups
An list of the group’s member group objects.
ADD method AddUser(Path user)
user: the object path of the user to add to the group’s list of users
If the user’s domain and the group’s domain are different, this is allowed to fail.
ADD method RemoveUser(Path user)
user: the object path of the user to remove from the group’s list of users
ADD method AddGroup(Path group)
group: the object path of the group to add to the group’s list of groups
If the groups are not in the same domain, this is allowed to fail.
If the domain does not support groups being members of groups, this will fail.
ADD method RemoveGroup(Path group)
group: the object path of the group to remove from the group’s list of groups
Any attempt to change a property value or alter membership can result in these errors:
Error org.freedesktop.Accounts.Error.PermissionDenied: caller lacks appropriate PolicyKit authorization
Error org.freedesktop.Accounts.Error.Failed: generic operation failure
Deficiencies
No indication of primary group [mvo] (Current assumption: primary groups are not exposed.)
What are the semantics of system groups [mvo] (Current assumption: there is no concept of system groups.)
What are the semantics of cached groups [stefw]
Why are domains not first class DBus objects [stefw]
Does the local domain have a special value/identifier/path? [mvo] (Current assumption: empty string, but there is also LocalGroup, similar to LocalUser.)
We should have FindGroups also on Group objects. [mvo]
‘direct’ argument to FindGroups seems unmotivated. [mvo]