@@ -37,7 +37,7 @@
interactive, remote interactive) and consisting of a whitelist [and
blacklist] of users and groups that are allowed [or denied] access to
the computer using the set's logon method. In order to integrate Windows
- Logon Rights into a Linux environment, we allow pam service names to be
+ Logon Rights into a GNU/Linux environment, we allow pam service names to be
mapped to a specific Logon Right. We provide default mappings for all of
the commonly used pam service names, but we also allow the admin to
add/remove mappings as needed (to support custom pam service names, for
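Review bot: the Linux -> GNU/Linux rename at `+ Logon Rights into a GNU/Linux environment` is a different kind of edit from the gpo -> GPO capitalization fix that the rest of this patch makes, and would be easier to review (and to revert on its own) as a separate commit; if the goal is consistent capitalization, `pam service names` in the same paragraph would become `PAM service names` by the same rule.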
@@ -108,11 +108,11 @@
that contain the "Security Settings" CSE, which it feeds, one by one,
to the SMB/CIFS Engine
- SMB/CIFS Engine: makes blocking libsmbclient calls to retrieve each
- GPO's GPT.INI and GptTmpl.inf files, and stores the files in the gpo
+ GPO's GPT.INI and GptTmpl.inf files, and stores the files in the GPO
cache (/var/lib/sss/gpo\_cache), from which the GPO Enforcement
Engine will retrieve them
- GPO Enforcement Engine: enforces GPO-based access control by
- retrieving each GPO's policy file (GptTmpl.inf) from the gpo cache,
+ retrieving each GPO's policy file (GptTmpl.inf) from the GPO cache,
parsing it, and making an access control decision by comparing the
user/groups against the whitelist/blacklist of the Logon Right of
interest (which is based on the pam service name)
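Review bot: the literal directory name `/var/lib/sss/gpo\_cache` on the unchanged line after `+ GPO's GPT.INI and GptTmpl.inf files, and stores the files in the GPO` correctly keeps its lowercase spelling, but a mass gpo -> GPO substitution is exactly the kind of edit that could touch it; consider setting path literals and option names in fixed-width markup so they are visibly distinct from the prose term "GPO cache" and survive the next such pass.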
@@ -135,7 +135,7 @@
can be set to "disabled" (neither evaluated nor enforced), "enforcing"
(evaluated and enforced), or "permissive" (evaluated, but not
enforced).The "permissive" value is the default, primarily to facilitate
- a smooth transition for administrators; it evalutes the gpo-based access
+ a smooth transition for administrators; it evaluates the GPO-based access
control rules and outputs a syslog message if access would have been
denied. By examining the logs, administrators can then make the
necessary changes before setting the mode to "enforcing".
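Review bot: the unchanged line `enforced).The "permissive" value is the default, primarily to facilitate` is missing a space after the period; since this paragraph is already being touched for the evalutes -> evaluates fix, that typo belongs in the same commit.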
@@ -186,7 +186,7 @@
there is no cached version)

- Retrieves the policy file corresponding to the GPO
- (GptTmpl.inf) and saves it to the gpo cache
+ (GptTmpl.inf) and saves it to the GPO cache
(/var/lib/sss/gpo\_cache)
- Returns the fresh version to the backend, which stores it in
the cache
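Review bot: right after `+ (GptTmpl.inf) and saves it to the GPO cache` the next bullet, `Returns the fresh version to the backend, which stores it in the cache`, refers to a second cache without naming it, so the reader now sees "GPO cache" (the file store under /var/lib/sss/gpo\_cache) and "the cache" (presumably the sysdb entry cache) side by side; say which cache the backend stores into, so the newly capitalized term does not read as if it covered both.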
@@ -201,7 +201,7 @@
- For each GPO

- Retrieves GPO's corresponding policy file (i.e. GptTmpl.inf)
- file from gpo cache
+ file from GPO cache
- Parses policy file, extracting entries corresponding to the
Logon Right of interest (determined by the pam service name)
- Enforces access control policy settings
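Review bot: the item ending in `+ file from GPO cache` still reads `Retrieves GPO's corresponding policy file (i.e. GptTmpl.inf) file from GPO cache` once the two lines are joined, with "file" twice; drop the second "file" and write "from the GPO cache" to match the wording this patch uses in the -108 hunk.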
@@ -247,9 +247,9 @@
implementation, we should keep in mind that user-based GPOs could have a
different refresh interval. As such, we would need to add a new
configuration option ("computer\_gpo\_refresh\_interval") to the
- existing AD access provider that would specify the gpo retrieval refresh
+ existing AD access provider that would specify the GPO retrieval refresh
interval in seconds. This would specify the period to use in the
- periodic task API to determine how often to call the gpo retrieval code.
+ periodic task API to determine how often to call the GPO retrieval code.
By default, Microsoft sets this value to 90 minutes. It is an open issue
as to whether we want to support the random offset interval or the
ability to disable refresh altogether.
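Review bot: both `+ ... specify the GPO retrieval refresh` and `+ ... call the GPO retrieval code` capitalize the prose term while the option name `computer\_gpo\_refresh\_interval` on the unchanged line above correctly stays lowercase; a one-line convention in the document that option names are never capitalized would keep the next mass substitution off them. Separately, the open question here about the random offset interval and disabling refresh overlaps the "which of the refresh configuration options should we implement" item in the open-issues section of this same patch (-298 hunk); cross-reference or merge the two so the decision is recorded once.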
@@ -279,7 +279,7 @@
retrieval takes place when returning to online mode from offline
mode. This really depends on what we decide about the first two
retrieval times above. If we aren't doing periodic refresh, and are
- only retrieving gpo's at login time, then an online callback might
+ only retrieving GPOs at login time, then an online callback might
not be needed. If we are doing periodic refresh, then we can set the
"offline" parameter of be\_ptask\_create(...) to DISABLE (which means
the task is disabled immediately when back end goes offline and then
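Review bot: `+ only retrieving GPOs at login time` correctly replaces the apostrophe plural, but the unchanged line `the task is disabled immediately when back end goes offline and then` is missing an article ("when the back end goes offline") and spells "back end" as two words where the -186 hunk writes "backend"; pick one spelling for the document.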
@@ -298,7 +298,7 @@
do here? If we wanted to log out the user, do we have an existing
mechanism to do this?

- If we implement gpo refresh, which of the refresh configuration options
+ If we implement GPO refresh, which of the refresh configuration options
should we implement and how?

- sssd configuration options
@@ -311,16 +311,16 @@
- disable\_gpo\_refresh (default false)? Presumably, this would be
done so that performance would not be adversely affected during
the logon session. Alternatively, we could tell admins that wanted
- to disable gpo refresh to set the
+ to disable GPO refresh to set the
entry\_cache\_computer\_gpo\_timeout to zero (0), although this
would not be how Microsoft interprets a zero value. Does sssd
interpret '0' as "disable" elsewhere?

- - gpo refresh interval GPO
+ - GPO refresh interval GPO

- if we didn't want to clutter sssd's configuration namespace, we
could just use the standard Microsoft GPO that allows an admin to
- specify the aforementioend refresh intervals (and distribute a
+ specify the aforementioned refresh intervals (and distribute a
consistent configuration to a set of computers)

Options
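Review bot: `+ - GPO refresh interval GPO` is harder to parse now that both words are capitalized (it means the Group Policy Object that carries the refresh-interval setting); "refresh-interval GPO" or "the GPO that sets the refresh interval" would read better, and the same construction recurs as "GPO refresh GPO" in the Options list of the -357 hunk. The option names `disable\_gpo\_refresh` and `entry\_cache\_computer\_gpo\_timeout` on the unchanged lines correctly keep their lowercase spelling; the open question on those lines, whether sssd already treats '0' as "disable" elsewhere, should be settled before the zero value is documented with that meaning, since the text notes it differs from Microsoft's interpretation.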
@@ -357,7 +357,7 @@
- suffers performance hit at initial startup and then periodically
- policy data likely to be stale
- requires implementation of periodic refresh, including refresh
- configuration (for which we should probably use gpo refresh GPO)
+ configuration (for which we should probably use GPO refresh GPO)

Recommendation
--------------
@@ -459,7 +459,7 @@

- Test ad\_gpo\_cache\_timeout config option

- - perform standard test with a sysdb cache with no gpo entries (or a
+ - perform standard test with a sysdb cache with no GPO entries (or a
clean sysdb cache)
- make a change to a GPO policy setting so that the
sysvol\_gpt\_version is incremented
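Review bot: the test for `ad\_gpo\_cache\_timeout` lists setup steps (`+ - perform standard test with a sysdb cache with no GPO entries`, then change a policy setting so `sysvol\_gpt\_version` is incremented) but no expected result, so it cannot fail; state what should be observed, for example that the changed GptTmpl.inf is not re-fetched while the timeout has not expired and is fetched on the first check after it. Also, the option is named `ad\_gpo\_cache\_timeout` here, `entry\_cache\_computer\_gpo\_timeout` in the -311 hunk and `computer\_gpo\_refresh\_interval` in the -247 hunk; align the option names across the document before they are implemented.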
I am not sure about this one. Maybe it was caused by mass conversion with sed :-) "GNU/Linux MIT based KDC" sounds weird to me.