GPO: Group policy access evaluation not in line with [MS-ADTS]

The implemented security ACE evaluation algorithm is too strict and does not
meet Microsoft technical specifications:

Security access rights for a group policy object may be split into several
access control entries (ACEs). The implemented algorithm does not consider
this and denies access to GPOs where the "ApplyGroupPolicy" (AGP) ACE is
preceded by a standard access rights ACE. The algorithm also denies
access if the AGP ACE is preceded by other extended object ACEs.

Update security access right evaluation algorithms to be in line with the
applicable Microsoft technical specifications:
- Add a simple evaluation algorithm to check standard access rights for the
  complete GPO ([MS-ADTS] 5.1.3.3.2 and [MS-GPOD] 2.4): the requester must
  have been granted read access (RIGHT_DS_READ_PROPERTY) to the properties
  of the GPO.
- Fix the "ApplyGroupPolicy" evaluation algorithm to be in line with
  [MS-ADTS] 5.1.3.3.4.

Further improve debug messages during security filtering for administrators
to figure out why access to a GPO was denied:
- Inform administrators when a GPO with applicable AGP access right has not
  been evaluated due to missing or denied read access.
- Show the trustee's SID that specifies the particular user or group for
  which GPO access has been denied.
- Align message content with Microsoft tools like Gpresult.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth@gmail.com>
Signed-off-by: Thomas Reim <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
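As an added illustration of the two evaluation rules the commit describes (a model written for this page, not SSSD's code), the Python below walks a constructed GPO DACL in which the ApplyGroupPolicy grant is preceded by a deny ACE, a standard-rights ACE and an object ACE for another extended right, and contrasts the per-right, spec-style walk with the "first ACE for the trustee decides" behaviour the commit fixes. The placeholder GUID, the constructed group SID and the simplification that whole-GPO read access is taken only from non-object ACEs are assumptions.

```python
from collections import namedtuple

RIGHT_DS_READ_PROPERTY = 0x10     # [MS-ADTS] access-mask bit
RIGHT_DS_CONTROL_ACCESS = 0x100   # [MS-ADTS] access-mask bit
AGP_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # Apply-Group-Policy extended right

# allow: ACCESS_ALLOWED_* (True) or ACCESS_DENIED_* (False); trustee: SID the ACE applies to;
# mask: access mask; object_type: ObjectType GUID, present only on *_OBJECT_ACE types.
Ace = namedtuple("Ace", "allow trustee mask object_type", defaults=(None,))

# Constructed GPO DACL in canonical order: the AGP grant for Authenticated Users (S-1-5-11) sits
# behind a deny for a constructed group SID, a standard-rights ACE and another extended right.
SAMPLE_DACL = [
    Ace(False, "S-1-5-21-1-2-3-1105", RIGHT_DS_CONTROL_ACCESS, AGP_GUID),
    Ace(True, "S-1-5-11", RIGHT_DS_READ_PROPERTY),
    Ace(True, "S-1-5-11", RIGHT_DS_CONTROL_ACCESS, "00000000-0000-0000-0000-000000000000"),  # placeholder GUID
    Ace(True, "S-1-5-11", RIGHT_DS_CONTROL_ACCESS, AGP_GUID),
]

def _first_match(dacl, token_sids, relevant):
    """The first ACE for a token SID that is relevant to the requested right decides; others are skipped."""
    for ace in dacl:
        if ace.trustee in token_sids and relevant(ace):
            return ace
    return None

def read_property_ace(dacl, token_sids):
    """[MS-ADTS] 5.1.3.3.2, simplified: read on the complete GPO comes from a non-object ACE."""
    return _first_match(dacl, token_sids,
                        lambda a: a.object_type is None and a.mask & RIGHT_DS_READ_PROPERTY)

def apply_group_policy_ace(dacl, token_sids):
    """[MS-ADTS] 5.1.3.3.4, simplified: AGP object ACE, or non-object ACE with CONTROL_ACCESS."""
    return _first_match(dacl, token_sids, lambda a: a.mask & RIGHT_DS_CONTROL_ACCESS
                        and a.object_type in (None, AGP_GUID))

def apply_group_policy_strict(dacl, token_sids):
    """Model of the pre-fix behaviour described above (not SSSD's code): the first ACE for a token SID is the verdict."""
    ace = _first_match(dacl, token_sids, lambda a: True)
    return ace is not None and ace.allow and ace.object_type == AGP_GUID

def gpo_applies(dacl, token_sids):
    """Verdict plus a Gpresult-style reason naming the trustee SID of the deciding ACE."""
    read, agp = read_property_ace(dacl, token_sids), apply_group_policy_ace(dacl, token_sids)
    if not (read and read.allow):
        note = "; AGP grant not evaluated" if agp and agp.allow else ""
        return False, "Denied (Read access: %s%s)" % (read.trustee if read else "no ACE", note)
    if not (agp and agp.allow):
        return False, "Denied (Security Filtering: %s)" % (agp.trustee if agp else "no ACE")
    return True, "Applied"
```

With a token holding only S-1-5-11, the strict model reports the GPO as denied because the read ACE comes first, while the per-right walk finds the AGP grant and applies the GPO; adding the denied group's SID to the token flips the verdict and names that SID in the reason.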