#2606 GPO access control looks for computer object in user's domain only
Closed: Fixed None Opened 5 years ago by jhrozek.

The GPO access control code receives the user's domain as input and uses it to look up the computer object. That doesn't work if the user is from a subdomain, because we'd miss the computer object.

We need to look up the computer object in the domain we're enrolled with. We can use the GPO connection here, maybe; my initial testing shows that the attributes we're interested in are replicated to GC.

We also need to test with a computer enrolled with a child domain and log in with a user from the parent domain to make sure the GPOs applied to the parent domain or OU are found correctly. Again, GC might be helpful here.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

Stephen, did you still plan on doing some GPO fixes?

cc: => sgallagh@redhat.com

Stephen, if you don't plan on working on the fix, please just reassign to "somebody". I can do the fix, it's just a matter of planning and priorities.

owner: somebody => sgallagh

Sorry, Jakub. I've been planning to work on this, but Fedora 22 Beta issues have been occupying my time. I just haven't had a chance to look at it closely yet. I'll try to look into it soon.

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3647

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
