#3269 SSSD does not skip GPO if no gpcFunctionalityVersion present
Closed: Fixed None Opened 2 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1404697

Description of problem:

If the  groupPolicyContainer created by some tool (for example the
https://www.quest.com/products/password-manager/) does not conatin
gpcFunctionalityVersion attribute and sssd stumbles upon such container, it
stops the processing and just quit with the default decision (wich is usually
deny).

To avoid this problem, the SSSD should skip any GPO that does not contain the
gpcFunctionalityVersion because this is the behavior specified by the MS-GPOL,
see 3.2.5.1.6:

-----
3.2.5.1.6 GPO Filter Evaluation
In this step, the client MUST process the GPO as follows:
 1. Check for the functionality version of the GPO. If the
gPCFunctionalityVersion
    field of the Group Policy Object Search message (as defined in [MS-ADA1]
    section 2.278) is not set to 2, the GPO MUST NOT be included in the rest
    of the protocol sequence. The GPO MUST be considered denied.
-----

given that the GPO itself does not have access control rules, you filter
it out.


Version-Release number of selected component (if applicable):

sssd-1.14.0-43.el7.x86_64


Steps to Reproduce:
1. create GPO with https://www.quest.com/products/password-manager/
2. try to log in with such user

Actual results:

login fails

Expected results:


should log in

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => mzidek
patch: => 0
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.5

Fields changed

patch: 0 => 1

sssd-1-14:

sssd-1-13:

resolution: => fixed
status: new => closed
version: => 1.13.4

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.13.5

2 years ago

Login to comment on this ticket.

Metadata