Learn more about these different git repos.
Other Git URLs
When interworking with a Samba AD server (4.3.11) SSSD up to version 1.15.1 cannot apply a correctly configured GPO for access control of domain users on a domain member server. Even with low level debugging, only minimum information is provided: GPO not applicable to target per security filtering. After removing the standard read access rights from the GPO the GPO access control fails with perform_smb_operations failed.[2][No such file or directory] by the GPO child.
As even low-level logs did not help to figure out the root cause, a review of the source code was performed supported by wireshark analysis of the message flow between SSSD and Samba AD as well as Windows 7 clients and Samba AD.
The current GPO security filtering does not take into account, that GPO read access and control access rights for a particular trustee may be split into different ACEs. Security filtering stops after evaluation of the GPO read access ACE and denies access if there is no other trustee for the user that requests login. This problem was already highlighted in https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/ODXS6FBMZTXO7BNKYBX423LX4UHZO7AE but has not been solved.
Also with regard to other security filtering steps the current implementation is way to strict. E. g. if a group policy container in AD does not contain a DACL or "DACL Present" bit is not set, SSSD stops group policy filtering and ignores the succeeding GPOs.
There are AD server implementations that store group policy files on SYSVOL using upper case names for the main folders (MACHINE and USER). SSSD uses libsmbclient to accces group policy files. libsmbclient does not allow case insensitive file access, if the AD server file system is case sensitive. That has been confirmed to be a feature on the Samba mailing list. In such a case SSSD's GPO child fails with error 22 (Invalid argument), even though the required group policy files are stored on SYSVOL.
Finally, administrators can only retrieve sufficient information about failures in GPO security filtering, if they configure low-level debugging. SSSD man pages suggest to use log level function data in their examples. This level is sufficient to log GPO access control but not GPO security filtering. Also the sssd-ad man page is very reluctant with information on the powerful GPO based access control of SSSD.
The described issues are most probably also the real root cause for Issue #3279, despite of the fact that the issuer had problems with the rather complicated setup of a Samba AD environment.
We'll review the patches as part of the next release.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.15.3
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)
Metadata Update from @jhrozek: - Issue assigned to mzidek
Metadata Update from @jhrozek: - Issue tagged with: PR
Metadata Update from @jhrozek: - Issue priority set to: major
After quite some time, Michal did test and review the patches and submitted them along with some of his minor fixes as https://github.com/SSSD/sssd/pull/412
We're really happy about the contribution, but because we need to release the 1.16.0 tarball tomorrow (there's no 1.15.4 after all) and the patches need to go through downstream RHEL tests before being merged, I'm moving the ticket to 1.16.1.
However, we're going to merge them really soon now. I'm sorry for the extreme delay.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.15.4)
Metadata Update from @jhrozek: - Issue tagged with: postpone-to-1-16-2
@lslebodn: Please find attached here a proposal for the requested regression test specification (see comments to the related PR#3320):
<img alt="SSSD_AD_GPO_Regression_Tests.pdf" src="/SSSD/sssd/issue/raw/files/b7962f852ba9b520d6e73376063697241f7bf0c68ea208b7b88414a6d80a6107-SSSD_AD_GPO_Regression_Tests.pdf" />
The PDF contains also all provided GPO templates and other configuration setup files as attachment.
Hope this works for you.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.2 (was: SSSD 1.16.1)
Metadata Update from @jhrozek: - Issue untagged with: postpone-to-1-16-2
Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.
sorry, I shouldn't have copied the boilerplate text here, this one does have a PR but the review is moving at a glacial pace.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.4 (was: SSSD 1.16.3)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.2 (was: SSSD 1.16.4)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)
master
Metadata Update from @pbrezina: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Hi, this is not fixed. Sorry, there are still patches to be merged.
Metadata Update from @mzidek: - Issue status updated to: Open (was: Closed)
Metadata Update from @thalman: - Issue tagged with: Next milestone
https://pagure.io/SSSD/sssd/pull-request/3320
Metadata Update from @pbrezina: - Issue untagged with: Next milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4356
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.