#3324 GPO Security Filtering and Access Control are not Compliant with MS-ADTS
Opened 2 years ago by thor. Modified 7 months ago

When interworking with a Samba AD server (4.3.11) SSSD up to version 1.15.1 cannot apply a correctly configured GPO for access control of domain users on a domain member server. Even with low level debugging, only minimum information is provided: GPO not applicable to target per security filtering. After removing the standard read access rights from the GPO the GPO access control fails with perform_smb_operations failed.[2][No such file or directory] by the GPO child.

As even low-level logs did not help to figure out the root cause, a review of the source code was performed supported by wireshark analysis of the message flow between SSSD and Samba AD as well as Windows 7 clients and Samba AD.

The current GPO security filtering does not take into account, that GPO read
access and control access rights for a particular trustee may be split into
different ACEs. Security filtering stops after evaluation of the GPO read
access ACE and denies access if there is no other trustee for the user that
requests login. This problem was already highlighted in
but has not been solved.

Also with regard to other security filtering steps the current implementation
is way to strict. E. g. if a group policy container in AD does not contain a
DACL or "DACL Present" bit is not set, SSSD stops group policy filtering and
ignores the succeeding GPOs.

There are AD server implementations that store group policy files on SYSVOL
using upper case names for the main folders (MACHINE and USER). SSSD uses
libsmbclient to accces group policy files. libsmbclient does not allow case
insensitive file access, if the AD server file system is case sensitive. That
has been confirmed to be a feature on the Samba mailing list. In such a case
SSSD's GPO child fails with error 22 (Invalid argument), even though
the required group policy files are stored on SYSVOL.

Finally, administrators can only retrieve sufficient information about failures
in GPO security filtering, if they configure low-level debugging. SSSD man pages
suggest to use log level function data in their examples. This level is
sufficient to log GPO access control but not GPO security filtering. Also the
sssd-ad man page is very reluctant with information on the powerful GPO based
access control of SSSD.

The described issues are most probably also the real root cause for Issue #3279, despite of the fact that the issuer had problems with the rather complicated setup of a Samba AD environment.

We'll review the patches as part of the next release.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to mzidek

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

2 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

2 years ago

After quite some time, Michal did test and review the patches and submitted them along with some of his minor fixes as https://github.com/SSSD/sssd/pull/412

We're really happy about the contribution, but because we need to release the 1.16.0 tarball tomorrow (there's no 1.15.4 after all) and the patches need to go through downstream RHEL tests before being merged, I'm moving the ticket to 1.16.1.

However, we're going to merge them really soon now. I'm sorry for the extreme delay.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.15.4)

a year ago

Metadata Update from @jhrozek:
- Issue tagged with: postpone-to-1-16-2

a year ago

Please find attached here a proposal for the requested regression test specification (see comments to the related PR#3320):


The PDF contains also all provided GPO templates and other configuration setup files as attachment.

Hope this works for you.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2 (was: SSSD 1.16.1)

a year ago

Metadata Update from @jhrozek:
- Issue untagged with: postpone-to-1-16-2

a year ago

Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.

sorry, I shouldn't have copied the boilerplate text here, this one does have a PR but the review is moving at a glacial pace.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)

9 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.4 (was: SSSD 1.16.3)

7 months ago

Login to comment on this ticket.

Attachments 1