On Sun, Aug 10, 2014 at 08:18:46PM -0400, Yassir Elley wrote: > > > ----- Original Message ----- > > On Thu, Jul 31, 2014 at 02:40:02PM -0400, Yassir Elley wrote: > > > Hi, > > > > > > The attached patch adds support for gpo processing in offline mode. While > > > the code for online mode uses LDAP to determine which gpo-guids are > > > applicable (and then uses SMB to retrieve policy files), the code in > > > offline mode simply retrieves all gpo-guids from the cache (and then > > > retrieves locally cached per-gpo-guid policy files). Note that neither > > > version checking nor the ad_gpo_cache_timeout option are relevant when in > > > offline mode. > > > > > > Unresolved issues > > > * if there are no gpo-guids in the cache, the code currently denies > > > access; i suspect we should be allowing access instead; agree? > > > > If all the request ran into completion /and/ yet we found no GPOs, then > > it means there are no GPOs on the server side, right? > > If we found no GPOs after running to completion, then it means that > there are no *applicable* GPOs on the server side (taking into account the > hostname, inheritance logic, dacl, supported-cse, etc). That's all that > matters. There may well be other GPOs on the server side that were *not* > applicable, but we don't care about those.
Right, then I agree with allowing access. > > > > > If that's true, then I agree. I don't think there is any equivalent of > > IPA's allow_all, correct? > > I think IPA's allow_all is simply the default HBAC rule that allows > all access. For GPOs, in the absence of any Allow Logon Locally policy > setting, the default is also to allow all access. In the case of IPA, > as soon as the allow_all rule is removed, then the semantics become deny > all (except for those allowed by additional rules). Similarly, as soon as > a single user/group is added to the Allow Logon Locally policy setting, > the semantics become deny all (except for the added users/groups). Yes, exactly. > > > > > > * i don't think offline callbacks are needed, but i'm unclear about > > > whether > > > online callbacks are needed; i suspect they are not needed for the access > > > provider (b/c I don't see them being used by the ad_access_filter code); > > > should we trigger a fresh round of gpo processing when transitioning from > > > offline to online? > > > > This is something I'll test, but I suspect that we don't need additional > > callbacks. Usually there would be authentication attempt before the > > access control that would flip the offline state to online. > > > > > > Thanks for the patches, these work for me. ACK. _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
