Spoke to Stephen today about this and it's working as designed. 

----- Original Message -----

From: "Dan Lavu" <side_cont...@runlevelone.net> 
To: "Development of the System Security Services Daemon" 
<sssd-devel@lists.fedorahosted.org> 
Sent: Thursday, March 5, 2015 7:46:56 PM 
Subject: SSSD GPO Inheritance 


I found something very awkward about this feature. It took me a little bit of 
time to figure out what it is but finally I'm able to reproduce it. The 
policies cannot overlap, it will prioritize one policy and ignore the others. 
For example; 

When the site GPO is the only policy applied, domain users (allow_dm_u) are not 
allowed to log in, which is working fine. 
:: [ PASS ] :: Command 'su_success 'allow_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_success 'allow_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ FAIL ] :: Command 'su_success 'allow_dm_u-123...@example.lan' Secret123' 
(Expected 0, got 1) 
:: [ FAIL ] :: Command 'su_success 'allow_dm_gu-123...@example.lan' Secret123' 
(Expected 0, got 1) 
:: [ PASS ] :: Command 'su_fail 'deny_dm_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_dm_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 


Note that user 'allow_u' is *not* denied in the domain policy, and he is denied 
when both GPOs are applied. 
:: [ FAIL ] :: Command 'su_success 'allow_u-123...@example.lan' Secret123' 
(Expected 0, got 1) 
:: [ FAIL ] :: Command 'su_success 'allow_gu-123...@example.lan' Secret123' 
(Expected 0, got 1) 
:: [ PASS ] :: Command 'su_fail 'deny_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_success 'allow_dm_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_success 'allow_dm_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_dm_u-123...@example.lan' Secret123' 
(Expected 0, got 0) 
:: [ PASS ] :: Command 'su_fail 'deny_dm_gu-123...@example.lan' Secret123' 
(Expected 0, got 0) 

So inheritance is working, but the domain policy is overriding the site policy 
entirely. The Windows GPO behavior is Explicit Deny > Implicit Grant > Explicit 
Grant > Implicit Deny, and the user allow_u is not being denied anywhere, so he 
should still be permitted to log in. 

Is this the desired design, or should I file a bug? 

Dan 

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
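To make the "working as designed" answer concrete, here is a small model of the two ways the logon-rights lists from the site and domain GPOs could be combined, added to this thread as an illustration (it is not SSSD code). It assumes the Windows semantics for user-rights assignments such as SeInteractiveLogonRight / SeDenyInteractiveLogonRight: each right is one atomic setting, GPOs apply in site-then-domain order, and the last GPO that defines a right replaces the whole list rather than merging with lower-precedence GPOs; the reply above says SSSD behaves as designed, and the model assumes SSSD mirrors that. The GPO contents, the group names (allow_g, deny_g, allow_dm_g, deny_dm_g) and the group memberships are constructed fixtures, since the thread only names the users. The "merge" variant is included only to show the union semantics the original post expected.

```python
"""Model of GPO logon-rights precedence (illustration for this thread, not SSSD code).

Assumption: Windows treats each user-rights assignment as a single setting, so the
highest-precedence GPO that defines it (domain after site in LSDOU order) replaces
the entire list. Fixtures below are constructed; group names are assumed.
"""

from dataclasses import dataclass

ALLOW = "SeInteractiveLogonRight"       # right name as written in GptTmpl.inf
DENY = "SeDenyInteractiveLogonRight"


@dataclass
class Gpo:
    name: str
    rights: dict  # right name -> set of principals (users or groups)


def effective_rights_replace(gpos):
    """Windows semantics (assumed for SSSD too): GPOs are applied in precedence
    order, and each right's list is overwritten by the last GPO defining it."""
    eff = {}
    for gpo in gpos:
        for right, principals in gpo.rights.items():
            eff[right] = frozenset(principals)
    return eff


def effective_rights_merge(gpos):
    """What the original post expected: lists from every applicable GPO unioned.
    Included only for contrast; this is not how user-rights assignments behave."""
    eff = {}
    for gpo in gpos:
        for right, principals in gpo.rights.items():
            eff[right] = eff.get(right, frozenset()) | frozenset(principals)
    return eff


def logon_allowed(user, groups, eff):
    """An explicit deny on the user or any group wins; otherwise the user needs an
    allow entry, and a user listed nowhere is implicitly denied."""
    principals = frozenset({user, *groups})
    if principals & eff.get(DENY, frozenset()):
        return False
    return bool(principals & eff.get(ALLOW, frozenset()))


# Constructed fixtures mirroring the users in the thread; *_gu users get their
# right through an assumed group, *_u users are listed directly.
SITE_GPO = Gpo("site", {ALLOW: {"allow_u", "allow_g"}, DENY: {"deny_u", "deny_g"}})
DOMAIN_GPO = Gpo("domain", {ALLOW: {"allow_dm_u", "allow_dm_g"},
                            DENY: {"deny_dm_u", "deny_dm_g"}})

USERS = {
    "allow_u": set(), "allow_gu": {"allow_g"},
    "deny_u": set(), "deny_gu": {"deny_g"},
    "allow_dm_u": set(), "allow_dm_gu": {"allow_dm_g"},
    "deny_dm_u": set(), "deny_dm_gu": {"deny_dm_g"},
}


def evaluate(gpos, combine=effective_rights_replace):
    """Return {user: allowed?} for the given GPO list under the chosen semantics."""
    eff = combine(gpos)
    return {user: logon_allowed(user, groups, eff) for user, groups in USERS.items()}


if __name__ == "__main__":
    for label, gpos in (("site only", [SITE_GPO]),
                        ("site + domain", [SITE_GPO, DOMAIN_GPO])):
        print(f"{label:14} replace: {evaluate(gpos)}")
        print(f"{label:14} merge:   {evaluate(gpos, effective_rights_merge)}")
```

Running it with the replace semantics reproduces the PASS/FAIL pattern in the post: with only the site GPO, allow_u logs in and allow_dm_u does not; once the domain GPO is applied, its allow list replaces the site's, so allow_u is no longer listed anywhere and falls through to the implicit deny even though no GPO explicitly denies him. The merge variant is the outcome the post expected, where allow_u and allow_dm_u both succeed.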
