URL: https://github.com/SSSD/sssd/pull/552 Title: #552: GPO: Store security CSE settings of all applicable GPOs
mzidek-rh commented: """ Hello friends :), I have a few comments:

1. This patch has me as an author, but it is not my patch; it would be good to fix the authorship :)

2. This patch does not solve https://pagure.io/SSSD/sssd/issue/3680 (I tested the simplest reproducer with one empty deny rule and one rule that allows administrator to log in).

3. From the description of the issue I think this patch tries to implement the SID list merging of the same rules across all applicable GPOs to the target. This is something that I implemented a long time ago, and I also thought it was a bug in SSSD that we do not merge the lists, but it was not the case. The correct merging behavior of rules should be:
- merge all rules from applicable GPOs; if the same rule appears in multiple GPOs, override the settings from the previous GPO (respecting the rule precedence).

So SSSD actually does behave correctly (thus the patches I made were rejected). OTOH Windows hosts can enable a setting (I forgot what the feature/setting is called) that allows them to also merge rules that are host specific (host only) and give them higher priority (they are applied on top). This allows, to a certain degree, more flexibility when it comes to merging the GPOs, but the SIDs for the same rule are still not merged; only the list of GPOs and the order of precedence is changed. However, SSSD does not support this at all.

However, if Windows machines can change per host the way GPO rules are applied, I was thinking we could add an option that would allow the SID merging (per host). It would not be the same thing as Windows does, but it would simplify group policy management. But I am not sure if we would be adding some issues with this that we do not see now. I think it could be added as non-default experimental behavior (btw. I just recently mentioned this during the devel meeting).

So I am not against this feature, but if we are going to implement it, then in a different way, and I would prefer to first make a pagure issue, so that it will be discussed among devels and brought up at the weekly devel meeting. """ See the full comment at https://github.com/SSSD/sssd/pull/552#issuecomment-381984628
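The two ways of combining the same security CSE rule across several applicable GPOs that the comment above contrasts (later GPO overrides the earlier GPO's SID list, versus unioning the SID lists) are modelled below. This is an added stand-alone example, not SSSD code and not the code from the pull request; the GPO names, SIDs and the deny-wins evaluation in logon_allowed() are constructed assumptions for illustration only.

```python
"""Model of how one security CSE rule combines across applicable GPOs.

Added example, not SSSD code. GPO names and SIDs are constructed.
Two combination policies are modelled:
  - "override": the same rule in a later (higher-precedence) GPO replaces
    the earlier GPO's SID list (the behaviour the comment describes as
    what SSSD does today).
  - "merge": SID lists for the same rule are unioned across GPOs (the
    proposed, non-default experimental behaviour).
"""
from collections import OrderedDict

ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"

# Constructed sample GPOs in order of application; the last one applied
# has the highest precedence. The second GPO carries an explicitly empty
# allow list, which matters under "override" but is a no-op under "merge".
GPOS = [
    ("Default Domain Policy", {ALLOW: ["S-1-5-32-544", "S-1-5-32-545"]}),
    ("Deny Service Accounts", {DENY: ["S-1-5-21-1-1-1-1101"], ALLOW: []}),
    ("Admin Host Policy", {ALLOW: ["S-1-5-32-544"]}),
]


def combine(gpos, policy="override"):
    """Return the effective {rule: [sids]} mapping for a list of GPOs."""
    if policy not in ("override", "merge"):
        raise ValueError("unknown policy: %r" % policy)
    effective = OrderedDict()
    for _name, settings in gpos:
        for rule, sids in settings.items():
            if policy == "override" or rule not in effective:
                # Later GPO (or first occurrence) sets the whole list.
                effective[rule] = list(sids)
            else:
                # Merge: union, preserving first-seen order.
                for sid in sids:
                    if sid not in effective[rule]:
                        effective[rule].append(sid)
    return effective


def logon_allowed(effective, user_sids):
    """Assumed evaluation model: a matching deny right wins over the allow
    right; an absent or empty allow list grants nobody access."""
    user = set(user_sids)
    if user & set(effective.get(DENY, [])):
        return False
    return bool(user & set(effective.get(ALLOW, [])))


if __name__ == "__main__":
    admin = ["S-1-5-32-544"]
    domain_user = ["S-1-5-32-545"]
    svc_account = ["S-1-5-32-545", "S-1-5-21-1-1-1-1101"]
    for policy in ("override", "merge"):
        eff = combine(GPOS, policy)
        print(policy, dict(eff))
        for label, sids in (("admin", admin), ("domain user", domain_user),
                            ("service account", svc_account)):
            print("  %-16s -> %s" % (label, logon_allowed(eff, sids)))
```

Under "override" the effective allow list is only the last GPO's single SID, so the domain user is refused even though the first GPO allowed that group; under "merge" the domain user is admitted, while the service account is still refused because the deny right is checked first. Which of these an administrator actually wants is exactly the question the comment defers to a pagure issue.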
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org