URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules

pbrezina commented:
"""
I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow 
access to the Administrator. Administrator is allowed to login as expected, 
vagrant is not able to login either way regardless of the option settings 
because an applicable GPO is found and the user is not explicitly allowed.

```
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)]
(2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400):        user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-11
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400):  access_granted = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400):   access_denied = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
```

The patch does not change the behavior.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162
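
For troubleshooting logs like the one in the comment above, the following is an added example (not part of the comment and not SSSD code) that extracts the `ad_gpo_access_check` fields and cross-checks the logged SID lists against the logged decision. The names `parse_gpo_check` and `explain` are hypothetical, the `denied_sids[N]` key is assumed by analogy with `allowed_sids[N]`, and `explain` is a reading of the logged values rather than SSSD's own evaluation code.

```python
import re

# Sample: the ad_gpo_access_check lines from the log quoted above.
P = "(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): "
DOM = "S-1-5-21-433998187-2822908608-1404606238"
SAMPLE = "\n".join(P + s for s in [
    "RESULTANT POLICY:",
    "gpo_map_type: Remote Interactive",
    "allowed_size = 1",
    f"allowed_sids[0] = {DOM}-500",
    "denied_size = 0",
    "CURRENT USER:",
    f"       user_sid = {DOM}-1000",
    f"  group_sids[0] = {DOM}-513",
    "  group_sids[1] = S-1-5-11",
    "POLICY DECISION:",
    " access_granted = 0",
    "  access_denied = 0",
])

# "key = value" or "key[N] = value" after the function tag; \s* also spans
# line breaks, so mail-wrapped copies of the log parse the same way.
FIELD = re.compile(
    r"\[ad_gpo_access_check\] \(0x[0-9a-f]+\):\s*(\w+)(?:\[\d+\])?\s*=\s*(\S+)")

def parse_gpo_check(text):
    """Collect the SIDs and decision flags logged by ad_gpo_access_check."""
    r = {"allowed_sids": [], "denied_sids": [], "user_sids": [],
         "access_granted": None, "access_denied": None}
    for key, val in FIELD.findall(text):
        if key in ("allowed_sids", "denied_sids"):  # denied_sids: assumed key
            r[key].append(val)
        elif key in ("user_sid", "group_sids"):     # user SID plus group SIDs
            r["user_sids"].append(val)
        elif key in ("access_granted", "access_denied"):
            r[key] = int(val)
    return r

def explain(r):
    """Cross-check the logged lists; not SSSD's own evaluation logic."""
    user = set(r["user_sids"])
    if user & set(r["denied_sids"]):
        return "denied: a user or group SID is on the deny list"
    if r["allowed_sids"] and not user & set(r["allowed_sids"]):
        return "denied: allow list is set and no user or group SID is on it"
    return "not denied by the logged lists"

if __name__ == "__main__":
    result = parse_gpo_check(SAMPLE)
    print(result)
    print(explain(result))
```
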