On 9/11/19 10:56 AM, Emil Petersson wrote:
> Even when I reconfigure AD to make sure there are no applicable GPOs found, I'm
> still granted access with my unprivileged user.
>
> [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
> [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
> [ad_gpo_access_check] (0x0400): allowed_size = 0
> [ad_gpo_access_check] (0x0400): denied_size = 0
> ...snip...
> [ad_gpo_access_check] (0x0400): CURRENT USER:
> [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1107582786-xxx-2594897426-2570
> [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-1107582786-xxx-2594897426-513
> [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
> [ad_gpo_access_check] (0x0400): POLICY DECISION:
> [ad_gpo_access_check] (0x0400): access_granted = 1
> [ad_gpo_access_check] (0x0400): access_denied = 0
> [ad_gpo_access_done] (0x0400): GPO-based access control successful.
>
> In this case, shouldn't the new feature "ad_gpo_implicit_deny" kick in and make
> sure the user is denied?

Hi,

you are correct. It should deny access to the user. Both this log and the log
from your previous email look like there is some issue with SSSD. I will
try to reproduce it locally, but from the logs you provided it looks
like a bug.

Michal
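
A log check for the condition discussed in this thread, as an added example that is not part of the original messages or of SSSD: it scans SSSD debug output for ad_gpo_access_check results where access was granted although the resultant policy has an empty allow list (allowed_size = 0), the case the thread says ad_gpo_implicit_deny should deny. The sample log, its SIDs and the function names are constructed for illustration.

```python
import re

# Match the message part of an ad_gpo_access_check debug line; any timestamp
# or process prefix in front of the function tag is ignored.
LINE_RE = re.compile(r"\[ad_gpo_access_check\] \(0x[0-9a-fA-F]+\): (.*)$")
# "key = value" and "key: value" fields; section headers do not match.
FIELD_RE = re.compile(r"^(\w+(?:\[\d+\])?)\s*[:=]\s*(.+)$")

# Constructed sample modelled on the excerpt in the thread (SIDs are made up).
_TEMPLATE = """\
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = {allowed}
[ad_gpo_access_check] (0x0400): denied_size = 0
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1111111111-2222222222-3333333333-{rid}
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400): access_granted = 1
[ad_gpo_access_check] (0x0400): access_denied = 0
"""
SAMPLE_LOG = _TEMPLATE.format(allowed=0, rid=1001) + _TEMPLATE.format(allowed=1, rid=1002)

def parse_checks(text):
    """Return one dict of fields per GPO access check found in the log text."""
    checks, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg == "RESULTANT POLICY:":      # start of a new check
            current = {}
            checks.append(current)
        elif current is not None:
            f = FIELD_RE.match(msg)
            if f:
                current[f.group(1)] = f.group(2).strip()
    return checks

def suspicious_checks(text):
    """Checks that granted access although no SID was explicitly allowed."""
    return [c for c in parse_checks(text)
            if c.get("allowed_size") == "0" and c.get("access_granted") == "1"]

if __name__ == "__main__":
    for c in suspicious_checks(SAMPLE_LOG):
        print(f"{c.get('user_sid')}: {c.get('gpo_map_type')} access granted with empty allow list")
```

On a host where ad_gpo_implicit_deny is enabled, any hit from suspicious_checks() over the domain log is worth investigating, since the thread's expectation is that such logins are denied.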
_______________________________________________
sssd-users mailing list -- [email protected]