On Mon, Jun 01, 2020 at 06:08:40AM -0000, [email protected] wrote:
> Hello guys,
>
> All my sssd config is working fine, but for the last couple of days I've been
> trying to make ad_gpo work, but I have a weird issue I cannot fix.
>
> Here is my sssd.conf
>
> [sssd]
> domains = glop.com
> config_file_version = 2
> services = nss, pam
>
> [pam]
> pam_pwd_expiration_warning = 3
>
> [domain/glop.com]
> debug_level = 8
> ad_domain = glop.com
> krb5_realm = GLOP.COM
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> pwd_expiration_warning = 3
> default_shell = /bin/bash
> dyndns_update = false
>
>
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> sudo_provider = ad
>
> ad_gpo_default_right = interactive
> #ad_gpo_map_type = permit
> ad_gpo_access_control = enforcing
> ad_gpo_implicit_deny = True
>
> ----------------
> Whatever setting I use in ad_gpo_default_right does not seem to make a
> difference; in my sssd.log I always see
>
> [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): gpo_map_type: Remote Interactive <=========== THIS IS MY PROBLEM
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): allowed_size = 0
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): denied_size = 0
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): CURRENT USER:
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): user_sid = S-1-5-21-1801037062-2975133201-2745703018-1106
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): group_sids[0] = S-1-5-21-1801037062-2975133201-2745703018-1137
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): group_sids[1] = S-1-5-21-1801037062-2975133201-2745703018-513
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): group_sids[2] = S-1-5-11
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): POLICY DECISION:
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): access_granted = 1
> (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check]
> (0x0400): access_denied = 0
>
> My problem, I believe, is the first line 'gpo_map_type: Remote Interactive'.
>
> My Windows Group Policy is set with
> Allow log on locally => group_allowed
> Deny log on locally => group deny
>
> I have user1, a member of group_allowed.
> I have user2, a member of group_deny.
>
> At this point they can all log on, which is not what I expected :-(
>
> After a little bit of research, and because the log returns 'gpo_map_type:
> Remote Interactive', instead of using the GPO settings 'Allow log on locally'
> and 'Deny log on locally', I used 'Allow log on through Remote Desktop
> Services' and 'Deny log on through Remote Desktop Services',
> and then everything works as expected.
>
> So my question: why does it work with a GPO using the 'log on through Remote
> Desktop Services' settings, but not with 'Allow/Deny log on locally'?
Hi,
The different Linux login services (gdm, /bin/login, sshd, ftp, etc.) are
mapped to different allow/deny permissions on AD. E.g. by default
console login (/bin/login) is mapped to "Allow/Deny log on locally",
while sshd is mapped to "Allow/Deny log on through Remote Desktop
Services". So when you see 'gpo_map_type: Remote Interactive' in the
logs, I guess you are trying to log in with ssh.
The 'ad_gpo_default_right' does not come into play because "This option
defines how access control is evaluated for PAM service names that are
not explicitly listed in one of the ad_gpo_map_* options." (from man
sssd-ad). Since both services you mentioned are covered by default
setting ('login' is in the defaults of 'ad_gpo_map_interactive' while
'sshd' is in the defaults of 'ad_gpo_map_remote_interactive') there is
no need for 'ad_gpo_default_right' to step in.
More details can be found in man sssd-ad. If you have suggestions for
improvements of the corresponding man page entries, feel free to send
them here or create a pull request on https://github.com/SSSD/sssd.
HTH
bye,
Sumit
>
> Is there a way to change 'gpo_map_type: Remote Interactive' to 'gpo_map_type:
> Interactive'?
>
> I have played with these 2 settings without success so far:
> ad_gpo_default_right = interactive
> ad_gpo_map_type = interactive
>
> Thanks for your help
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
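As an added illustration (not sssd's own code and not part of this thread), the following Python model shows why 'sshd' resolves to Remote Interactive no matter what ad_gpo_default_right says, and how the '+service'/'-service' syntax of the ad_gpo_map_* options documented in man sssd-ad moves a service between map types. The default service lists are abbreviated, the SIDs and allow/deny lists in the test are constructed, and ad_gpo_implicit_deny is not modelled.

```python
"""Illustrative model (not sssd's code) of how the sssd AD provider resolves a
PAM service name to a GPO map type, and of the POLICY DECISION shown in the log."""

# Abbreviated per-map-type defaults from man sssd-ad (assumption: lists trimmed).
DEFAULT_MAP = {
    "interactive": {"login", "su", "su-l", "gdm-password", "lightdm", "sddm", "xdm"},
    "remote_interactive": {"sshd", "cockpit"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
    "permit": {"sudo", "sudo-i", "polkit-1", "systemd-user"},
    "deny": set(),
}


def apply_overrides(config):
    """Apply ad_gpo_map_<type> = +svc, -svc entries on top of the defaults."""
    mapping = {k: set(v) for k, v in DEFAULT_MAP.items()}
    for key, value in config.items():
        map_type = key[len("ad_gpo_map_"):] if key.startswith("ad_gpo_map_") else None
        if map_type not in mapping:      # e.g. ad_gpo_map_type is not a real option
            continue
        for item in (s.strip() for s in value.split(",")):
            if item.startswith("+"):
                mapping[map_type].add(item[1:])
            elif item.startswith("-"):
                mapping[map_type].discard(item[1:])
    return mapping


def map_type_for(service, config):
    """Return the gpo_map_type sssd would log for a PAM service name."""
    for map_type, services in apply_overrides(config).items():
        if service in services:
            return map_type
    # Only services not listed anywhere fall through to ad_gpo_default_right.
    return config.get("ad_gpo_default_right", "deny")


def access_check(user_sids, allowed, denied):
    """Mirror the decision in the posted log: a hit in the deny list wins,
    an empty allow list grants (ad_gpo_implicit_deny is not modelled)."""
    sids = set(user_sids)
    if sids & set(denied):
        return False
    return not allowed or bool(sids & set(allowed))


if __name__ == "__main__":
    posted = {"ad_gpo_default_right": "interactive", "ad_gpo_map_type": "interactive"}
    print(map_type_for("sshd", posted))      # remote_interactive
    fixed = {"ad_gpo_map_remote_interactive": "-sshd", "ad_gpo_map_interactive": "+sshd"}
    print(map_type_for("sshd", fixed))       # interactive
```

With the 'fixed' mapping, ssh logins are evaluated against the 'Allow/Deny log on locally' settings; whether that is desirable is a policy decision for the site.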