New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSSD incorrectly works with AD GPO during user login #5708
Comments
Hi, could you please test if this scenario works for you with 2.x based SSSD? (Modern Fedora, CentOS stream, etc) |
I'll test it on the Weekend |
Looks like on last versions everything works good:
Is it possible to install sssd 2.5.1 on Centos 7? Our main Linux OS is still Centos 7. |
Sorry, I was mistaken. It doesn't work too. But in this case any domain user can't login at all. |
Hi, thanks for the detailed explanation. Do I understand correctly that you removed the default permissions for 'Authenticated Users' from the GPOs in 'servers' and replaced it with something which only applies to host objects? bye, |
Hi, Yes, it's correct. We want to apply the GPO only to specific server groups. |
@qwert1qwert have you tried the |
Sorry, you said you tried it, never mind. |
@qwert1qwert could you be affected by https://support.microsoft.com/en-us/topic/ms16-072-security-update-for-group-policy-june-14-2016-7570425d-d460-3003-b2ac-a464c874725d? What is the security filtering you have on each group policy object, did you add |
No, it is completely different. |
Hi @qwert1qwert, |
Hi, I think I have an idea what is wrong here. Currently SSSD is only checking for the host itself but does not include the groups the host is a member of in the evaluation (in contrast to the groups the user is a member of). @qwert1qwert, if you still have a chance to check this I wonder if you can add the host itself to the bye, |
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708
The related calls are not needed anymore. Resolves: SSSD#5708
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708
The related calls are not needed anymore. Resolves: SSSD#5708
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708
The related calls are not needed anymore. Resolves: SSSD#5708
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708
The related calls are not needed anymore. Resolves: SSSD#5708
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: SSSD#5708
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: SSSD#5708
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: #5708 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 5f63d9b) Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: SSSD#5708
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: SSSD#5708
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: SSSD#5708
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 29a77c6)
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a153f13)
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 29a77c6)
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: #5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a153f13)
Pushed PR: #7145
|
struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure. Resolves: SSSD#5708 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit cfc591d)
struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure. Resolves: #5708 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit cfc591d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit c02e09a) Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: SSSD#5708 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 5f63d9b) Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: SSSD#5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 29a77c6)
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: SSSD#5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a153f13)
struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure. Resolves: SSSD#5708 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit cfc591d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
With this patch the group-memberships of the client running SSSD are included in the evaluation of the security filtering. Similar as in AD the host object is more or less handled as a user object which allows to skip some code dedicated to computers only. Resolves: SSSD#5708 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit c02e09a) Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
This patch adds a new parameter set_non_posix to the user and group lookup calls. Currently the domain type is used to determine if the search should be restricted to POSIX objects or not. The new option allows to drop this restriction explicitly to look up non-POSIX objects. Resolves: SSSD#5708 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 5f63d9b) Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com>
AD handles users and computer objects very similar and so does SSSD's GPO code when lookup up the host's group-memberships. But users and computers might be stored in different sub-tree of the AD LDAP tree and if a dedicated user search base is given with the ldap_user_search_base option in sssd.conf the host object might be in a different sub-tree. To make sure the host can still be found this patch uses the base DN of the LDAP tree when searching for hosts in the GPO code. Resolves: SSSD#5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 29a77c6)
The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: SSSD#5708 Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit a153f13)
struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure. Resolves: SSSD#5708 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit cfc591d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Hi,
We use GPOs to allow/deny user access to our servers. GPOs are linked to servers container and in their "Security filters" are only groups which contain necessary servers. Users can't read this GPO because of another container and security filter.
Everything works good for Windows machines - as it should be. However, on Linux machines SSSD requires that user have a permission to read this GPO.
If user can't read this GPO and we add ad_gpo_ignore_unreadable=true option, than any domain user will be able to login to servers which apply this policy. If we set ad_gpo_ignore_unreadable=false (or just remove it), all domain users can't login to servers which apply this policy.
This policy contains only server's part and is in container which shouldn't be applied to users.
OS: Centos 7
SSSD: 1.16.5
The text was updated successfully, but these errors were encountered: