SSSD incorrectly works with AD GPO during user login

[qwert1qwert]

Hi,

We use GPOs to allow/deny user access to our servers. GPOs are linked to servers container and in their "Security filters" are only groups which contain necessary servers. Users can't read this GPO because of another container and security filter.
Everything works good for Windows machines - as it should be. However, on Linux machines SSSD requires that user have a permission to read this GPO.
If user can't read this GPO and we add ad_gpo_ignore_unreadable=true option, than any domain user will be able to login to servers which apply this policy. If we set ad_gpo_ignore_unreadable=false (or just remove it), all domain users can't login to servers which apply this policy.

This policy contains only server's part and is in container which shouldn't be applied to users.

OS: Centos 7
SSSD: 1.16.5

[alexey-tikhonov]

Hi,

could you please test if this scenario works for you with 2.x based SSSD? (Modern Fedora, CentOS stream, etc)

[qwert1qwert]

I'll test it on the Weekend

[qwert1qwert]

Looks like on last versions everything works good:

• Centos Stream
• sssd 2.5.1

Is it possible to install sssd 2.5.1 on Centos 7? Our main Linux OS is still Centos 7.

[qwert1qwert]

Sorry, I was mistaken. It doesn't work too. But in this case any domain user can't login at all.

[alexey-tikhonov]

Unfortunately I'm not fluent in GPO.
Could you please comment if this is relevant to #5181 and #5561?

[qwert1qwert]

No, it is different.
Let me try to explain more detailed.

1. For example, we such organization units structure:
   domain root
   |-company
   |--servers
   |--users

2. We have server server1 under "servers" OU and user1 under "users" OU.

3. Any OU may have linked GPO(s).

4. Servers under OU "server" will try to read and apply all GPOs under "domain root", "company", "servers". Of course they will read and apply only GPO with proper permissions. Servers will use only "Computer configuration" part of GPOs. Users may have permissions on these GPOs or may not - it doesn't matter.

5. Users under OU "users" will try to read and apply all GPOs under "domain root", "company", "users". The server must be able to read all GPOs which are applicable for user, but there system will apply only "User configuration" part of GPOs.

When server1 logins to domain, it reads appropriate GPOs and see which domain groups have permissions to login remotely/locally on it from "Computer configuration" part of GPOs. When user1 logins to domain, server1 gets and applies for him necessary GPOs. If the same items are configured in "Computer configuration" and "User configuration", than computer part has more priority.

So, server and user in this scenario may have common GPOs (under "domain root", "company"), some GPOs will be applied only while server itself logons to domain (under "servers") and some of GPOs will be applied only during user logon (under "users").

That is how it works for Windows-based machines. In Linux SSSD tries to apply during user logon GPOs under OU "servers" which shouldn't be touched by the system at this moment at all.

[sumit-bose]

Hi,

thanks for the detailed explanation. Do I understand correctly that you removed the default permissions for 'Authenticated Users' from the GPOs in 'servers' and replaced it with something which only applies to host objects?

bye,
Sumit

[qwert1qwert]

Hi,

Yes, it's correct. We want to apply the GPO only to specific server groups.

[panlinux]

@qwert1qwert have you tried the ad_gpo_ignore_unreadable option? If I understood it correctly, when the user logs in, sssd is trying to apply the server gpos, but those can't be read with the user credentials, and shouldn't be applied anyway, because they were applied already when the "server logs in"?

[panlinux]

Sorry, you said you tried it, never mind.

[panlinux]

@qwert1qwert could you be affected by https://support.microsoft.com/en-us/topic/ms16-072-security-update-for-group-policy-june-14-2016-7570425d-d460-3003-b2ac-a464c874725d? What is the security filtering you have on each group policy object, did you add Domain Computers as suggested in that advisory?

[qwert1qwert]

No, it is completely different.
I don't have user's GPOs, only computer's. It allows to login exact group of users but it is computer's part of GPO.

[alexey-tikhonov]

Hi @qwert1qwert,
is it still an issue for you? Did you figure out anything else worth mentioning here?

[sumit-bose]

Hi,

I think I have an idea what is wrong here. Currently SSSD is only checking for the host itself but does not include the groups the host is a member of in the evaluation (in contrast to the groups the user is a member of).

@qwert1qwert, if you still have a chance to check this I wonder if you can add the host itself to the Security Filtering together with the hostgroup and check if it is then working as expected.

bye,
Sumit

[alexey-tikhonov]

Pushed PR: #7131

• sssd-2-8
  • 0338470 - sdap: add set_non_posix parameter
  • 597d193 - sysdb: remove sysdb_computer.[ch]
  • 5635a8c - ad: gpo evalute host groups
  • 2e02801 - LDAP: make groups_by_user_send/recv public

[alexey-tikhonov]

Pushed PR: #7145

• master
  • a153f13 - sdap: add naming_context as new member of struct sdap_domain
  • 29a77c6 - sdap: add search_bases option to groups_by_user_send()
• sssd-2-8
  • 04c0279 - sdap: add naming_context as new member of struct sdap_domain
  • 151ba69 - sdap: add search_bases option to groups_by_user_send()
• sssd-2-9
  • 6a8e60d - sdap: add naming_context as new member of struct sdap_domain
  • a7621a5 - sdap: add search_bases option to groups_by_user_send()

[alexey-tikhonov]

Pushed PR: #7211

• sssd-2-8
  • 3800473 - SDAP: Include struct ldb_dn in struct sdap_search_base