-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GPO: Add "thinlinc" to ad_gpo_map_remote_interactive #530
Conversation
ThinLinc is a remote desktop server, very similar to the Remote Desktop Services referenced in the Active Directory description for this policy.
Can one of the admins verify this patch? |
1 similar comment
Can one of the admins verify this patch? |
Any backports of this to stable branches would also be nice as the failure mode is rather confusing (the default logging doesn't state why the account is denied login). |
ok to test |
Hello, it is not necessary to change the internal defaults to support ThinLinc. The mapping of PAM services to GPO rules is configurable in the domain section of sssd.conf. So users of ThinLinc should have this in sssd.conf:
See man sssd-ad for more details. Michal |
Right, we found that. But it's hard to discover that you have to do that, and it would be better if things just worked by default. |
Hello, I do not think this is a good way to approach this issue. There can be hundreds of different PAM services that could be mapped to different gpo rules. We do not want to list them all in man pages and put them as defaults. It would actually worsen the situation because many admins would not want to use most of the services (I think this is also the case for thinlinc pam service) and would end up removing them from the defaults using the '-pam_service_name' syntax in the gpo_map_* options. This is exactly why the mappings are configurable. If it was difficult to find out the documentation for gpo_map_* settings then I think the real issue is that our documentation is not easy to use (and unfortunately I do think this is the case and we need to improve this). Could you suggest what we could do to improve the documentation? Was there something specific that was confusing or something that you would like to add? I really do not know how people use the documentation or how they look for it (man, google, blog posts?). Your feedback in this area would be valuable. Thanks, |
I don't fully agree with you here. This setting is about mapping what kind of service each PAM service is. That is a statement of fact, not policy. Yes, people might use that to also control which services are allowed but that is not its stated purpose. So from that point of view this list should ideally include every service out there, properly mapped to the correct category.
The issue is with the logging. The man page was fairly clear once I figured out what to look for. The standard error message gives absolutely no hint as to why access is denied:
The debug message at least says that it has to do with GPOs and services, but no clue beyond that:
I would have preferred if the standard log message informed me that access was denied because the service thinlinc is not mapped to any GPO rule. |
I opened https://pagure.io/SSSD/sssd/issue/3664 to track the logging issue. Thank you @CendioOssman for this feedback. About putting the thinlinc PAM service to the default mapping, I still think it should not be there for the reasons I mentioned before (and I really do not like the idea of having all possible PAM services in the default maps, IMO there should be only PAM services available by default in common distributions / or really common PAM services), but I may be wrong and would like to ask other team members about their opinion on this. So, @jhrozek @pbrezina @sumit-bose @fidencio , what do you guys think about this? Michal |
We may think of a mechanism to add a comment or a file somewhere we can read, so that software can distribute their GPO mappings in their RPMs/DEBs/etc.. instead of us having to patch SSSD all the time or admins having to list mapping on their own. |
I saw a |
Dropping a config snippet in /etc/sssd/conf.d/ with the option would be the way to go ... and I'd like to see it being done by, for instance, the package that wants/needs this option (thinlinc in this case). However, I can see at least one issue here that has to be solved by SSSD before actually relying on it (or please, someone correct me in case I'm mistaken): The domain section usually looks like: [domain/"whatever you want to put here"] ... and it may be problematic ... as the package wouldn't know what's the "whatever you want to put here" to create a functional snippet. I'll wait for the opinion from other developers and then we can open a bug and have a discussion (rather there, in the issue, than here, in order to keep it easily tracked) about what would be the easiest/fastest way to have it done. Does this make sense? |
The default should be a global option, not per domain. |
We have discussed this a little bit on #sssd and, AFAIU (@simo5, please correct me if I got something wrong) the ideal situation would be:
@SSSD/developers, @simo5's suggestion sounds quite reasonable to me. Would you guys like to bring up as well? |
I'm confused, what do you mean by a global option? One in the Would it be easier to add the discussion or some most important parts of it to this PR or to a ticket so that it's easy to follow the logic? |
I'm adding the discussion here:
And the discussion can be added to the ticket as soon as we specifically have a ticket for this and/or decide to use the documentation ticket for this (I'll leave this decision to @mzidek-rh). |
@simo5 : I understand why you want to set defaults in the [sssd] section and it makes sense to me. But I also think we may end up finding similar situations in the future (need defaults in [sssd] with the ability to override it in [domain/..] section) and I do not like it much, we basically double the same option. Not just for this use case with gpo rule to pam service mappings, but for making the config file snippets more powerful, we could implement something like What do you think? |
No strong opinion beside bikeshedding on the name: |
@simo5 Thanks everyone for your input. |
Actually, I do not have permissions to close this PR :D So, someone who does have it, please close this PR :) |
ThinLinc is a remote desktop server, very similar to the Remote Desktop
Services referenced in the Active Directory description for this policy.