[sssd PR#5241][comment] GPO: respect ad_gpo_implicit_deny when evaluation rules
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules
pbrezina commented:
"""
I can't reproduce this. I have two users: 1) Administrator, 2) vagrant. I allow access to the Administrator. Administrator is allowed to log in as expected; vagrant is not able to log in either way, regardless of the option settings, because an applicable GPO is found and the user is not explicitly allowed.
```
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)]
(2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_granted = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_denied = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
```
The patch does not change the behavior.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162
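
The following is an added illustration, not part of pbrezina's comment and not SSSD source code: a simplified model of the allow/deny decision printed in the log, run with the SIDs from that log. The function names are hypothetical, and the rule that `ad_gpo_implicit_deny` only changes the outcome when the allow list is empty is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true if the user SID or any group SID is in the list. */
static bool sid_listed(const char **list, size_t n, const char *user,
                       const char **groups, size_t ngroups)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i], user) == 0) return true;
        for (size_t g = 0; g < ngroups; g++)
            if (strcmp(list[i], groups[g]) == 0) return true;
    }
    return false;
}

/* Model of the POLICY DECISION step: access needs granted && !denied.
 * Assumption: implicit_deny matters only when no allow entries exist. */
bool gpo_model_allows(const char **allowed, size_t nallowed,
                      const char **denied, size_t ndenied,
                      const char *user, const char **groups, size_t ngroups,
                      bool implicit_deny)
{
    bool granted = (nallowed == 0 && !implicit_deny)
                || sid_listed(allowed, nallowed, user, groups, ngroups);
    bool is_denied = sid_listed(denied, ndenied, user, groups, ngroups);
    return granted && !is_denied;
}

/* SIDs copied from the log above; Administrator's groups are not in the log. */
#define ADMIN_SID   "S-1-5-21-433998187-2822908608-1404606238-500"
#define VAGRANT_SID "S-1-5-21-433998187-2822908608-1404606238-1000"
static const char *ALLOWED[] = { ADMIN_SID };
static const char *VAGRANT_GROUPS[] = {
    "S-1-5-21-433998187-2822908608-1404606238-513", "S-1-5-11" };

int main(void)
{
    for (int deny = 0; deny <= 1; deny++) {
        printf("implicit_deny=%d vagrant=%d admin=%d vagrant_empty_allow=%d\n", deny,
               gpo_model_allows(ALLOWED, 1, NULL, 0, VAGRANT_SID, VAGRANT_GROUPS, 2, deny),
               gpo_model_allows(ALLOWED, 1, NULL, 0, ADMIN_SID, NULL, 0, deny),
               gpo_model_allows(NULL, 0, NULL, 0, VAGRANT_SID, VAGRANT_GROUPS, 2, deny));
    }
    return 0;
}
```

With the allow list from the log, the vagrant result is the same for both option values; only the constructed empty-allow-list case changes with the flag.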