On Wed, Aug 10, 2016 at 12:02:18PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Aug 2016, Michal Židek wrote:
> > Summary for Alexander (in CC):
> > - Regarding processing GPOs on the client.
> > - If groupPolicyContainer in AD has attribute
> > gPCMachineExtensionNames that contains only whitespaces, SSSD
> > fails to process GPOs and denies access to users
> > - if the gPCMachineExtensionNames is missing, it is OK and
> > SSSD skips such GPO (because we are only interested in
> > Machine extensions)
> > - We have a customer that has thousands of GPOs stored in AD and
> > some of them have just ' ' (space) in the gPCMachineExtensionNames
> > attribute. The AD administrators say that they created the GPOs
> > using the GUI provided by AD.
> > - Treating the gPCMachineExtensionNames with just whitespaces the
> > same way as if the gPCMachineExtensionNames was missing completely
> > fixed the issue for the customer.
> >
> > - Now, it would be good to support the fix with some links to
> > documentation.
> >
> > - I believe we should go with that fix, but could not find any
> > documentation that would explicitly say something about just
> > whitespaces in the gPCMachineExtensionNames
> > - Gunter could also not find documentation that would say something
> > about just whitespaces in that attribute, but believes that we should
> > use the fix and skip such attributes.
> >
> > Alexander, can you try to find something in the MSDN documentation
> > that would support our fix? If not, then just what is your opinion?
> You should use the MS-GPOL spec. Section 2.2.4 'GPO Search' says that when
> processing gPCMachineExtensionNames, "Group Policy processing terminates
> at the first <CSE GUIDn> out of sequence."
> Since ' ' (space only) does not fall into the defined syntax for
> gPCMachineExtensionNames, this Group Policy processing is stopped and
> its CSE GUIDs are set to 'empty list'.
> Because of the language in 3.2.5.1.10 'Extension Protocol Sequences':
> ------------------------------------------------------------------------
> The Group Policy client MUST evaluate the subset of the abstract element
> Filtered GPO list separately for each Group Policy extension by
> including in the subset only those GPOs whose gPCUserExtensionNames (for
> user policy mode) or gPCMachineExtensionNames (for computer policy mode)
> attributes contain CSE GUID that correspond to the Group Policy
> extension. If the CSE GUID corresponding to the Group Policy extension
> is present in Extension List, it is invoked using the
> Implementation Identifier field. Applicability is determined as
> specified in section 3.2.1.5. The Group Policy Registry Extension MUST
> always execute first. All other applicable Group Policy extensions in
> the Extension List MUST be loaded and executed in Extension List order.
> A failure in any Group Policy extension sequence MUST NOT affect the
> execution of other Group Policy extensions.
> ------------------------------------------------------------------------
> I think we can practically treat wrong content of
> gPCMachineExtensionNames (and gPCUserExtensionNames) as an inability of the
> GPO to pass through the Filtered GPO list. Thus, the GPO would be
> ignored.
Michal, if you add Alexander's response into the commit message, I will
push the patch.
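To make the behaviour the thread settles on concrete, here is an added C example (not SSSD's own code) that parses gPCMachineExtensionNames and returns an empty CSE list, so the GPO is skipped, when the attribute is missing or whitespace-only, when a group is malformed, or when a CSE GUID is out of sequence. It assumes the MS-GPOL layout [{CSE GUID}{TOOL GUID}...] with CSE GUIDs in ascending case-insensitive order and at least one tool GUID per group; the GUID values used for testing are constructed, not real extension GUIDs.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

#define GUID_LEN 38  /* "{8-4-4-4-12}" including the braces */

/* Return 1 if s begins with a brace-enclosed GUID of the right shape. */
static int is_guid(const char *s)
{
    static const char *tpl = "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}";
    for (int i = 0; i < GUID_LEN; i++) {
        if (tpl[i] == 'x' ? !isxdigit((unsigned char)s[i]) : s[i] != tpl[i])
            return 0;
    }
    return 1;
}

/*
 * Parse gPCMachineExtensionNames, which MS-GPOL lays out as
 * [{CSE GUID}{TOOL GUID}...][{CSE GUID}{TOOL GUID}...]... with CSE GUIDs
 * in ascending order. Copies each CSE GUID into cse[] and returns the count.
 * Returns 0 (empty list, GPO skipped) when the attribute is absent or
 * whitespace-only, when a group is malformed, or when a CSE GUID is out of
 * sequence. Requiring at least one tool GUID per group is this example's
 * assumption about the syntax, not something the thread states.
 */
int gpo_cse_guids(const char *attr, char cse[][GUID_LEN + 1], int max)
{
    char prev[GUID_LEN + 1] = "", cur[GUID_LEN + 1];
    int n = 0;

    if (attr == NULL) return 0;                          /* attribute missing */
    while (isspace((unsigned char)*attr)) attr++;
    if (*attr == '\0') return 0;                         /* ' ' only: as if missing */

    while (*attr != '\0') {
        if (*attr != '[' || !is_guid(attr + 1)) return 0;  /* malformed group */
        memcpy(cur, attr + 1, GUID_LEN);
        cur[GUID_LEN] = '\0';
        if (n > 0 && strcasecmp(prev, cur) >= 0) return 0; /* out of sequence */
        if (n < max) strcpy(cse[n], cur);
        strcpy(prev, cur);
        n++;
        attr += 1 + GUID_LEN;
        if (!is_guid(attr)) return 0;                    /* needs >= 1 tool GUID */
        while (is_guid(attr)) attr += GUID_LEN;
        if (*attr++ != ']') return 0;                    /* group must close */
    }
    return n;
}
```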