On Sun, Aug 10, 2014 at 08:18:46PM -0400, Yassir Elley wrote:
----- Original Message -----
> On Thu, Jul 31, 2014 at 02:40:02PM -0400, Yassir Elley wrote:
> > Hi,
> >
> > The attached patch adds support for gpo processing in offline mode. While
> > the code for online mode uses LDAP to determine which gpo-guids are
> > applicable (and then uses SMB to retrieve policy files), the code in
> > offline mode simply retrieves all gpo-guids from the cache (and then
> > retrieves locally cached per-gpo-guid policy files). Note that neither
> > version checking nor the ad_gpo_cache_timeout option are relevant when in
> > offline mode.
> >
> > Unresolved issues:
> > * if there are no gpo-guids in the cache, the code currently denies
> > access; I suspect we should be allowing access instead; agree?
>
> If all the request ran into completion /and/ yet we found no GPOs, then
> it means there are no GPOs on the server side, right?
If we found no GPOs after running to completion, then it means that
there are no *applicable* GPOs on the server side (taking into account the
hostname, inheritance logic, dacl, supported-cse, etc). That's all that
matters. There may well be other GPOs on the server side that were *not*
applicable, but we don't care about those.
Right, then I agree with allowing access.
>
> If that's true, then I agree. I don't think there is any equivalent of
> IPA's allow_all, correct?
I think IPA's allow_all is simply the default HBAC rule that allows
all access. For GPOs, in the absence of any Allow Logon Locally policy
setting, the default is also to allow all access. In the case of IPA,
as soon as the allow_all rule is removed, then the semantics become deny
all (except for those allowed by additional rules). Similarly, as soon as
a single user/group is added to the Allow Logon Locally policy setting,
the semantics become deny all (except for the added users/groups).
Yes, exactly.
>
> > * I don't think offline callbacks are needed, but I'm unclear about whether
> > online callbacks are needed; I suspect they are not needed for the access
> > provider (b/c I don't see them being used by the ad_access_filter code);
> > should we trigger a fresh round of gpo processing when transitioning from
> > offline to online?
>
> This is something I'll test, but I suspect that we don't need additional
> callbacks. Usually there would be authentication attempt before the
> access control that would flip the offline state to online.
>
Thanks for the patches, these work for me.
ACK.
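The decision rules the thread settles on (no applicable GPOs found means allow; an Allow Logon Locally setting that is absent means allow all; a populated one means deny all except the listed principals), written out as an added Python illustration. This is not SSSD's ad_gpo code and not part of the thread: the cache layout, the GUID and SID strings, and the union of rights across several cached GPOs are assumptions made for the example.

```python
"""Illustration of the offline GPO logon decision discussed in the thread.

Not SSSD code. Assumptions of this example: a dict keyed by GPO GUID stands
in for the on-disk cache, principals are plain SID strings, and the Allow
Logon Locally right is unioned across all cached GPOs.
"""
from dataclasses import dataclass, field


@dataclass
class CachedGpo:
    """One GPO as it would sit in the local cache: its GUID plus the
    principals (SIDs) granted Allow Logon Locally.
    An empty set means the setting is absent from this GPO."""
    guid: str
    allow_logon_locally: set = field(default_factory=set)


def load_cached_gpo_guids(cache):
    """Offline mode: every cached GPO is treated as applicable, because the
    LDAP-side filtering (hostname, inheritance, DACL, supported CSE) cannot
    run without the server. Returns the GUIDs present in the cache."""
    return sorted(cache)


def evaluate_logon(cache, user_sids):
    """Return (allowed, reason) for a user given the GPO cache.

    Rules as agreed in the thread:
      1. no applicable GPOs           -> allow (nothing restricts logon)
      2. Allow Logon Locally not set  -> allow all
      3. setting populated            -> deny all except listed principals
    """
    guids = load_cached_gpo_guids(cache)
    if not guids:
        return True, "no applicable GPOs in cache; default allow"

    # Assumption of this example: rights from several GPOs are unioned.
    allowed = set()
    for guid in guids:
        allowed |= cache[guid].allow_logon_locally

    if not allowed:
        return True, "Allow Logon Locally absent from every GPO; default allow"

    matched = allowed & set(user_sids)
    if matched:
        return True, f"user matches Allow Logon Locally via {sorted(matched)}"
    return False, "Allow Logon Locally is set and user is not listed"


# Constructed sample cache; the GUIDs and SIDs are made up for the example.
SAMPLE_CACHE = {
    "{11111111-1111-1111-1111-111111111111}": CachedGpo(
        "{11111111-1111-1111-1111-111111111111}",
        allow_logon_locally={"S-1-5-21-0-0-0-1105"},  # e.g. an admins group
    ),
    "{22222222-2222-2222-2222-222222222222}": CachedGpo(
        "{22222222-2222-2222-2222-222222222222}"  # setting absent
    ),
}


if __name__ == "__main__":
    # token carries the allowed group SID: allowed
    print(evaluate_logon(SAMPLE_CACHE,
                         ["S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1105"]))
    # token without it: denied, because the setting is populated
    print(evaluate_logon(SAMPLE_CACHE, ["S-1-5-21-0-0-0-1002"]))
    # nothing cached at all: allowed, per the thread's conclusion
    print(evaluate_logon({}, ["S-1-5-21-0-0-0-1002"]))
```

The interesting case is the second GPO on its own: with the setting absent it allows everyone, but as soon as any cached GPO lists a principal the combined result flips to deny-by-default, which is the IPA allow_all parallel drawn in the thread.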