URL:
https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules
pbrezina commented:
"""
I can't reproduce this. I have two users 1) Administrator, 2) vagrant. I allow access
to the Administrator. Administrator is allowed to login as expected, vagrant is not able
to login either way regardless of the option settings because an applicable gpo is found
and the user is not explicitly allowed.
```
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeRemoteInteractiveLogonRight] value [*S-1-5-21-433998187-2822908608-1404606238-500]
(2020-08-21 15:36:40): [be[ad.vm]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [(null)]
(2020-08-21 15:36:40): [be[ad.vm]] [parse_policy_setting_value] (0x0400): No value for key [SeDenyRemoteInteractiveLogonRight] found in gpo result
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_size = 1
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): denied_size = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_granted = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_access_check] (0x0400): access_denied = 0
(2020-08-21 15:36:40): [be[ad.vm]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
```
The patch does not change the behavior.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5241#issuecomment-678295162
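
The decision in the log above can be recomputed from its RESULTANT POLICY and CURRENT USER lines, which is useful when triaging a "Host Access Denied" report. This is an added example, not code from the PR or from SSSD: the function names are hypothetical, and the handling of an empty allow list under `implicit_deny` is an assumption based on the documented meaning of `ad_gpo_implicit_deny`.

```python
import re

# Sample built from the ad_gpo_access_check lines in the comment above
# (timestamp and backend prefix dropped, wrapped lines rejoined).
SAMPLE_LOG = """\
[ad_gpo_access_check] (0x0400): allowed_size = 1
[ad_gpo_access_check] (0x0400): allowed_sids[0] = S-1-5-21-433998187-2822908608-1404606238-500
[ad_gpo_access_check] (0x0400): denied_size = 0
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-433998187-2822908608-1404606238-1000
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-433998187-2822908608-1404606238-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): access_granted = 0
[ad_gpo_access_check] (0x0400): access_denied = 0
"""

# Matches "name = value" and "name[i] = value" after the function tag.
FIELD = re.compile(r"\[ad_gpo_access_check\].*?:\s+(\w+)(?:\[\d+\])?\s*=\s*(\S+)")
SID_LISTS = ("allowed_sids", "denied_sids", "group_sids")

def parse(log):
    """Collect the policy, user and logged decision from one access check."""
    rec = {name: set() for name in SID_LISTS}
    for line in log.splitlines():
        m = FIELD.search(line)
        if not m:
            continue  # section headers such as "RESULTANT POLICY:"
        key, value = m.groups()
        if key in SID_LISTS:
            rec[key].add(value)
        else:
            rec[key] = value
    return rec

def evaluate(rec, implicit_deny=False):
    """Return (access_granted, access_denied, allowed) for the parsed record."""
    principals = {rec["user_sid"]} | rec["group_sids"]
    if rec["allowed_sids"]:
        granted = bool(principals & rec["allowed_sids"])
    else:
        # Assumption: an empty allow list grants access unless implicit deny is set.
        granted = not implicit_deny
    denied = bool(principals & rec["denied_sids"])
    return granted, denied, granted and not denied

def matches_logged(rec, implicit_deny=False):
    """True when the recomputed flags equal the ones SSSD logged."""
    granted, denied, _ = evaluate(rec, implicit_deny)
    return (int(granted), int(denied)) == (int(rec["access_granted"]), int(rec["access_denied"]))
```

With a non-empty allow list the result is the same for either value of `implicit_deny`, which matches the observation in the comment that the option makes no difference for the vagrant user.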