Hello guys,
All my sssd config is working fine, but for the last couple of days I've been trying to
make ad_gpo work and I have a weird issue I cannot fix.
Here is my sssd.conf
[sssd]
domains = glop.com
config_file_version = 2
services = nss, pam
[pam]
pam_pwd_expiration_warning = 3
[domain/glop.com]
debug_level = 8
ad_domain = glop.com
krb5_realm = GLOP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
pwd_expiration_warning = 3
default_shell = /bin/bash
dyndns_update = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
sudo_provider = ad
ad_gpo_default_right = interactive
#ad_gpo_map_type = permit
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = True
----------------
Whatever setting I use in ad_gpo_default_right does not seem to make a difference; in
my sssd.log I always see
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive <=========== THIS IS MY PROBLEM
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): allowed_size = 0
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): denied_size = 0
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): CURRENT USER:
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1801037062-2975133201-2745703018-1106
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-1801037062-2975133201-2745703018-1137
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-21-1801037062-2975133201-2745703018-513
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[2] = S-1-5-11
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): POLICY DECISION:
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): access_granted = 1
(Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): access_denied = 0
My problem, I believe, is the line 'gpo_map_type: Remote Interactive'.
My Windows Group Policy is set with
Allow log on locally => group_allowed
Deny log on locally => group deny
I have user1 member of group_allowed
I have user2 member of group_deny
At this point they can all logon, not what I expected :-(
After a little bit of research, and because the log returns 'gpo_map_type: Remote
Interactive', instead of using the GPO settings 'Allow log on locally & Deny log on
locally', I then used 'Allow log on through Remote Desktop Services & Deny log on
through Remote Desktop Services',
and then everything works as expected.
So my question: why is it working with a GPO using the 'log on through Remote Desktop
Services' parameters, but not working with 'Allow/Deny log on locally'?
Is there a way to change 'gpo_map_type: Remote Interactive' to 'gpo_map_type: Interactive'?
I have played with those 2 settings without success so far:
ad_gpo_default_right = interactive
ad_gpo_map_type = interactive
Thanks for your help
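The question above turns on how SSSD decides which Windows logon right applies to a given PAM service: each service name is looked up in the ad_gpo_map_* lists, and only services found in none of them fall back to ad_gpo_default_right. The following Python is an added example, not code from the post or from the SSSD project. It models that lookup (including the documented "+name"/"-name" syntax for editing a map) and the allowed/denied SID check that the debug log prints, so a defender can predict the gpo_map_type line before changing a production config. The default map contents are assumed from the sssd-ad(5) man page and may differ between releases, and the decision rule is a simplified model of ad_gpo_access_check, not a copy of it; the sssd.conf fragment is constructed for the example.

```python
"""Model of SSSD's ad_gpo PAM-service-to-logon-right mapping and access decision.

Added example, not code from the post or from the SSSD project. Default map
contents are assumed from sssd-ad(5); the decision rule is a simplified model.
"""

# Assumed defaults of the ad_gpo_map_* options; verify against your installed man page.
DEFAULT_MAPS = {
    "interactive": {"login", "su", "su-l", "gdm-fingerprint", "gdm-password",
                    "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm", "unity", "xdm"},
    "remote_interactive": {"sshd", "cockpit"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
    "permit": {"polkit-1", "sudo", "sudo-i", "systemd-user"},
    "deny": set(),
}

# Name each map type gets in the "gpo_map_type:" debug line.
LOG_NAMES = {"interactive": "Interactive", "remote_interactive": "Remote Interactive",
             "network": "Network", "batch": "Batch", "service": "Service",
             "permit": "Permit", "deny": "Deny"}


def parse_domain_options(conf_text):
    """Return the key/value pairs of the first [domain/...] section of an sssd.conf."""
    opts, in_domain = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_domain = line[1:-1].startswith("domain/")
            continue
        if in_domain and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def effective_maps(opts):
    """Apply ad_gpo_map_<type> options to the defaults.

    A value made only of +name / -name entries edits the default list; any other
    value replaces it outright. A service present in two maps is rejected here,
    because only one logon right can be evaluated per PAM service.
    """
    maps = {t: set(s) for t, s in DEFAULT_MAPS.items()}
    for map_type in maps:
        value = opts.get(f"ad_gpo_map_{map_type}")
        if value is None:
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if entries and all(e[0] in "+-" for e in entries):
            for e in entries:
                if e[0] == "+":
                    maps[map_type].add(e[1:])
                else:
                    maps[map_type].discard(e[1:])
        else:
            maps[map_type] = set(entries)
    seen = {}
    for map_type, services in maps.items():
        for svc in services:
            if svc in seen:
                raise ValueError(f"{svc} is mapped to both {seen[svc]} and {map_type}")
            seen[svc] = map_type
    return maps


def gpo_map_type(pam_service, opts):
    """Logon right SSSD would evaluate for pam_service, named as the debug log names it."""
    for map_type, services in effective_maps(opts).items():
        if pam_service in services:
            return LOG_NAMES[map_type]
    # Services in no map fall back to ad_gpo_default_right (SSSD's own default is deny).
    return LOG_NAMES[opts.get("ad_gpo_default_right", "deny").lower()]


def access_decision(user_sid, group_sids, allowed_sids, denied_sids, implicit_deny=False):
    """Simplified model of the POLICY DECISION step: an explicit deny wins, then an
    explicit allow, and an empty allow list admits everyone unless implicit deny is on."""
    principal = {user_sid, *group_sids}
    if principal & set(denied_sids):
        return False
    if not allowed_sids:
        return not implicit_deny
    return bool(principal & set(allowed_sids))


# Constructed sssd.conf fragment: moves sshd from the Remote Interactive map to the
# Interactive map, so "Allow/Deny log on locally" governs SSH logins.
EXAMPLE_CONF = """
[sssd]
domains = glop.com
services = nss, pam

[domain/glop.com]
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_default_right = interactive
ad_gpo_map_interactive = +sshd
ad_gpo_map_remote_interactive = -sshd
"""

if __name__ == "__main__":
    opts = parse_domain_options(EXAMPLE_CONF)
    for svc in ("sshd", "login", "cockpit", "sudo", "vsftpd"):
        print(f"{svc:8} -> gpo_map_type: {gpo_map_type(svc, opts)}")
```

Run as-is, the script reports sshd under Interactive only because the fragment both adds it to ad_gpo_map_interactive and removes it from ad_gpo_map_remote_interactive; with an empty options dict (the stock defaults) sshd still resolves to Remote Interactive, which is what the log in the post shows. The model also refuses a config that leaves sshd in both maps, which is the mistake to check for when only the "+sshd" line is added.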