On Thu, Jun 23, 2022 at 3:19 PM Fisher, Philip phil.fisher@dxc.com wrote:
Hello SSSD people
Is there a way to run (on RHEL 8 specifically) a command or query information so that a logged in (authorised) user can see the GPOs that are active for the session? I have tried Mr. Goggle without success.
I don't think there is a suitable command that SSSD provides. Maybe Samba suite does? I don't know.
SSSD caches downloaded GPOs in `/var/lib/sss/gpo_cache/`, but those aren't intended for general human consumption.
This information I realise may be obtained from the actual AD server but in general this access is not available hence this query.
Thanks.
-- Phil J Fisher
DXC Technology Company -- This message is transmitted to you by or on behalf of DXC Technology Company or one of its affiliates. It is intended exclusively for the addressee. The substance of this message, along with any attachments, may contain proprietary, confidential or privileged information or information that is otherwise legally exempt from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate any part of this message. If you have received this message in error, please destroy and delete all copies and notify the sender by return e-mail. Regardless of content, this e-mail shall not operate to bind DXC Technology Company or any of its affiliates to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi Alexey
I think samba-tool has a method but only when the server is acting as an AD server (which I believe RH does not support as it happens). But the things I am involved in have RHEL servers as AD “clients” so maybe it will be a case of hacking some form of query on the cache you mention.
Thanks for the response.
Phil
-- Phil J Fisher UNIX Technology Consultant DXC Technology
phil.fisher@dxc.com
DXC.com
From: Alexey Tikhonov atikhono@redhat.com Sent: 23 June 2022 15:50 To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD-users: querying GPO list
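A read-only summary of the cache directory named in the thread, as an added example that is not SSSD code and not from any poster. It assumes the cache mirrors the SYSVOL layout (`<domain>/Policies/{GUID}/.../GptTmpl.inf`), that the templates are UTF-16 INI files with a `[Privilege Rights]` section, and that the caller can read the directory; the GUID, domain name and SIDs in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

CACHE_ROOT = Path("/var/lib/sss/gpo_cache")  # path named in the thread
# Assumed layout: <domain>/Policies/{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

def read_inf(path):
    """Decode a GptTmpl.inf; SYSVOL copies are usually UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if utf16 else "utf-8-sig", errors="replace")

def privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = [v.strip(" *") for v in value.split(",") if v.strip()]
    return rights

def cached_gpos(root=CACHE_ROOT):
    """Map each cached GPO GUID to the logon rights found in its template."""
    found = {}
    for inf in Path(root).rglob("GptTmpl.inf"):
        for guid in filter(GUID_RE.match, inf.parts):
            found[guid] = privilege_rights(read_inf(inf))
    return found

def demo():
    """Build a constructed one-GPO cache in a temp dir and summarise it."""
    guid = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    sample = ("[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n"
              "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\r\n"
              "SeDenyNetworkLogonRight = *S-1-5-32-546\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        inf = Path(tmp, "example.test", "Policies", guid, "Machine",
                   "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")
        inf.parent.mkdir(parents=True)
        inf.write_bytes(sample.encode("utf-16"))
        return cached_gpos(tmp)

if __name__ == "__main__":
    print(cached_gpos() or demo())
```

The output lists only what is in the local cache at the time it runs; it says nothing about GPOs that SSSD has not downloaded.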
On Thu, Jun 23, 2022 at 04:49:34PM +0200, Alexey Tikhonov wrote:
On Thu, Jun 23, 2022 at 3:19 PM Fisher, Philip phil.fisher@dxc.com wrote:
Hello SSSD people
Is there a way to run (on RHEL 8 specifically) a command or query information so that a logged in (authorised) user can see the GPOs that are active for the session? I have tried Mr. Goggle without success.
I don't think there is a suitable command that SSSD provides. Maybe Samba suite does? I don't know.
Hi,
yes, currently SSSD does not provide such a tool. And currently SSSD might not even read the GPOs you are looking for because SSSD currently only reads GPOs for its own usage for access control.
You have asked for 'a logged in (authorised) user can see the GPOs that are active for the session' which sounds like you are looking for desktop policies. For this SSSD supports fleet commander, see e.g. https://sssd.io/design-pages/fleet_commander_integration.html.
bye, Sumit
Hi Sumit
I don't think so for us. We only access via SSH logins; the only desktop is an RDP session where GPOs are available via usual means. However I will check out the stuff you pointed me at, thanks.
-- Phil J Fisher
-----Original Message----- From: Sumit Bose sbose@redhat.com Sent: 28 June 2022 06:46 To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD-users: querying GPO list