On Tue, 2015-09-15 at 21:19 +0200, Davor Vusir wrote:
> I'm laborating with using GPO to restrict logon. Nothing fancy, no
> modifications made to GPO-parts of sssd.conf but just out-of-the-
> The GPO is set to be enforced.
> The idea is to let at least two categories of user accounts to be
> to login via ssh; category 1 must use public/private key
> and category 2 uses Kerberos. The groups "pubKeyUsers" and
> "KerberosUsers" are both added to "Allow log on through Terminal
> The "Authenticated Users"-group is being added by default when
> a GPO and logon is working as intended; "pubKeyUsers" must use key
> and "KerberosUsers" uses Kerberos password. Users with no membership
> either group are denied logon.
> When replacing "Authenticated users"-group with groups containing
> server account and groups "pubKeyUsers" and "KerberosUsers" to the
> Security Filtering it breaks. Members of "pubKeyUsers" need to
> authenticate through Kerberos password (the public/private key
> authentication is ignored), "KerberosUsers" are allowed as well as
> other domain user.
> I have also tried "loopback processing" as no user account has any
> GPOs applied, but servers only.
> It seems that SSSD doesn't honor Security Filtering but for
> Users"-group only. Is that true? How is SSSD handling Security
Handling of the Security Filtering GPO features hasn't been
implemented. We really only handle the relatively simple "Allow logon
*" functionality. Please file an enhancement request to support