Bug 1104676

Summary: SSSD GPO-Based Access Control
Product: [Fedora] Fedora
Reporter: Jaroslav Reznik <jreznik>
Component: Changes Tracking
Assignee: Jaroslav Reznik <jreznik>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: unspecified
Docs Contact: Simon Clark <simon.richard.clark>
Priority: unspecified
Version: rawhide
CC: jrieden, sgallagh, simon.richard.clark
Target Milestone: ---
Flags: simon.richard.clark: fedora_requires_release_note+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: ChangeAcceptedF21 SelfContainedChange
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2014-12-08 15:22:25 UTC
Type: ---

Description Jaroslav Reznik 2014-06-04 13:34:15 UTC
This is a tracking bug for Change: SSSD GPO-Based Access Control
For more details, see: https://fedoraproject.org//wiki/Changes/SssdGpoBasedAccessControl

This change will enhance SSSD, by adding support for centrally managed host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).

Comment 1 Jaroslav Reznik 2014-07-04 10:43:40 UTC
This message is a reminder that Fedora 21 Accepted Changes Freeze Deadline is on 2014-07-08 [1].

At this point, all accepted Changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be so enabled at Change Freeze.

This bug should be set to the MODIFIED state to indicate that it achieved completeness. Status will be provided to FESCo right after the deadline. If, for any reason, your Change is not in the required state, let me know and we will try to find a solution. For Changes you decide to cancel/move to the next release, please use the NEW status and set needinfo on me and it will be acted upon.

In case of any questions, don't hesitate to ask Wrangler (jreznik). Thank you.

[1] https://fedoraproject.org/wiki/Releases/21/Schedule

Comment 2 Jaroslav Reznik 2014-10-07 12:23:48 UTC
This message is a reminder that Fedora 21 Change Checkpoint: 100% Code Complete Deadline (Former Accepted Changes 100% Complete) is on 2014-10-14 [1].

All Accepted Changes have to be code complete and ready to be validated in the Beta release (optionally by Fedora QA). Required bug state at this point is ON_QA.

As for several System Wide Changes, Beta Change Deadline is a point of contingency plan. All incomplete Changes will be reported to FESCo at the 2014-10-15 meeting. In case of any questions, don't hesitate to ask Wrangler (jreznik).

[1] https://fedoraproject.org/wiki/Releases/21/Schedule

Comment 3 Stephen Gallagher 2014-10-14 16:14:54 UTC
The engineer who was working on this left Red Hat. I have taken it over and seen to its completion. The code is committed to upstream SSSD, though the latest bugfixes didn't make the Beta Freeze and may end up in Final. (It's code-complete, but not bug-free)

Comment 4 Jaroslav Reznik 2014-10-15 11:43:29 UTC
Thanks Stephen, code complete is enough for this stage. Moving to ON_QA.

Comment 5 Simon Clark 2014-10-27 22:08:18 UTC
I have drafted the F21 release notes entry for this change (mainly text from the F21 Changes wiki pages).  Please would you take a look at https://git.fedorahosted.org/cgit/docs/release-notes.git/tree/en-US/Security.xml and let me know if it is OK or if anything needs to be added or changed.

Thanks.

Comment 6 Stephen Gallagher 2014-10-28 12:45:10 UTC
Simon, there are two pieces that you are missing here.

1) By default, SSSD's AD provider will be in "permissive" mode, so that it won't break upgrades. Users will need to set "enforcing" mode manually (see sssd-ad(5))

2) We support much more than just the Local Logon. We also support remote logons, service logons and more. Each of these standard GPO security options can be mapped to any PAM service, allowing for users to comprehensively configure their system.

I think those are the important pieces.
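
A check for the first point in the comment above, as an added example that is not part of the thread or of SSSD: it reads an sssd.conf and lists the AD domains whose GPO access control is not set to enforcing. The option name `ad_gpo_access_control` comes from sssd-ad(5); the sample configuration, its domain names and the function names are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; domain names are made up for illustration.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, files.example

[domain/corp.example]
id_provider = ad
access_provider = ad

[domain/lab.example]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing

[domain/files.example]
id_provider = ldap
access_provider = permit
"""

def gpo_modes(conf_text, default_mode="permissive"):
    """Return {domain: effective GPO mode} for domains with access_provider = ad.

    default_mode is the default described in the thread above (an assumption
    for any other release); check sssd-ad(5) for the installed SSSD version.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    modes = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("access_provider", "").strip().lower() != "ad":
            continue  # GPO evaluation is part of the AD access provider
        mode = dom.get("ad_gpo_access_control", default_mode).strip().lower()
        modes[section[len("domain/"):]] = mode
    return modes

def not_enforcing(conf_text, default_mode="permissive"):
    """Domains where GPO rules do not block logins (permissive or disabled)."""
    return sorted(d for d, m in gpo_modes(conf_text, default_mode).items()
                  if m != "enforcing")

if __name__ == "__main__":
    for domain in not_enforcing(SAMPLE_CONF):
        print(f"{domain}: GPO access control is not enforcing")
```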

Comment 7 Simon Clark 2014-10-28 21:57:49 UTC
Stephen, thank you for your feedback.  I have revised the release notes entry to take account of what you said.  Please take another look at https://git.fedorahosted.org/cgit/docs/release-notes.git/tree/en-US/Security.xml and let me know whether it is now OK or still needs further work.

Comment 8 Stephen Gallagher 2014-11-12 05:28:28 UTC
Sorry for the delay. This looks good to me. Thanks!