Bug 1203643

Summary: GPO access control looks for computer object in user's domain only
Product: Red Hat Enterprise Linux 6
Component: sssd
Version: 6.7
Status: CLOSED ERRATA
Reporter: Jakub Hrozek <jhrozek>
Assignee: Stephen Gallagher <sgallagh>
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
CC: dlavu, grajaiya, jgalipea, jhrozek, kbanerje, lslebodn, mkosek, mzidek, pbrezina, preichl, sssd-maint
Fixed In Version: sssd-1.12.4-31.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Clone Of: 1203642
Bug Depends On: 1203642
Last Closed: 2015-07-22 06:43:42 UTC

Description Jakub Hrozek 2015-03-19 10:20:17 UTC
+++ This bug was initially created as a clone of Bug #1203642 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2606

The GPO access control code receives the user's domain as input and uses it to look up the computer object. That doesn't work if the user is from a subdomain, because we'd miss the computer object.

We need to look up the computer object in the domain we're enrolled with. We can use the GPO connection here, maybe, my initial testing shows that the attributes we're interested with are replicated to GC.

We also need to test with a computer enrolled with a child domain and login with user from parent domain to make sure the GPOs applied to the parent domain or OU are found correctly. Again, GC might be helpful here.
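The failure mode described in this ticket, modelled as an added example (not SSSD code): a tiny in-memory forest with separate naming contexts per domain, where the host's computer object is searched under a base DN derived from the user's domain versus the enrolled domain, plus a GC-style forest-wide search. Domain names, the host name CLIENT01 and the directory entries are constructed for illustration.

```python
# Added example, not part of the bug report or of SSSD.
# Models why deriving the computer-object search base from the user's
# domain misses the host's own object when the user comes from another
# domain of the forest, and why an enrolled-domain or GC search finds it.

def base_dn(dns_domain: str) -> str:
    """Map a DNS domain name to the DN of its AD domain naming context."""
    return ",".join(f"DC={label}" for label in dns_domain.split("."))

# Constructed forest: host CLIENT01 is joined to the parent domain
# example.com; users may log in from the child domain sub.example.com.
# Each entry is (naming context DN, entry DN, objectClass, sAMAccountName).
FOREST = [
    ("DC=example,DC=com", "CN=CLIENT01,CN=Computers,DC=example,DC=com",
     "computer", "CLIENT01$"),
    ("DC=sub,DC=example,DC=com", "CN=administrator,CN=Users,DC=sub,DC=example,DC=com",
     "user", "administrator"),
]

def search(base: str, object_class: str, sam: str) -> list[str]:
    """Subtree search limited to one naming context, as a domain LDAP
    search is; an empty base stands for a GC search across the forest."""
    return [
        dn for nc, dn, oc, name in FOREST
        if (base == "" or nc.lower() == base.lower())
        and oc == object_class and name == sam
    ]

def computer_dn_buggy(user_domain: str, hostname: str) -> list[str]:
    """Pre-fix behaviour: search base taken from the *user's* domain."""
    return search(base_dn(user_domain), "computer", hostname + "$")

def computer_dn_fixed(enrolled_domain: str, hostname: str) -> list[str]:
    """Fixed behaviour: search base taken from the domain the host joined."""
    return search(base_dn(enrolled_domain), "computer", hostname + "$")

def computer_dn_via_gc(hostname: str) -> list[str]:
    """Alternative suggested in the ticket: forest-wide lookup via the GC."""
    return search("", "computer", hostname + "$")

if __name__ == "__main__":
    print("user from child domain, buggy:", computer_dn_buggy("sub.example.com", "CLIENT01"))
    print("enrolled domain, fixed:       ", computer_dn_fixed("example.com", "CLIENT01"))
    print("GC search:                    ", computer_dn_via_gc("CLIENT01"))
```

A user from the parent domain logging in to a host joined to a child domain (the second case the ticket asks to test) fails the same way, since the search base again lands in the wrong naming context.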

Comment 3 Dan Lavu 2015-06-11 13:55:38 UTC
This has been verified against sssd-ad-1.12.4-42.el6.x86_64 

ssh administrator@192.168.77.99
administrator@192.168.77.99's password: 
Last login: Thu Jun 11 08:55:37 2015 from daredevil.lab.runlevelone.lan
Could not chdir to home directory /home/example.com/administrator: No such file or directory
-bash-4.1$ exit
logout
Connection to 192.168.77.99 closed.

ssh administrator.com.77.99
administrator@192.168.77.99's password: 
Last login: Thu Jun 11 08:52:23 2015 from daredevil.lab.runlevelone.lan
Could not chdir to home directory /home/subdomain.example.com/administrator: No such file or directory

Comment 5 errata-xmlrpc 2015-07-22 06:43:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html