Bug 1221365

Summary: [RFE] Support GPOs from different domain controllers
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium
Version: 6.6
CC: dlavu, grajaiya, jgalipea, jhrozek, kbanerje, lslebodn, mkosek, mzidek, pbrezina, preichl, salmy, sgoveas, sssd-maint
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.13.2-1.el6
Doc Type: Release Note
Doc Text:
SSSD now supports GPOs from different domain controllers
The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers.
Clone Of: 1217559
Last Closed: 2016-05-10 20:22:54 UTC
Bug Depends On: 1217559
Attachments: Verification Logs (flags: none)

Description Jakub Hrozek 2015-05-13 20:54:24 UTC
+++ This bug was initially created as a clone of Bug #1217559 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2645

We decided to deny access to fix the crash in ticket #2629.
It was a short-term solution for GPOs from a different domain controller.

@see details in thread https://lists.fedorahosted.org/pipermail/sssd-devel/2015-April/023279.html

Comment 2 Jakub Hrozek 2015-06-03 13:00:15 UTC
master:
    c9db9d3e3d1a51117a64b366ec866bbeb009c57f
    31bafc0d6384a30859aa18f3bd22275aec6ee2ed

Comment 4 Dan Lavu 2016-03-02 04:51:39 UTC
Created attachment 1132144
Verification Logs

Comment 5 Dan Lavu 2016-03-02 04:54:21 UTC
Manually verified against sssd-1.13.3-15.el6.x86_64, full logs attached. 

#### output

ssh denied.com.76.3
denied.com.76.3's password:
Connection closed by 192.168.76.3

ssh allowed.com.76.3
allowed.com.76.3's password:
Last login: Tue Mar  1 23:41:15 2016 from 192.168.71.16

[allowed.com@sssdqe1 ~]$ hostname
sssdqe1.domain.com

#### config file


[sssd]
config_file_version = 2
services = nss, pam
domains = domain.com

[nss]
default_shell = /bin/bash

[domain/domain.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = domain.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
ad_gpo_access_control = enforcing
access_provider = ad

Comment 7 errata-xmlrpc 2016-05-10 20:22:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html