This is a tracking bug for Change: SSSD GPO-Based Access Control
For more details, see: https://fedoraproject.org//wiki/Changes/SssdGpoBasedAccessControl
This change will enhance SSSD by adding support for centrally managed host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).
This message is a reminder that Fedora 21 Accepted Changes Freeze Deadline is on 2014-07-08.
At this point, all accepted Changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be so enabled at Change Freeze.
This bug should be set to the MODIFIED state to indicate that it achieved completeness. Status will be provided to FESCo right after the deadline. If, for any reason, your Change is not in the required state, let me know and we will try to find a solution. For Changes you decide to cancel/move to the next release, please use the NEW status and set needinfo on me and it will be acted upon.
In case of any questions, don't hesitate to ask Wrangler (jreznik). Thank you.
This message is a reminder that Fedora 21 Change Checkpoint: 100% Code Complete Deadline (Former Accepted Changes 100% Complete) is on 2014-10-14.
All Accepted Changes have to be code complete and ready to be validated in the Beta release (optionally by Fedora QA). Required bug state at this point is ON_QA.
As for several System Wide Changes, Beta Change Deadline is a point of contingency plan. All incomplete Changes will be reported to FESCo at the 2014-10-15 meeting. In case of any questions, don't hesitate to ask Wrangler (jreznik).
The engineer who was working on this left Red Hat. I have taken it over and seen to its completion. The code is committed to upstream SSSD, though the latest bugfixes didn't make the Beta Freeze and may end up in Final. (It's code-complete, but not bug-free.)
Thanks Stephen, code complete is enough for this stage. Moving to ON_QA.
I have drafted the F21 release notes entry for this change (mainly text from the F21 Changes wiki pages). Please would you take a look at https://git.fedorahosted.org/cgit/docs/release-notes.git/tree/en-US/Security.xml and let me know if it is OK or if anything needs to be added or changed.
Simon, there are two pieces that you are missing here.
1) By default, SSSD's AD provider will be in "permissive" mode, so that it won't break upgrades. Users will need to set "enforcing" mode manually (see sssd-ad(5)).
2) We support much more than just the Local Logon. We also support remote logons, service logons and more. Each of these standard GPO security options can be mapped to any PAM service, allowing for users to comprehensively configure their system.
I think those are the important pieces.
Stephen, thank you for your feedback. I have revised the release notes entry to take account of what you said. Please take another look at https://git.fedorahosted.org/cgit/docs/release-notes.git/tree/en-US/Security.xml and let me know whether it is now OK or still needs further work.
Sorry for the delay. This looks good to me. Thanks!
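Because the thread notes that the AD provider defaults to "permissive" and that GPO security options can be mapped to PAM services, the following added example (not code from SSSD or from this bug) audits an sssd.conf for AD domains where GPO rules are not actually enforced. The option names `ad_gpo_access_control` and `ad_gpo_map_*` are those documented in sssd-ad(5); the sample configuration, domain names and PAM service names are constructed.

```python
import configparser

# Constructed sample sssd.conf: domain and PAM service names are made up.
SAMPLE_CONF = """
[sssd]
domains = corp.example.test, lab.example.test

[domain/corp.example.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +my_ssh_wrapper
ad_gpo_map_service = +my_daemon

[domain/lab.example.test]
id_provider = ad
access_provider = ad
"""

VALID_MODES = {"disabled", "permissive", "enforcing"}


def audit_gpo(conf_text, default_mode="permissive"):
    """Report the GPO mode and PAM service mappings of each AD domain.

    default_mode is the mode assumed when ad_gpo_access_control is absent;
    "permissive" is the default stated in this thread (assumption for other
    SSSD versions: check sssd-ad(5) on the host).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        opts = parser[section]
        # Assumption: GPO rules are evaluated only by the AD access provider.
        if not section.startswith("domain/") or opts.get("access_provider") != "ad":
            continue
        mode = opts.get("ad_gpo_access_control", default_mode).strip().lower()
        if mode not in VALID_MODES:
            raise ValueError(f"{section}: unknown ad_gpo_access_control {mode!r}")
        report[section[len("domain/"):]] = {
            "mode": mode,
            "enforced": mode == "enforcing",  # permissive only logs denials
            "maps": {k: v for k, v in opts.items() if k.startswith("ad_gpo_map_")},
        }
    return report


if __name__ == "__main__":
    for domain, info in audit_gpo(SAMPLE_CONF).items():
        print(domain, info["mode"], "ENFORCED" if info["enforced"] else "NOT ENFORCED", info["maps"])
```

A domain reported as not enforced still evaluates GPO rules but does not block logons, so an upgraded host can look protected while denying nobody.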