Bug 1221365 - [RFE] Support GPOs from different domain controllers
Summary: [RFE] Support GPOs from different domain controllers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1217559
Blocks:
Reported: 2015-05-13 20:54 UTC by Jakub Hrozek
Modified: 2016-05-10 20:22 UTC

Fixed In Version: sssd-1.13.2-1.el6
Doc Type: Release Note
Doc Text:
SSSD now supports GPOs from different domain controllers
The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers.
Clone Of: 1217559
Environment:
Last Closed: 2016-05-10 20:22:54 UTC
Target Upstream Version:


Attachments
Verification Logs (168.79 KB, text/plain), 2016-03-02 04:51 UTC, Dan Lavu


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:0782 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2016-05-10 22:36:00 UTC

Description Jakub Hrozek 2015-05-13 20:54:24 UTC
+++ This bug was initially created as a clone of Bug #1217559 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2645

We decided to deny access to fix the crash in ticket #2629.
It was a short-term solution for GPOs from a different domain controller.

@see details in thread https://lists.fedorahosted.org/pipermail/sssd-devel/2015-April/023279.html

Comment 2 Jakub Hrozek 2015-06-03 13:00:15 UTC
master:
    c9db9d3e3d1a51117a64b366ec866bbeb009c57f
    31bafc0d6384a30859aa18f3bd22275aec6ee2ed

Comment 4 Dan Lavu 2016-03-02 04:51:39 UTC
Created attachment 1132144
Verification Logs

Comment 5 Dan Lavu 2016-03-02 04:54:21 UTC
Manually verified against sssd-1.13.3-15.el6.x86_64, full logs attached. 

#### output

ssh denied@sub.domain.com@192.168.76.3
denied@sub.domain.com@192.168.76.3's password:
Connection closed by 192.168.76.3

ssh allowed@sub.domain.com@192.168.76.3
allowed@sub.domain.com@192.168.76.3's password:
Last login: Tue Mar  1 23:41:15 2016 from 192.168.71.16

[allowed@sub.domain.com@sssdqe1 ~]$ hostname
sssdqe1.domain.com

#### config file


[sssd]
config_file_version = 2
services = nss, pam
domains = domain.com

[nss]
default_shell = /bin/bash

[domain/domain.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = domain.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
ad_gpo_access_control = enforcing
access_provider = ad
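
An added example, not part of the bug report or of SSSD: a Python check, run over a constructed copy of the configuration from Comment 5, that reports whether GPO-based access control is actually enforced for each enabled domain. The function name and the status labels are assumptions made for this example.

```python
import configparser

# Constructed sample: a trimmed copy of the sssd.conf shown in Comment 5.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.com

[domain/domain.com]
id_provider = ad
ad_domain = domain.com
fallback_homedir = /home/%d/%u
ad_gpo_access_control = enforcing
access_provider = ad
"""

def gpo_enforcement(conf_text):
    """Return {domain: status} for every domain enabled in the [sssd] section."""
    # interpolation=None: values such as /home/%d/%u are not configparser templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    report = {}
    for name in enabled:
        section = "domain/" + name
        if not cp.has_section(section):
            report[name] = "missing-section"
            continue
        provider = cp.get(section, "access_provider", fallback="").strip().lower()
        mode = cp.get(section, "ad_gpo_access_control", fallback="").strip().lower()
        if provider != "ad":
            # GPO access control is part of the AD access provider.
            report[name] = "gpo-not-evaluated"
        elif mode == "enforcing":
            report[name] = "enforced"
        elif mode == "permissive":
            report[name] = "log-only"   # evaluated and logged, never denies a login
        elif mode == "disabled":
            report[name] = "disabled"
        else:
            # Unset: the effective default depends on the SSSD build, so set it explicitly.
            report[name] = "unset-or-unknown"
    return report

if __name__ == "__main__":
    for domain, status in gpo_enforcement(SAMPLE_CONF).items():
        print(domain, status)
```

Only the "enforced" status corresponds to the denied/allowed behaviour shown in the ssh output above.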

Comment 7 errata-xmlrpc 2016-05-10 20:22:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html

