Bug 1221365 - [RFE] Support GPOs from different domain controllers
Summary: [RFE] Support GPOs from different domain controllers
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Namita Soman
Aneta Šteflová Petrová
Depends On: 1217559
Reported: 2015-05-13 20:54 UTC by Jakub Hrozek
Modified: 2016-05-10 20:22 UTC (History)

Fixed In Version: sssd-1.13.2-1.el6
Doc Type: Release Note
Doc Text:
SSSD now supports GPOs from different domain controllers
The System Security Services Daemon (SSSD) service has been updated to support group policy objects (GPOs) from different domain controllers.
Clone Of: 1217559
Last Closed: 2016-05-10 20:22:54 UTC
Target Upstream Version:

Attachments
Verification Logs (168.79 KB, text/plain)
2016-03-02 04:51 UTC, Dan Lavu

System: Red Hat Product Errata
ID: RHBA-2016:0782
Priority: normal
Status: SHIPPED_LIVE
Summary: sssd bug fix and enhancement update
Last Updated: 2016-05-10 22:36:00 UTC

Description Jakub Hrozek 2015-05-13 20:54:24 UTC
+++ This bug was initially created as a clone of Bug #1217559 +++

This bug is created as a clone of upstream ticket:

We decided to deny access to fix the crash in ticket #2629.
It was a short-term solution for GPOs from a different domain controller.

@see details in thread https://lists.fedorahosted.org/pipermail/sssd-devel/2015-April/023279.html

Comment 2 Jakub Hrozek 2015-06-03 13:00:15 UTC

Comment 4 Dan Lavu 2016-03-02 04:51:39 UTC
Created attachment 1132144
Verification Logs

Comment 5 Dan Lavu 2016-03-02 04:54:21 UTC
Manually verified against sssd-1.13.3-15.el6.x86_64, full logs attached. 

#### output

ssh denied@sub.domain.com@
denied@sub.domain.com@'s password:
Connection closed by

ssh allowed@sub.domain.com@
allowed@sub.domain.com@'s password:
Last login: Tue Mar  1 23:41:15 2016 from

[allowed@sub.domain.com@sssdqe1 ~]$ hostname

#### config file

[sssd]
config_file_version = 2
services = nss, pam
domains = domain.com

[nss]
default_shell = /bin/bash

[domain/domain.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = domain.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
ad_gpo_access_control = enforcing
access_provider = ad

Comment 7 errata-xmlrpc 2016-05-10 20:22:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

