Bug 1462348 - [rfe] sssd should be able to process host-based security filtering when processing active directory gpos
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: pre-dev-freeze
: 8.1
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2017-06-16 19:47 UTC by Striker Leggette
Modified: 2019-02-22 15:42 UTC (History)
Type: Bug

Description Striker Leggette 2017-06-16 19:47:33 UTC
[+] Description of problem:
 - Active Directory GPOs which are applied to Linux hosts per their security filtering should be properly handled by SSSD.  At the moment, GPOs can only be applied to Linux hosts which live within the OU that the GPO is linked to.

Comment 3 Jakub Hrozek 2017-06-28 18:38:25 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3443

Comment 9 Michal Zidek 2018-11-12 12:10:27 UTC
I am just adding a short summary for convenience:

On a Win server machine it is possible to specify a security filter for each GPO. This filter can contain users, groups and host entries. The meaning of the filter is "this GPO is applicable only if we deal with entries specified in this list".

SSSD currently ignores the host entries and only works with user and group entries, so if the list contains host A and no users/groups, SSSD will always evaluate the GPO as not applicable even if users log into host A.
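The difference summarized in comment 9, as an added sketch that is not SSSD code and not part of the original report: a simplified model of security-filter evaluation that compares the current behaviour with the one this RFE asks for, and lists the GPOs whose outcome would change for a given login. The `(kind, name)` entry notation, the function names, the sample GPOs and the reading of the requested behaviour as "user, group or host match" are all assumptions.

```python
from dataclasses import dataclass

# Simplified model: a security filter is a list of (kind, name) entries where
# kind is "user", "group" or "host". This notation is an assumption.

@dataclass(frozen=True)
class Login:
    user: str
    groups: frozenset
    host: str

def user_side(login):
    """Entries that describe the user logging in and the user's groups."""
    return {("user", login.user)} | {("group", g) for g in login.groups}

def applies_current(security_filter, login):
    """Behaviour described in comment 9: host entries are ignored."""
    return bool(set(security_filter) & user_side(login))

def applies_requested(security_filter, login):
    """Assumed reading of the RFE: a matching host entry also counts."""
    wanted = user_side(login) | {("host", login.host)}
    return bool(set(security_filter) & wanted)

def changed_by_host_entries(gpos, login):
    """Names of GPOs that evaluate differently once host entries count."""
    return sorted(name for name, flt in gpos.items()
                  if applies_current(flt, login) != applies_requested(flt, login))

# Constructed sample data, not taken from any real directory.
SAMPLE_GPOS = {
    "ssh-admins": [("group", "linux-admins")],
    "hostA-logon": [("host", "hostA")],
    "mixed": [("host", "hostA"), ("user", "bob")],
    "other-host": [("host", "hostB")],
}
ALICE_ON_A = Login("alice", frozenset({"staff"}), "hostA")

if __name__ == "__main__":
    for name, flt in SAMPLE_GPOS.items():
        print(f"{name:12} current={applies_current(flt, ALICE_ON_A)!s:5} "
              f"requested={applies_requested(flt, ALICE_ON_A)}")
    print("changed:", changed_by_host_entries(SAMPLE_GPOS, ALICE_ON_A))
```

A GPO reported by `changed_by_host_entries` is one whose settings are currently skipped on that host although its filter names the host.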

