[+] Description of problem:
- Active Directory GPOs which are applied to Linux hosts per their security filtering should be properly handled by SSSD. At the moment, GPOs can only be applied to Linux hosts which live within the OU that the GPO is linked to.
I am just adding a short summary for convenience:
On a Windows Server machine it is possible to specify a security filter for each GPO. This filter can contain users, groups and host entries. The meaning of the filter is "this GPO is applicable only if we deal with entries specified in this list".
SSSD currently ignores the host entries and only works with user and group entries, so if the list contains host A and no users/groups, SSSD will always evaluate the GPO as not applicable, even if users log into host A.
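
The evaluation difference described in this report, as an added C sketch that is not SSSD's code and not part of the original report. The SIDs are constructed, the `login_ctx` struct and both function names are hypothetical, and treating a matching host entry as sufficient is an assumed reading of the requested behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SIDs; not taken from any real domain. */
#define SID_ALICE  "S-1-5-21-1111-2222-3333-1104"
#define SID_STAFF  "S-1-5-21-1111-2222-3333-1201"
#define SID_HOST_A "S-1-5-21-1111-2222-3333-1605"
#define SID_HOST_B "S-1-5-21-1111-2222-3333-1606"

/* Hypothetical login context: the user's SIDs and the machine logged into. */
struct login_ctx {
    const char *const *user_sids; /* user SID followed by group SIDs */
    size_t n_user_sids;
    const char *host_sid;         /* computer account of the Linux host */
};

static bool in_filter(const char *sid, const char *const *f, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, f[i]) == 0)
            return true;
    return false;
}

/* Behaviour described in the report: only user and group entries match. */
bool applies_user_group_only(const struct login_ctx *c, const char *const *f, size_t n) {
    for (size_t i = 0; i < c->n_user_sids; i++)
        if (in_filter(c->user_sids[i], f, n))
            return true;
    return false;
}

/* Assumed fix: a matching host entry also makes the GPO applicable. */
bool applies_host_aware(const struct login_ctx *c, const char *const *f, size_t n) {
    return applies_user_group_only(c, f, n) || in_filter(c->host_sid, f, n);
}

static const char *const ALICE_SIDS[] = { SID_ALICE, SID_STAFF };
static const char *const FILTER_HOST_A[] = { SID_HOST_A }; /* host A, no users/groups */
static const struct login_ctx ALICE_ON_A = { ALICE_SIDS, 2, SID_HOST_A };
static const struct login_ctx ALICE_ON_B = { ALICE_SIDS, 2, SID_HOST_B };

int main(void) {
    printf("user/group only, host A: %d\n", applies_user_group_only(&ALICE_ON_A, FILTER_HOST_A, 1));
    printf("host aware, host A:      %d\n", applies_host_aware(&ALICE_ON_A, FILTER_HOST_A, 1));
    printf("host aware, host B:      %d\n", applies_host_aware(&ALICE_ON_B, FILTER_HOST_A, 1));
}
```

The third case checks that the host-aware evaluation does not become over-permissive: the same filter still leaves the GPO not applicable on host B.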