On 06/20/2018 04:16 PM, Mote, Todd wrote:
> In my testing, I found that it does not appear that Access control GPOs are cumulative. So, the GPO on the OU closest to the computer object will win. So I put a general GPO at the top of the structure and have just instructed down-OU admins that when they write GPOs for their OUs they have to include what the top level one has in it, in addition to what they need to add, to ensure global access continues for the "uber admins" and they can add access to service accounts and other service level users.
> It's a drag, but it seems to work.
This is true. And it is also very confusing for many admins.

But you actually do not need to copy the entire GPO from the above OU/Domain level. Only rules that are specified again in the lower GPO need copying (for example, when adding a user to the "Allow log on locally" rule, you need to copy the whole "Allow log on locally" list from the GPO from the above level and then add a user to the list, but if the "Deny log on locally" rule does not change in the new GPO then you do not need to copy it from the above GPO). So the GPOs are "sort of" cumulative.

But I agree that copying the whole GPO and expanding/changing it for the lower level OUs is better, because it is much easier to debug.
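A small model of the per-rule override described above, added here as an illustration and not code from SSSD or from anyone in the thread; the setting names, group names and the "svc-app" account are constructed for the example:

```python
"""Per-setting GPO override along an OU chain (added illustration, not SSSD code).
Each GPO maps a user-rights setting to the complete principal list it assigns.
GPOs are ordered from the top OU down to the OU closest to the computer; a
closer GPO replaces the whole list of any setting it names and inherits the rest.
Setting names and principals are constructed for the example."""
from typing import Dict, List, Sequence

Gpo = Dict[str, List[str]]


def effective_policy(gpos_top_to_closest: Sequence[Gpo]) -> Gpo:
    """Apply GPOs top-down; a closer GPO overrides per setting, not per entry."""
    effective: Gpo = {}
    for gpo in gpos_top_to_closest:
        for setting, principals in gpo.items():
            effective[setting] = list(principals)  # whole list replaced
    return effective


def access_allowed(policy: Gpo, groups: Sequence[str],
                   allow_setting: str, deny_setting: str) -> bool:
    """Deny wins over allow; otherwise some group must be in the allow list."""
    member = set(groups)
    if member & set(policy.get(deny_setting, [])):
        return False
    return bool(member & set(policy.get(allow_setting, [])))


# Top-level OU GPO: Domain Admins may log on; Guests are explicitly denied.
TOP_OU = {"Allow log on locally": ["Domain Admins"],
          "Deny log on locally": ["Guests"]}
# Single-server GPO written the way the thread warns against: it names only
# the service account, so Domain Admins lose the right on that server.
SERVER_WRONG = {"Allow log on locally": ["svc-app"],
                "Log on as a service": ["svc-app"]}
# Corrected single-server GPO: re-lists the inherited principals and adds the
# service account; "Deny log on locally" is not named, so it stays inherited.
SERVER_FIXED = {"Allow log on locally": ["Domain Admins", "svc-app"],
                "Log on as a service": ["svc-app"]}


def domain_admin_can_log_on(server_gpo: Gpo) -> bool:
    policy = effective_policy([TOP_OU, server_gpo])
    return access_allowed(policy, ["Domain Users", "Domain Admins"],
                          "Allow log on locally", "Deny log on locally")
```

Running `domain_admin_can_log_on` with each server GPO reproduces the lock-out from the thread: the first returns False, the corrected one True, while the inherited deny list is unchanged in both cases.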
-----Original Message-----
From: Max DiOrio <mdiorio(a)gmail.com>
Sent: Wednesday, June 20, 2018 9:08 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] Re: Multiple GPOs and order processing issue
Haven’t heard back from anyone on this issue, I know it’s been a while, but we’re still
seeing it, and it’s getting to be much more of an issue as we start migrating production
servers over to the AD domain.
How can we use multiple group policies to define security rights? Or do I need to do a
single group policy per server, which seems awful.
> On May 29, 2018, at 12:18 PM, Max DiOrio <mdiorio(a)gmail.com> wrote:
>
> Attached are the logs. It seems that even after removing the GPOs, it is still being blocked from logging in.
>
> From secure:
>
> May 29 12:17:24 la-1potpap01 sshd[8292]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.85.144.87 user=a-mdiorio
> May 29 12:17:25 la-1potpap01 sshd[8292]: pam_sss(sshd:account): Access denied for user a-mdiorio: 4 (System error)
> May 29 12:17:25 la-1potpap01 sshd[8292]: Failed password for a-mdiorio from 10.85.144.87 port 60267 ssh2
> May 29 12:17:25 la-1potpap01 sshd[8292]: fatal: Access denied for user a-mdiorio by PAM account configuration [preauth]
>
> <Archive.zip>
>
>> On May 28, 2018, at 6:49 AM, Michal Židek <mzidek(a)redhat.com> wrote:
>>
>> Hi!
>>
>> From your description the setup should work. Can you send full (sanitized) logs? Mostly the domain and gpo_child logs are interesting here, but for simplicity you can send all logs:
>> - stop sssd
>> - remove cached files in:
>> rm -r /var/lib/sss/gpo_cache/*
>> rm -r /var/lib/sss/db/*
>> - set debug_level in domain section in /etc/sssd/sssd.conf to 10
>> - reproduce issue
>> - send logs from /var/log/sssd/
>>
>> Additional questions:
>> - if you remove the single computer policy, does the "generic" policy
>> apply as expected to the affected computer in question?
>>
>> Michal
>>
>> On 05/25/2018 08:58 PM, Max DiOrio wrote:
>>> Hi!
>>> So it seems that I’m having an issue with GPO processing. I have an OU (Servers/Infrastructure) that contains a few servers. In this OU, I have a few GPOs applied.
>>> One is “generic” that should apply to every server in this OU - which allows Remote Interactive Login and Logon Locally to Domain Admins.
>>> I also have a GPO that applies to a specific server in this OU that grants access to a service account to log on to terminal services and log on as a service. For this GPO, I have a security filter to the specific computer object it is supposed to apply to - and I think this is the root of my issue.
>>> The GPOs are listed:
>>> 1) Infrastructure servers Access Control (that should apply to them all)
>>> 2) Single Computer policy for service account
>>> When looking at the sssd_domain logs, I can see that it’s processing both GPOs, but only adding the account from policy 2 to the ad_gpo_access_check, meaning domain admins can’t log in to either server, only the service account can to both of them.
>>> So we have multiple issues:
>>> 1) It’s not combining the GPO access policies, but only taking the last one found
>>> 2) It’s not abiding by the Security Filtering on the GPO
>>> So in my case - how would I go about making this work? Would I need a separate GPO for each server I want to apply individual rights to and explicitly include the domain admins group in it, then using delegation allow the single computer read and deny read of every other computer?
>>> Seems like this also means you can’t do GPO inheritance if it only takes the last found GPO and ignores the settings configured in previous GPOs it checked.
>>> Any ideas?
>>> Thanks!
>>> Max
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/JJFCF6EEUAHUYUVPEUUPWSJUEQP65R6B/