On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is
working fine too.
I am now trying to use a Group Policy to deny access for 'testuser' for both
local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com
in there, I have one machine, called ITCOPY.
the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated
Users.
as you can see, I set access_control back to permissive, so I should see
some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can
work out some details.
First, do you have an actual AD server around to test with? In the past
we've seen bugs with Samba that didn't occur with AD and I'm not sure if
anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related
bug after the 1.12.3 release was
https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advise against enumerate=True in large environments.
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is
cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path:
\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path:
\\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
OK, access was denied but since both the flags and the func_version were
the value we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
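As an added example that is not part of this thread, the following Python script does the triage the reply asks for over the sssd debug lines quoted above (copied here as a constructed sample, re-joined onto single lines): per GPO GUID it extracts the gPLink option bits, gpo_flags, whether the security-settings CSE GUID seen in the log is listed, and the DACL verdict. The bit meanings it assumes (gPLink 0x1 = link disabled, 0x2 = enforced; flags 0x2 = computer configuration disabled) are those of MS-GPOL; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: sssd debug lines quoted in the thread, re-joined onto single lines.
PREFIX = "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] "
SAMPLE_LOG = "\n".join(PREFIX + l for l in """\
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
""".splitlines())

GUID = r"\{[0-9A-Fa-f-]{36}\}"
SECURITY_CSE = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"  # security-settings CSE seen in the log

def summarize_gpo_log(text):
    """Per GPO GUID: gPLink option bits, gpo_flags, security CSE present, DACL verdict."""
    gpos = defaultdict(lambda: {"link_opt": None, "flags": None, "has_security_cse": False, "dacl": None})
    current = None  # GPO that the following attribute / DACL lines describe
    for line in text.splitlines():
        m = re.search(r"gplink_list\[\d+\]: \[[^\]]*?(" + GUID + r")[^;]*;(\d+)\]", line)
        if m:
            gpos[m.group(1).upper()]["link_opt"] = int(m.group(2))
            continue
        m = re.search(r"gpo_guid:\s*(" + GUID + ")", line)
        if m:
            current = m.group(1).upper()
        elif current is None:
            continue
        elif (m := re.search(r"gpo_flags: (\d+)", line)):
            gpos[current]["flags"] = int(m.group(1))
        elif "gpo_cse_guids" in line and SECURITY_CSE in line:
            gpos[current]["has_security_cse"] = True
        elif "not applicable to target per security filtering" in line:
            gpos[current]["dacl"] = "filtered"
    return dict(gpos)

def evaluated_gpos(summary):
    """GUIDs left to evaluate: link enabled (gPLink bit 0x1 clear), computer settings enabled (flags bit 0x2 clear), not removed by DACL filtering (MS-GPOL bit meanings)."""
    return sorted(g for g, s in summary.items() if s["link_opt"] is not None
                  and not s["link_opt"] & 0x1 and not (s["flags"] or 0) & 0x2 and s["dacl"] != "filtered")
```

On the sample the disabled link (;1) never gets attributes, and both remaining GPOs are dropped by security filtering, so the deny lists are never reached, which is why permissive mode shows nothing further.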