8:42 p.m.
Hello, I noticed some of our users having linux authentication issues
recently. Upon further digging it happened when a GPO was applied to the
same OU these linux servers belonged to. The debug logs said there was an
error due to a missing equal sign. I tracked down the policy and looked at
the ini file and instantly noticed it differed from the normal format.
*Many of our GPOs are in the format of:*
[section]
key=value
*But this one was like:*
saltminion",2,"D:AR(A;;CCLCSWLOCRRC;;;AU(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)(A;;CCLCSWL
The result was that access was denied to the user logging into the server.
*Questions:*
1.) Should SSSD be able to parse GPOs using the template of Microsofts SDDL
(Security Descriptor Definition Language)
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85...
?
2.) What options are available to restore access besides removing the GPO
from the OU, or setting ad_gpo_access_control to disabled or permissive?
Thanks!
--Dan
--
*Daniel Bryan*
DevOps Engineer | Stratus Solutions
dbryan(a)stratussolutions.com
www.stratussolutions.com
4:05 a.m.
On (14/10/17 01:42), Daniel Bryan wrote:
Hello, I noticed some of our users having linux authentication issues
recently. Upon further digging it happened when a GPO was applied to the
same OU these linux servers belonged to. The debug logs said there was an
error due to a missing equal sign. I tracked down the policy and looked at
the ini file and instantly noticed it differed from the normal format.
*Many of our GPOs are in the format of:*
[section]
key=value
*But this one was like:*
saltminion",2,"D:AR(A;;CCLCSWLOCRRC;;;AU(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)(A;;CCLCSWL
It is already fixed in 1.14.0+
https://pagure.io/SSSD/sssd/issue/2751
and patch is also in upstream 1.13 branch
https://pagure.io/SSSD/sssd/c/15924374f6a4f190027f53e139f4582c4715ba7b
But it requires also patched version of ding-libs package.
LS
5:23 a.m.
New subject: SSSD reports errors with GPO formatted using SDDL
On 10/14/2017 11:05 AM, Lukas Slebodnik wrote:
On (14/10/17 01:42), Daniel Bryan wrote:
> Hello, I noticed some of our users having linux authentication issues
> recently. Upon further digging it happened when a GPO was applied to the
> same OU these linux servers belonged to. The debug logs said there was an
> error due to a missing equal sign. I tracked down the policy and looked at
> the ini file and instantly noticed it differed from the normal format.
>
> *Many of our GPOs are in the format of:*
> [section]
> key=value
>
> *But this one was like:*
>
saltminion",2,"D:AR(A;;CCLCSWLOCRRC;;;AU(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)(A;;CCLCSWL
>
It is already fixed in 1.14.0+
https://pagure.io/SSSD/sssd/issue/2751
and patch is also in upstream 1.13 branch
https://pagure.io/SSSD/sssd/c/15924374f6a4f190027f53e139f4582c4715ba7b
But it requires also patched version of ding-libs package.
LS
Just a note.
In the unlikely scenario where your distribution does
not provide newer SSSD and you decide to compile the
new SSSD version from source, make sure that the new
ding-libs is available during compilation, because it is
a compile time dependency.
Michal
2378
days inactive
2380
days old
sssd-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Daniel Bryan -
Lukas Slebodnik -
Michal Židek