Issue #3269: SSSD does not skip GPO if no gpcFunctionalityVersion present - sssd

SSSD / sssd

#3269 SSSD does not skip GPO if no gpcFunctionalityVersion present

Closed: Fixed None Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1404697

Description of problem:

If the  groupPolicyContainer created by some tool (for example the
https://www.quest.com/products/password-manager/) does not conatin
gpcFunctionalityVersion attribute and sssd stumbles upon such container, it
stops the processing and just quit with the default decision (wich is usually
deny).

To avoid this problem, the SSSD should skip any GPO that does not contain the
gpcFunctionalityVersion because this is the behavior specified by the MS-GPOL,
see 3.2.5.1.6:

-----
3.2.5.1.6 GPO Filter Evaluation
In this step, the client MUST process the GPO as follows:
 1. Check for the functionality version of the GPO. If the
gPCFunctionalityVersion
    field of the Group Policy Object Search message (as defined in [MS-ADA1]
    section 2.278) is not set to 2, the GPO MUST NOT be included in the rest
    of the protocol sequence. The GPO MUST be considered denied.
-----

given that the GPO itself does not have access control rules, you filter
it out.


Version-Release number of selected component (if applicable):

sssd-1.14.0-43.el7.x86_64


Steps to Reproduce:
1. create GPO with https://www.quest.com/products/password-manager/
2. try to log in with such user

Actual results:

login fails

Expected results:


should log in

jhrozek commented 7 years ago

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1404725 (Red Hat Enterprise Linux 7)

rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1404697 1404697] => [https://bugzilla.redhat.com/show_bug.cgi?id=1404697 1404697], [https://bugzilla.redhat.com/show_bug.cgi?id=1404725 1404725]

mzidek commented 7 years ago

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => mzidek
patch: => 0
review: True => 0
selected: =>
testsupdated: => 0

jhrozek commented 7 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.5

mzidek commented 7 years ago

Fields changed

patch: 0 => 1

lslebodn commented 7 years ago

master:

lslebodn commented 7 years ago

sssd-1-14:

sssd-1-13:

resolution: => fixed
status: new => closed
version: => 1.13.4

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.13.5

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4302

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

mzidek

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.13.5

type

defect

component

SSSD

version

1.13.4

selected

None

testsupdated

patch

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1404697, https://bugzilla.redhat.com/show_bug.cgi?id=1404725

design_review

review

changelog

None

keywords

None

coverity

None

mark

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3269 SSSD does not skip GPO if no gpcFunctionalityVersion present Closed: Fixed None Opened 7 years ago by jhrozek.

Metadata

#3269 SSSD does not skip GPO if no gpcFunctionalityVersion present

Closed: Fixed None Opened 7 years ago by jhrozek.