sssd doesn't follow the link order of AD Group Policy Management
Issue
- sssd doesn't follow the link order of AD Group Policy Management
Sample reproducer:
1. Enable ad_gpo_access_control on rhelhost.
=== /etc/sssd/sssd.conf
[sssd]
domains = nat.local
config_file_version = 2
services = nss, pam
[domain/nat.local]
ad_domain = nat.local
krb5_realm = NAT.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_ignore_unreadable = True
===
2. Create two Group Policy Objects on Windows Server 2012 R2:
- Allow SSH1: add aduser1 to "Allow log on through Remote Desktop Services"
- Allow SSH2: add aduser2 to "Allow log on through Remote Desktop Services"
Refer to https://access.redhat.com/solutions/2427851 for details.
Set the link order in Group Policy Management as follows:
Link Order  GPO
1           Allow SSH1
2           Allow SSH2
3. Log in to rhelhost over ssh.
"ssh aduser1@rhelhost" is denied with "Host Access Denied".
"ssh aduser2@rhelhost" succeeds.
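The result above is the reverse of what Windows precedence gives: linked GPOs are applied from the highest link order down to link order 1, so link order 1 wins, and user-rights settings such as "Allow log on through Remote Desktop Services" (stored as SeRemoteInteractiveLogonRight in GptTmpl.inf) are replaced rather than merged. The following added Python example, which is not part of this article or of sssd, parses constructed GptTmpl.inf fragments for the two GPOs, applies them in that order, and shows that aduser1 should be the permitted user; applying them in the opposite order reproduces the outcome observed with sssd. The SIDs and the SID-to-user mapping are placeholders.

```python
import configparser

# Constructed GptTmpl.inf fragments for the two GPOs in the reproducer (not taken
# from the article). The SIDs are placeholders.
GPOS = {
    "Allow SSH1": {"link_order": 1, "inf": "[Privilege Rights]\n"
                   "SeRemoteInteractiveLogonRight = *S-1-5-21-PLACEHOLDER-1101\n"},
    "Allow SSH2": {"link_order": 2, "inf": "[Privilege Rights]\n"
                   "SeRemoteInteractiveLogonRight = *S-1-5-21-PLACEHOLDER-1102\n"},
}
SID_TO_USER = {"S-1-5-21-PLACEHOLDER-1101": "aduser1",
               "S-1-5-21-PLACEHOLDER-1102": "aduser2"}


def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section of a GptTmpl.inf."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of right names such as SeRemoteInteractiveLogonRight
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # Values are comma-separated SIDs, each prefixed with '*'
            rights[name] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights


def effective_rights(gpos, lowest_link_order_wins=True):
    """Merge linked GPOs into the effective user rights.

    Windows applies GPOs from the highest link order to the lowest, and a GPO that
    defines a right replaces the earlier value, so link order 1 has the highest
    precedence. lowest_link_order_wins=False applies them in the opposite order,
    which models the behaviour the article reports for sssd.
    """
    ordered = sorted(gpos.items(), key=lambda kv: kv[1]["link_order"],
                     reverse=lowest_link_order_wins)
    effective = {}
    for _name, gpo in ordered:
        effective.update(parse_privilege_rights(gpo["inf"]))  # last writer wins
    return effective


def ssh_allowed(user, gpos, lowest_link_order_wins=True):
    """sssd maps SeRemoteInteractiveLogonRight to its remote-interactive PAM services, which include sshd."""
    sids = effective_rights(gpos, lowest_link_order_wins).get("SeRemoteInteractiveLogonRight", set())
    return user in {SID_TO_USER.get(sid, sid) for sid in sids}
```

With the correct precedence only aduser1 is allowed; with the order reversed only aduser2 is allowed, which matches the denied/OK pattern in step 3.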
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- sssd