sssd incorrectly permits login when no gpo found and ad_gpo_implicit_deny is set to True
Issue
- On a RHEL host running `sssd` connected to a Windows domain, it is possible for a user to log in who should not be permitted login access.
- The login is permitted despite `ad_gpo_implicit_deny = True` being set in `sssd.conf`.
- If any GPO has been applied to the RHEL 8 host, regardless of whether it performs any `sssd` related changes, the login permissions function correctly and users who should not have access will be denied.
Environment
- Red Hat Enterprise Linux (RHEL)
  - 7.9
  - 8.3
- System Security Services Daemon (SSSD)
  - sssd-1.16.5-10.el7_9.7.x86_64
  - sssd-2.3.0-9.el8.x86_64
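To check whether a host matches the conditions described above, the following added example (not Red Hat's code) parses `sssd.conf` text for domains that set `ad_gpo_implicit_deny` and compares an installed build string, as printed by `rpm -q sssd`, with the builds listed under Environment. The sample configuration, its domain names, and the function names are constructed for illustration.

```python
import configparser

# Builds listed under "Environment" on this page. A match means the host
# matches the article's environment; it says nothing about other builds.
LISTED_BUILDS = {
    "sssd-1.16.5-10.el7_9.7.x86_64",
    "sssd-2.3.0-9.el8.x86_64",
}

def domains_relying_on_implicit_deny(conf_text):
    """Return [domain/...] section names that set ad_gpo_implicit_deny to true."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [pam], [nss] ... carry no GPO options
        try:
            enabled = cp.getboolean(section, "ad_gpo_implicit_deny", fallback=False)
        except ValueError:
            enabled = False  # unparsable value: treat as not set
        if enabled:
            hits.append(section)
    return hits

def assess(conf_text, installed_build):
    """Flag hosts where a listed build is combined with ad_gpo_implicit_deny."""
    domains = domains_relying_on_implicit_deny(conf_text)
    listed = installed_build in LISTED_BUILDS
    return {"build_listed": listed, "domains": domains,
            "review_needed": listed and bool(domains)}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = """
[sssd]
domains = ad.example.test, lab.example.test
services = nss, pam

[domain/ad.example.test]
id_provider = ad
access_provider = ad
ad_gpo_implicit_deny = True

[domain/lab.example.test]
id_provider = ad
access_provider = ad
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "sssd-2.3.0-9.el8.x86_64"))
```

On a host flagged with `review_needed`, confirm the behaviour by attempting a login with an account that no GPO grants access to, and check whether any GPO is currently applied to the host.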