[SSSD-users] AD user is granted access when it should be denied

2019-10-11 Thread Emil Petersson
> Regarding SSSD side options.
> Maybe we should add a stronger mode for ad_gpo_implicit_deny to
> "only allow explicitly allowed" users/groups not only
> deny access if there are no applicable GPOs. I think such
> option would be good hardening option, but it would basically
> ignore all Deny rules on the server (OTOH if someone wants to
> allow only whitelisted users/groups they would not use deny
> rules, so that is actually not a problem). Will you file
> an RFE or should I? Feel free to copy paste this discussion
> to the ticket.

I've created what I hope counts as an RFE at 
https://pagure.io/SSSD/sssd/issue/4097, with our conversation included. Thanks!
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] AD user is granted access when it should be denied

2019-09-11 Thread Emil Petersson
Hi,

I am running sssd-1.16.4-21.el7.x86_64 (from CR repo) on a CentOS 7 client. I 
authenticate to AD 2016, and control access to servers using GPO. For some 
reason, a completely unprivileged user in AD is allowed to login, and I'd like 
to understand why.

Here's a sanitized sssd.conf:

[sssd]
domains = prd.domain.com
config_file_version = 2
services = nss, pam, sudo
full_name_format = %1$s
default_domain_suffix = prd.domain.com

[domain/prd.domain.com]
debug_level = 9
ad_domain = prd.domain.com
ad_site = XX1
ad_server = dc000.prd.domain.com, dc001.prd.domain.com
krb5_realm = PRD.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
ldap_sudo_search_base = DC=domain,DC=com
entry_cache_sudo_timeout = 10
enumerate = true
dyndns_update = false
ad_gpo_access_control = enforcing
ldap_idmap_default_domain_sid = S-1-5-21-6607581186-1994368826-2594857426
ldap_idmap_default_domain = prd.domain.com
ad_gpo_implicit_deny = true
auto_private_groups = true
ad_gpo_ignore_unreadable = true

When I try to SSH to the client using my unprivileged user, I am getting the 
following output from the SSSD debug:

[sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [*S-1-5-32-546]
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400):  denied_sids[0] = S-1-5-32-546
... snip ...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400):  access_granted = 1
[ad_gpo_access_check] (0x0400):   access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.

I'm trying to understand why this user is being granted access. I find it 
especially confusing as there is clearly one deny sid and no allow sids 
detected. The wanted behaviour is that the user should be denied access as long 
as I've not explicitly allowed it in AD.

Thanks!
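Added illustration, not code from this thread or from SSSD itself: a small Python model of the decision the debug output above records. It parses the RESULTANT POLICY / CURRENT USER lines (a constructed excerpt of the log, with the mail-wrapped values re-joined) and then applies the rules the thread describes: with applicable GPOs present, an empty allow list counts as "granted" and the deny list is matched against the user's SID and group SIDs (which is why allowed_size = 0 plus a deny entry for S-1-5-32-546, a SID this user does not carry, ends in access_granted = 1), while ad_gpo_implicit_deny only comes into play when no GPO applies at all. The strict_allowlist flag is hypothetical; it stands in for the stronger "only allow explicitly allowed" mode proposed in the quoted reply, and the function names are assumptions of this example.

```python
import re

# Constructed excerpt mirroring the thread's debug output; the values that the
# mail client wrapped onto a second line are re-joined here.
DEBUG_LOG = """\
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400):  denied_sids[0] = S-1-5-32-546
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-11
"""

# "allowed_sids[0] = S-..." / "denied_sids[0] = S-..." / "group_sids[1] = S-..."
_SID_LINE = re.compile(r"\):\s*(allowed_sids|denied_sids|group_sids)\[\d+\]\s*=\s*(S-[\d-]+)")
# "user_sid = S-..."
_USER_LINE = re.compile(r"\):\s*user_sid\s*=\s*(S-[\d-]+)")


def parse_access_check(log):
    """Collect the SID lists from ad_gpo_access_check debug lines."""
    policy = {"allowed_sids": [], "denied_sids": [], "group_sids": [], "user_sid": None}
    for line in log.splitlines():
        m = _USER_LINE.search(line)
        if m:
            policy["user_sid"] = m.group(1)
            continue
        m = _SID_LINE.search(line)
        if m:
            policy[m.group(1)].append(m.group(2))
    return policy


def gpo_access_check(policy, applicable_gpos, implicit_deny=False, strict_allowlist=False):
    """Model of the decision, returning the same three facts the log prints.

    applicable_gpos: how many GPOs applied to this host (the thread's log shows
                     at least one, since a deny setting was read from one).
    implicit_deny:   ad_gpo_implicit_deny as described in the thread, i.e. it
                     only matters when no GPO applies.
    strict_allowlist: hypothetical stronger mode from the quoted reply: an empty
                     allow list denies instead of granting.
    """
    principal = {policy["user_sid"], *policy["group_sids"]}
    if applicable_gpos == 0:
        granted = not implicit_deny
        denied = False
    else:
        if policy["allowed_sids"]:
            granted = bool(principal & set(policy["allowed_sids"]))
        else:
            # Empty allow list: granted unless the stricter mode is requested.
            granted = not strict_allowlist
        denied = bool(principal & set(policy["denied_sids"]))
    return {
        "access_granted": int(granted),
        "access_denied": int(denied),
        "allow": granted and not denied,
    }


if __name__ == "__main__":
    policy = parse_access_check(DEBUG_LOG)
    print("as in the thread:", gpo_access_check(policy, 1, implicit_deny=True))
    print("strict allowlist:", gpo_access_check(policy, 1, implicit_deny=True, strict_allowlist=True))
```

Running it reproduces the thread's access_granted = 1 / access_denied = 0 for the first call and a denial for the second, which is the difference between the existing option and the mode the reply proposes; the deny list still works in both cases only for principals that actually carry the denied SID.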