On Wed, Aug 10, 2016 at 12:02:18PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Aug 2016, Michal Židek wrote:
> > Summary for Alexander (in CC):
> > - Regarding processing GPOs on the client.
> > - If groupPolicyContainer in AD has attribute
> >   gPCMachineExtensionNames that contains only whitespaces, SSSD
> >   fails to process GPOs and denies access to users.
> > - If the gPCMachineExtensionNames is missing, it is OK and
> >   SSSD skips such GPO (because we are only interested in
> >   Machine extensions).
> > - We have a customer that has thousands of GPOs stored in AD and
> >   some of them have just ' ' (space) in the gPCMachineExtensionNames
> >   attribute. The AD administrators say that they created the GPOs
> >   using the GUI provided by AD.
> > - Treating the gPCMachineExtensionNames with just whitespaces the
> >   same way as if the gPCMachineExtensionNames was missing completely
> >   fixed the issue for the customer.
> >
> > - Now, it would be good to support the fix with some links to
> >   documentation.
> >
> > - I believe we should go with that fix, but could not find any
> >   documentation that would explicitly say something about just
> >   whitespaces in the gPCMachineExtensionNames.
> > - Gunter could also not find documentation that would say something
> >   about just whitespaces in that attribute, but believes that we should
> >   use the fix and skip such attributes.
> >
> > Alexander, can you try to find something in the MSDN documentation
> > that would support our fix? If not, then just what is your opinion?
> You should use the MS-GPOL spec. The 2.2.4 'GPO Search' section says that when
> processing gPCMachineExtensionNames, "Group Policy processing terminates
> at the first <CSE GUIDn> out of sequence."
> Since ' ' (space only) does not fall into the defined syntax for
> gPCMachineExtensionNames, this Group Policy processing is stopped and
> its CSE GUIDs are set to 'empty list'.
>
> Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
> ------------------------------------------------------------------------
> The Group Policy client MUST evaluate the subset of the abstract element
> Filtered GPO list separately for each Group Policy extension by
> including in the subset only those GPOs whose gPCUserExtensionNames (for
> user policy mode) or gPCMachineExtensionNames (for computer policy mode)
> attributes contain CSE GUID that correspond to the Group Policy
> extension. If the CSE GUID corresponding to the Group Policy extension
> is present in Extension List, it is invoked using the
> Implementation Identifier field. Applicability is determined as
> specified in section 3.2.1.5. The Group Policy Registry Extension MUST
> always execute first. All other applicable Group Policy extensions in
> the Extension List MUST be loaded and executed in Extension List order.
> A failure in any Group Policy extension sequence MUST NOT affect the
> execution of other Group Policy extensions.
> -------------------------------------------------------------------------
>
> I think we can practically treat wrong content of
> gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
> GPO to pass through the Filtered GPO list. Thus, the GPO would be
> ignored.

Michal, if you add Alexander's response into the commit message, I will push the patch.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
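The reading of MS-GPOL agreed on in the thread, carried into code as an added example. This is not SSSD's code and not the patch under discussion; it shows a client-side classifier for a gPCMachineExtensionNames value that treats a missing attribute and a whitespace-only attribute identically (no CSE applies, so the GPO is skipped rather than failing the lookup), extracts the CSE GUIDs from a well-formed value, and treats any entry that is out of sequence as ending processing with an empty CSE list. The bracket/brace layout `[{CSE GUID}{TOOL GUID}...]...` is the one MS-GPOL 2.2.4 describes; the requirement of at least one tool GUID per group, the strictness about stray characters outside that layout, the function names and the sample GUIDs in the comments are this example's own choices and constructed values.

```c
/* Added example, not SSSD code: classify and parse a gPCMachineExtensionNames
 * value. Layout per MS-GPOL 2.2.4: [{CSE GUID1}{TOOL GUID1}...][{CSE GUID2}...]...
 * Sample GUIDs used in comments (e.g. 11111111-2222-3333-4444-555555555555)
 * are constructed, not real CSE identifiers. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define GUID_LEN 36   /* "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" without braces */
#define MAX_CSE  16   /* assumed upper bound for this example */

/* Ordered CSE GUIDs recovered from one GPO's attribute value. */
struct cse_list {
    size_t count;
    char guids[MAX_CSE][GUID_LEN + 1];
};

/* True when the attribute is absent (NULL) or holds only whitespace.
 * The thread's fix treats both the same: no machine extension applies. */
bool ext_names_is_blank(const char *value)
{
    if (value == NULL) return true;
    for (; *value != '\0'; value++) {
        if (!isspace((unsigned char)*value)) return false;
    }
    return true;
}

/* Parse one "{GUID}" token at *p; on success advance *p past the closing
 * brace and copy the GUID (upper-cased, no braces) into out. */
static bool parse_braced_guid(const char **p, char *out)
{
    const char *s = *p;
    if (*s != '{') return false;
    s++;
    for (size_t i = 0; i < GUID_LEN; i++) {
        unsigned char c = (unsigned char)s[i];
        bool dash_pos = (i == 8 || i == 13 || i == 18 || i == 23);
        if (c == '\0' || (dash_pos ? c != '-' : !isxdigit(c))) return false;
        out[i] = (char)toupper(c);
    }
    out[GUID_LEN] = '\0';
    s += GUID_LEN;
    if (*s != '}') return false;
    *p = s + 1;
    return true;
}

/* Extract CSE GUIDs. Returns how many were found; 0 means "skip this GPO".
 * As quoted from MS-GPOL 2.2.4 in the thread, processing terminates at the
 * first entry out of sequence and the GPO then contributes an empty list. */
size_t parse_ext_names(const char *value, struct cse_list *out)
{
    out->count = 0;
    if (ext_names_is_blank(value)) return 0;   /* missing == whitespace-only */

    const char *p = value;
    while (*p != '\0') {
        char cse[GUID_LEN + 1], tool[GUID_LEN + 1];
        if (*p != '[' || out->count >= MAX_CSE) goto malformed;
        p++;
        /* CSE GUID followed by at least one tool GUID (this example's reading). */
        if (!parse_braced_guid(&p, cse) || !parse_braced_guid(&p, tool)) goto malformed;
        while (*p == '{') {
            if (!parse_braced_guid(&p, tool)) goto malformed;
        }
        if (*p != ']') goto malformed;
        p++;
        memcpy(out->guids[out->count], cse, GUID_LEN + 1);
        out->count++;
    }
    return out->count;

malformed:
    out->count = 0;   /* empty list: nothing from this GPO is applied */
    return 0;
}

/* Number of CSE GUIDs a value yields without exposing the struct. */
size_t cse_count(const char *value)
{
    struct cse_list list;
    return parse_ext_names(value, &list);
}

/* Does the GPO name the given CSE? Only CSE GUIDs count, never tool GUIDs;
 * the comparison is case-insensitive. */
bool gpo_has_cse(const char *value, const char *cse_guid)
{
    struct cse_list list;
    parse_ext_names(value, &list);
    for (size_t i = 0; i < list.count; i++) {
        size_t j;
        for (j = 0; j < GUID_LEN; j++) {
            if (toupper((unsigned char)cse_guid[j]) != list.guids[i][j]) break;
        }
        if (j == GUID_LEN && cse_guid[GUID_LEN] == '\0') return true;
    }
    return false;
}
```

The design point the thread settles on is visible in `parse_ext_names`: a blank value and a malformed value both end in an empty CSE list, which is the state that lets the GPO drop out of the Filtered GPO list for every extension instead of aborting access control for the user. The parser is deliberately strict about anything outside the bracket syntax, including whitespace around an otherwise valid value; a deployment wanting to tolerate that would trim before parsing.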