On Wed, Aug 10, 2016 at 12:02:18PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Aug 2016, Michal Židek wrote:
> > Summary for Alexander (in CC):
> > - Regarding processing GPOs on the client.
> > - If groupPolicyContainer in AD has attribute
> >  gPCMachineExtensionNames that contains only whitespaces, SSSD
> >  fails to process GPOs and denies access to users
> > - if the gPCMachineExtensionNames is missing, it is Ok and
> >  SSSD skips such GPO (because we are only interested in
> >  Machine extensions)
> > - We have a customer that has thousands of GPOs stored in AD and
> >  some of them have just ' ' (space) in the gPCMachineExtensionNames
> >  attribute. The AD administrators say that they created the GPOs
> >  using the GUI provided by AD.
> > - Treating the gPCMachineExtensionNames with just whitespaces the
> >  same way as if the gpcMachineExtensionNames was missing completely
> >  fixed the issue for the customer.
> > 
> > - Now, it would be good to support the fix with some links to
> >  documentation.
> > 
> > - I believe we should go with that fix, but could not find any
> >  documentation that would explicitly say something about just
> >  whitespaces in the gpcMachineExtensionNames
> > - Gunter could also not find documentation that would say something
> >  about just whitespaces in that attribute, but believes that we should
> >  use the fix and skip such attributes.
> > 
> > Alexander, can you try to find something in the MSDN documentation,
> > that would support our fix? If not, then just what is your opinion?
> You should use the MS-GPOL spec. Section 2.2.4 'GPO Search' says that when
> processing gPCMachineExtensionNames, "Group Policy processing terminates
> at the first <CSE GUIDn> out of sequence."
> Since ' ' (space only) does not fall into defined syntax for
> gPCMachineExtensionNames, this Group Policy processing is stopped and
> its CSE GUIDs are set to 'empty list'.
> 
> Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
> ------------------------------------------------------------------------
> The Group Policy client MUST evaluate the subset of the abstract element
> Filtered GPO list separately for each Group Policy extension by
> including in the subset only those GPOs whose gPCUserExtensionNames (for
> user policy mode) or gPCMachineExtensionNames (for computer policy mode)
> attributes contain CSE GUID that correspond to the Group Policy
> extension. If the CSE GUID corresponding to the Group Policy extension
> is present in Extension List, it is invoked using the
> Implementation Identifier field. Applicability is determined as
> specified in section 3.2.1.5. The Group Policy Registry Extension MUST
> always execute first. All other applicable Group Policy extensions in
> the Extension List MUST be loaded and executed in Extension List order.
> A failure in any Group Policy extension sequence MUST NOT affect the
> execution of other Group Policy extensions.
> -------------------------------------------------------------------------
> 
> I think we can practically treat wrong content of
> gPCMachineExtensionNames (and gPCUserExtensionNames) as an inability of the
> GPO to pass through the Filtered GPO list. Thus, the GPO would be
> ignored.

Michal, if you add Alexander's response into the commit message, I will
push the patch.
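For readers following the thread, here is an added illustration of the interpretation Alexander lays out above; it is example code written for this discussion, not SSSD's own GPO parser and not text from the MS-GPOL spec. It parses a gPCMachineExtensionNames (or gPCUserExtensionNames) value of the form `[{CSE GUID}{tool GUID}...]...` into its CSE GUIDs, treats a missing or whitespace-only value the same way (no CSE GUIDs, so the GPO is skipped for machine policy), and, following the "terminates at the first <CSE GUIDn> out of sequence" rule, yields an empty list for malformed input. It assumes "in sequence" means the CSE GUIDs appear in ascending case-insensitive string order, and that zero or more tool GUIDs may follow each CSE GUID; all GUID values in it are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define GUID_LEN 38   /* length of "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" */
#define MAX_CSE  16   /* upper bound on CSE GUIDs per GPO for this example */

/* True for a NULL, empty, or whitespace-only attribute value: treated as
 * "attribute missing", which is the fix discussed in the thread. */
static int is_blank(const char *s)
{
    if (s == NULL) return 1;
    for (; *s; s++)
        if (!isspace((unsigned char)*s)) return 0;
    return 1;
}

/* True if p starts with a well-formed brace-delimited GUID. Stops at the
 * first mismatch, so a short string is rejected before reading past it. */
static int is_guid(const char *p)
{
    static const char pattern[] = "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}";
    for (int i = 0; i < GUID_LEN; i++) {
        if (pattern[i] == 'x') {
            if (!isxdigit((unsigned char)p[i])) return 0;
        } else if (p[i] != pattern[i]) {
            return 0;
        }
    }
    return 1;
}

/* Extract the CSE GUIDs from an extension-names attribute. Returns how many
 * were stored in out[], or 0 when the GPO should be skipped: the value is
 * missing/blank, the syntax is broken, or the CSE GUIDs are out of order
 * (assumption: ascending case-insensitive order is the required sequence). */
int parse_extension_names(const char *attr, char out[][GUID_LEN + 1], int max)
{
    int n = 0;
    const char *p = attr;

    if (is_blank(attr)) return 0;

    while (*p) {
        if (*p != '[') return 0;          /* each entry opens with '[' */
        p++;
        if (!is_guid(p) || n == max) return 0;
        memcpy(out[n], p, GUID_LEN);
        out[n][GUID_LEN] = '\0';
        if (n > 0 && strcasecmp(out[n - 1], out[n]) >= 0)
            return 0;                      /* CSE GUID out of sequence */
        n++;
        p += GUID_LEN;
        while (*p == '{') {                /* tool GUIDs that follow the CSE GUID */
            if (!is_guid(p)) return 0;
            p += GUID_LEN;
        }
        if (*p != ']') return 0;          /* entry must close with ']' */
        p++;
    }
    return n;
}

/* Convenience wrapper: number of CSE GUIDs, 0 meaning "skip this GPO". */
int count_cse_guids(const char *attr)
{
    char guids[MAX_CSE][GUID_LEN + 1];
    return parse_extension_names(attr, guids, MAX_CSE);
}

/* The Filtered GPO list check: does this GPO list the given CSE GUID? */
int gpo_applies(const char *attr, const char *cse_guid)
{
    char guids[MAX_CSE][GUID_LEN + 1];
    int n = parse_extension_names(attr, guids, MAX_CSE);
    for (int i = 0; i < n; i++)
        if (strcasecmp(guids[i], cse_guid) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample values; the GUIDs are placeholders, not real CSEs. */
    const char *samples[] = {
        "[{11111111-1111-1111-1111-111111111111}{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}]"
        "[{22222222-2222-2222-2222-222222222222}{BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}]",
        " ",          /* the customer's case: whitespace only */
        NULL,         /* attribute missing */
        "[{22222222-2222-2222-2222-222222222222}{BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}]"
        "[{11111111-1111-1111-1111-111111111111}{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}]",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %d CSE GUID(s)\n", i, count_cse_guids(samples[i]));
    return 0;
}
```

With this approach a GPO whose attribute is just ' ' behaves exactly like one whose attribute is absent: it contributes no CSE GUIDs, so it never enters the per-extension subset and access decisions are not affected by it.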
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org