On Wed, Aug 10, 2016 at 11:53:43AM +0200, Michal Židek wrote:
> On 08/10/2016 11:35 AM, Jakub Hrozek wrote:
> > On Wed, Aug 10, 2016 at 12:02:18PM +0300, Alexander Bokovoy wrote:
> > > On Tue, 09 Aug 2016, Michal Židek wrote:
> > > > Summary for Alexander (in CC):
> > > > - Regarding processing GPOs on the client.
> > > > - If groupPolicyContainer in AD has attribute
> > > >   gPCMachineExtensionNames that contains only whitespaces, SSSD
> > > >   fails to process GPOs and denies access to users
> > > > - if the gPCMachineExtensionNames is missing, it is OK and
> > > >   SSSD skips such GPO (because we are only interested in
> > > >   Machine extensions)
> > > > - We have a customer that has thousands of GPOs stored in AD and
> > > >   some of them have just ' ' (space) in the gPCMachineExtensionNames
> > > >   attribute. The AD administrators say that they created the GPOs
> > > >   using the GUI provided by AD.
> > > > - Treating the gPCMachineExtensionNames with just whitespaces the
> > > >   same way as if the gpcMachineExtensionNames was missing completely
> > > >   fixed the issue for the customer.
> > > > 
> > > > - Now, it would be good to support the fix with some links to
> > > >   documentation.
> > > > 
> > > > - I believe we should go with that fix, but could not find any
> > > >   documentation that would explicitly say something about just
> > > >   whitespaces in the gpcMachineExtensionNames
> > > > - Gunter could also not find documentation that would say something
> > > >   about just whitespaces in that attribute, but believes that we should
> > > >   use the fix and skip such attributes.
> > > > 
> > > > Alexander, can you try to find something in the MSDN documentation,
> > > > that would support our fix? If not, then just what is your opinion?
> > > You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
> > > processing gPCMachineExtensionNames, "Group Policy processing terminates
> > > at the first <CSE GUIDn> out of sequence."
> > > Since ' ' (space only) does not fall into the defined syntax for
> > > gPCMachineExtensionNames, this Group Policy processing is stopped and
> > > its CSE GUIDs are set to 'empty list'.
> > > 
> > > Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
> > > ------------------------------------------------------------------------
> > > The Group Policy client MUST evaluate the subset of the abstract element
> > > Filtered GPO list separately for each Group Policy extension by
> > > including in the subset only those GPOs whose gPCUserExtensionNames (for
> > > user policy mode) or gPCMachineExtensionNames (for computer policy mode)
> > > attributes contain CSE GUID that correspond to the Group Policy
> > > extension. If the CSE GUID corresponding to the Group Policy extension
> > > is present in Extension List, it is invoked using the
> > > Implementation Identifier field. Applicability is determined as
> > > specified in section 3.2.1.5. The Group Policy Registry Extension MUST
> > > always execute first. All other applicable Group Policy extensions in
> > > the Extension List MUST be loaded and executed in Extension List order.
> > > A failure in any Group Policy extension sequence MUST NOT affect the
> > > execution of other Group Policy extensions.
> > > -------------------------------------------------------------------------
> > > 
> > > I think we can practically treat wrong content of
> > > gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
> > > GPO to pass through the Filtered GPO list. Thus, the GPO would be
> > > ignored.
> > 
> > Michal, if you add Alexander's response into the commit message, I will
> > push the patch.
> 
> I copied the entire comment into the commit message.
> 
> New patch is attached.
> 
> Michal
> 

ACK

CI: http://sssd-ci.duckdns.org/logs/job/51/34/summary.html
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
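The behaviour the thread settles on (a missing or whitespace-only gPCMachineExtensionNames means "no machine extensions, skip the GPO", malformed content yields the empty list, an out-of-sequence CSE GUID terminates processing, and the per-extension filter of MS-GPOL 3.2.5.1.10) as an added illustration in C. This is not SSSD's code and not the patch attached to the thread. It assumes the MS-GPOL 2.2.4 value syntax `[{CSE GUID}{Tool GUID}...][{CSE GUID}...]` with CSE GUIDs stored in ascending order, and the sample attribute values are constructed from the well-known Registry and Security CSE GUIDs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SSSD code: parse gPCMachineExtensionNames according to
 * the MS-GPOL 2.2.4 syntax and decide whether a GPO contributes to a given
 * client-side extension (the 3.2.5.1.10 "Filtered GPO list" subset). */

#define GUID_LEN 38   /* "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" */
#define MAX_CSE  32   /* assumption: a GPO never lists more CSEs than this */

typedef struct {
    char cse[MAX_CSE][GUID_LEN + 1];
    int count;
} cse_list;

/* Empty or whitespace-only value: the case the patch treats as "attribute missing". */
static bool is_blank(const char *s)
{
    for (; *s != '\0'; s++) {
        if (!isspace((unsigned char)*s)) return false;
    }
    return true;
}

/* Parse one "{8-4-4-4-12}" GUID at *pp; copy it to out and advance *pp on success. */
static bool parse_guid(const char **pp, char *out)
{
    const char *p = *pp;
    if (p[0] != '{') return false;
    for (int i = 1; i <= 36; i++) {
        bool dash = (i == 9 || i == 14 || i == 19 || i == 24);
        if (dash ? p[i] != '-' : !isxdigit((unsigned char)p[i])) return false;
    }
    if (p[37] != '}') return false;
    memcpy(out, p, GUID_LEN);
    out[GUID_LEN] = '\0';
    *pp = p + GUID_LEN;
    return true;
}

/* Case-insensitive GUID comparison; AD stores them upper-case but we do not rely on it. */
static int guid_cmp(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        int d = toupper((unsigned char)*a) - toupper((unsigned char)*b);
        if (d != 0) return d;
    }
    return (unsigned char)*a - (unsigned char)*b;
}

/* Collect the GPO's CSE GUIDs into out and return how many were found.
 * NULL or blank -> 0 (GPO skipped). A syntax error -> empty list. An
 * out-of-sequence CSE GUID terminates processing, keeping what came before. */
int gpo_parse_cse_list(const char *attr, cse_list *out)
{
    char guid[GUID_LEN + 1];
    const char *p;

    out->count = 0;
    if (attr == NULL || is_blank(attr)) return 0;

    for (p = attr; *p != '\0'; ) {
        if (*p++ != '[' || !parse_guid(&p, guid)) goto malformed;
        if (out->count > 0 && guid_cmp(out->cse[out->count - 1], guid) >= 0) break;
        if (out->count == MAX_CSE) break;
        strcpy(out->cse[out->count++], guid);
        while (*p == '{') {                 /* zero or more tool GUIDs */
            if (!parse_guid(&p, guid)) goto malformed;
        }
        if (*p++ != ']') goto malformed;
    }
    return out->count;

malformed:
    out->count = 0;
    return 0;
}

/* The 3.2.5.1.10 filter: does this GPO list the given CSE GUID? */
bool gpo_applies_to_cse(const char *attr, const char *cse_guid)
{
    cse_list l;
    int n = gpo_parse_cse_list(attr, &l);
    for (int i = 0; i < n; i++) {
        if (guid_cmp(l.cse[i], cse_guid) == 0) return true;
    }
    return false;
}

int gpo_cse_count(const char *attr)
{
    cse_list l;
    return gpo_parse_cse_list(attr, &l);
}

/* Constructed sample values: Registry and Security CSE GUIDs with their tool
 * GUIDs, plus the whitespace-only value reported in the thread. */
#define CSE_REGISTRY "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
#define CSE_SECURITY "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
static const char *sample_ok =
    "[" CSE_REGISTRY "{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
    "[" CSE_SECURITY "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
static const char *sample_blank = " ";

int main(void)
{
    printf("valid:  %d CSE GUIDs, security CSE applies: %d\n",
           gpo_cse_count(sample_ok), gpo_applies_to_cse(sample_ok, CSE_SECURITY));
    printf("blank:  %d CSE GUIDs -> GPO skipped, no access denial\n",
           gpo_cse_count(sample_blank));
    printf("broken: %d CSE GUIDs -> empty list\n", gpo_cse_count("[{not-a-guid}]"));
    return 0;
}
```

The important choice is in gpo_parse_cse_list: the blank value takes the same early-return path as a NULL attribute, so a GPO that carries only ' ' is simply absent from every extension's filtered list instead of being an error that aborts GPO evaluation and denies the login.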
