On 08/31/2016 01:24 PM, Simo Sorce wrote: > On Wed, 2016-08-31 at 17:41 +0200, Michal Židek wrote: >> Hi, >> >> here is patch for ticket #3161. >> >> See more in the ticket description. >> >> I was thinking why we originally replaced >> the lists and I think it comes from confusion >> on how we handle the same keys in single >> GPO ini file, however that is handled by >> libini not by SSSD. > > Sorry to come to this late, but do you have a documentation reference > that says that merging is the correct behavior ?
Merging is not (nor has it ever been) the correct behavior. The way that AD GPOs work is with a strict hierarchy. I'd have to double-check the code to remember which order it is, but I *think* it's: Domain is overridden by site which is overridden by individual machine. Basically, if I have a GPO on domain EXAMPLE.COM that include SeInteractiveLogonRight=foo and another GPO on machine client.example.com that has SeInteractiveLogonRight="bar, baz", then "bar, baz" completely replaces "foo" for that machine. It does not merge in any way. This is the reason that we switched to storing this information in the LDB cache; we were able to do the processing the same way Windows does with the registry, by having each iteration through the hierarchy replace the previous one. Again, no merging should happen here. > I forgot a lot about how multiple GPOs are supposed to be merged but I > seem to recall there may be a policy that actually controls how merging > is done. > > CCing Günther who has worked around GPO processing a few years ago. > > Simo. >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
