www.cendio.com

Bug 7125

Summary: modern sssd with Active Directory denies web access by default
Product: ThinLinc
Reporter: Pierre Ossman <ossman@cendio.se>
Component: Web Access
Assignee: Samuel Mannehed <samuel@cendio.se>
Status: NEW
QA Contact: Bugzilla mail exporter <bugzilla-qa@cendio.se>
Severity: Normal
Priority: P2
CC: astrand@cendio.se
Version: 1.3.1
Keywords: samuel_tester, upstream
Target Milestone: LowPrio
Hardware: PC
OS: Unknown
Acceptance Criteria:

Description From cendio 2018-03-08 15:44:40
Modern sssd respects the GPOs from Active Directory that control which ways
users are allowed to log in (e.g. locally, remotely). Some time recently this
check was changed from permissive to enforcing. A fully updated Ubuntu 16.04 is
enforcing, as is a Fedora 27. However RHEL 7 is still permissive even though it
uses a recent sssd.

sssd has a map between PAM service name and the different GPO categories. A
service that isn't in any map gets denied. And we use the service name
"thinlinc" for web access.

The fix is to add the following to your sssd configuration for your domain:

> ad_gpo_map_remote_interactive = +thinlinc

This puts thinlinc in the same category as ssh.
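
As an added illustration (not part of the bug report and not sssd's own code), the following Python check resolves which ad_gpo_map_* option covers a PAM service name once sssd's +service / -service overrides from the domain section are applied, so an administrator can confirm that "thinlinc" lands in the remote-interactive category rather than falling through to the deny default. The default service lists are an assumption copied from the sssd-ad(5) man page and should be verified against the installed version; the sssd.conf samples are constructed.

```python
import configparser

# Default PAM-service-to-GPO-category lists. Assumption: copied from the
# sssd-ad(5) man page; verify them against the installed sssd version.
DEFAULT_GPO_MAPS = {
    "ad_gpo_map_interactive": ["login", "su", "su-l", "gdm-fingerprint", "gdm-password",
                               "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm", "unity", "xdm"],
    "ad_gpo_map_remote_interactive": ["sshd", "cockpit"],
    "ad_gpo_map_network": ["ftp", "samba"],
    "ad_gpo_map_batch": ["crond"],
    "ad_gpo_map_service": [],
    "ad_gpo_map_permit": ["polkit-1", "sudo", "sudo-i", "systemd-user"],
    "ad_gpo_map_deny": [],
}

def effective_maps(domain_section):
    """Apply the +service / -service overrides of one [domain/...] section."""
    maps = {option: set(defaults) for option, defaults in DEFAULT_GPO_MAPS.items()}
    for option, services in maps.items():
        raw = domain_section.get(option, "")
        for entry in (e.strip() for e in raw.split(",") if e.strip()):
            if entry.startswith("+"):
                services.add(entry[1:])
            elif entry.startswith("-"):
                services.discard(entry[1:])
            else:  # sssd only accepts +name / -name relative to the defaults
                raise ValueError(f"{option}: expected +name or -name, got {entry!r}")
    return maps


def gpo_category(conf_text, domain, pam_service):
    """Return the ad_gpo_map_* option covering pam_service, or None when the
    service is unmapped and thus falls under ad_gpo_default_right (deny)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for option, services in effective_maps(cp[f"domain/{domain}"]).items():
        if pam_service in services:
            return option
    return None


# Constructed sample: an AD-joined domain before and after the fix from the report.
CONF_BEFORE = """[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
"""
CONF_AFTER = CONF_BEFORE + "ad_gpo_map_remote_interactive = +thinlinc\n"
```

With CONF_BEFORE the "thinlinc" service resolves to None (denied by the default right); with CONF_AFTER it resolves to ad_gpo_map_remote_interactive, the same category as sshd.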
------- Comment #1 From cendio 2018-03-09 10:25:54 -------
Asked upstream to be included in their default list:

https://github.com/SSSD/sssd/pull/530
------- Comment #2 From cendio 2018-03-13 13:42:02 -------
We'll do a platform specific note right away and then see what the next step
is.
------- Comment #3 From cendio 2018-03-19 14:54:22 -------
A platform specific note has now been added.
------- Comment #4 From cendio 2018-03-20 10:50:15 -------
The PSN looks good, verified that it solves the problem.
------- Comment #5 From cendio 2018-03-20 13:07:33 -------
For reference, the platform specific note is in the general section:

https://www.cendio.com/thinlinc/docs/platforms/general

For now we'll wait and see if upstream continues with their plans to allow us
to drop extra configuration in /etc/sssd/conf.d.