www.cendio.com
Bug 7125 - modern sssd with Active Directory denies web access by default
Status: NEW
Product: ThinLinc
Component: Web Access
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Reported: 2018-03-08 15:44
Modified: 2018-03-20 13:07

Description From cendio 2018-03-08 15:44:40
Modern sssd respects the GPOs from Active Directory that control which ways
users are allowed to log in (e.g. locally, remotely). Some time recently this
check was changed from permissive to enforcing. A fully updated Ubuntu 16.04 is
enforcing, as is a Fedora 27. However RHEL 7 is still permissive even though it
uses a recent sssd.

sssd has a map between PAM service name and the different GPO categories. A
service that isn't in any map gets denied. And we use the service name
"thinlinc" for web access.

The fix is to add the following to your sssd configuration for your domain:

> ad_gpo_map_remote_interactive = +thinlinc

This puts thinlinc in the same category as ssh.
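
To make the mapping logic in the description concrete, here is an added example (not code from sssd or ThinLinc) that models how sssd turns the ad_gpo_map_* options into a PAM-service-to-category table, why a service missing from every table falls through to ad_gpo_default_right (deny) in enforcing mode, and what "ad_gpo_map_remote_interactive = +thinlinc" changes. The default service lists are a partial copy of those documented in sssd-ad(5) and the sssd.conf fragments are constructed for the example; both are assumptions to verify against the sssd version you run.

```python
"""Model of how sssd maps a PAM service name to an AD GPO logon-right category.

Added example for this bug report; not code from sssd or ThinLinc. The default
lists below are a partial copy of the sssd-ad(5) defaults (assumption: check
them against your sssd version). It shows why a PAM service called "thinlinc"
is denied when no map lists it, and what +thinlinc on the remote_interactive
map changes.
"""
import configparser

# Partial default PAM service lists per GPO category, per sssd-ad(5).
DEFAULT_MAPS = {
    "ad_gpo_map_interactive": {"login", "su", "su-l", "gdm-password",
                               "lightdm", "sddm", "xdm"},
    "ad_gpo_map_remote_interactive": {"sshd"},
    "ad_gpo_map_network": {"ftp", "samba"},
    "ad_gpo_map_batch": {"crond"},
    "ad_gpo_map_service": set(),
    "ad_gpo_map_permit": {"polkit-1", "sudo", "sudo-i", "systemd-user"},
    "ad_gpo_map_deny": set(),
}
LOGON_RIGHTS = ("interactive", "remote_interactive", "network", "batch", "service")


def parse_domain(conf_text, domain):
    """Return the options of the [domain/<domain>] section of sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return dict(cp[f"domain/{domain}"])


def effective_maps(opts):
    """Apply "+svc" / "-svc" entries from the domain section to the defaults.
    sssd rejects an entry that has neither prefix, so this does too."""
    maps = {name: set(services) for name, services in DEFAULT_MAPS.items()}
    for name, services in maps.items():
        for entry in filter(None, (e.strip() for e in opts.get(name, "").split(","))):
            if entry[0] == "+":
                services.add(entry[1:])
            elif entry[0] == "-":
                services.discard(entry[1:])
            else:
                raise ValueError(f"{name}: {entry!r} must start with + or -")
    return maps


def lookup(service, opts):
    """The ad_gpo_map_* option the service falls under, or None when no map
    (and no logon-right category in ad_gpo_default_right) covers it."""
    for name, services in effective_maps(opts).items():
        if service in services:
            return name
    default_right = opts.get("ad_gpo_default_right", "deny")
    if default_right in LOGON_RIGHTS:
        return "ad_gpo_map_" + default_right
    return None


def decision(service, opts):
    """'permit', 'deny', or 'evaluate:<map>' (the logon right sssd then checks).
    In permissive mode a denial is only logged, so it is reported as 'permit';
    an 'evaluate' result is still reported because the right is looked up."""
    permissive = opts.get("ad_gpo_access_control", "enforcing") == "permissive"
    name = lookup(service, opts)
    if name == "ad_gpo_map_permit":
        return "permit"
    if name is None:
        unmapped = opts.get("ad_gpo_default_right", "deny")  # "permit" or "deny" here
        return "permit" if (unmapped == "permit" or permissive) else "deny"
    if name == "ad_gpo_map_deny":
        return "permit" if permissive else "deny"
    return "evaluate:" + name


# Constructed sssd.conf fragments for the example (not taken from a real host).
DENIED_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
"""
FIXED_CONF = DENIED_CONF + "ad_gpo_map_remote_interactive = +thinlinc\n"
PERMISSIVE_CONF = DENIED_CONF + "ad_gpo_access_control = permissive\n"

if __name__ == "__main__":
    for label, conf in (("default", DENIED_CONF), ("fixed", FIXED_CONF),
                        ("permissive", PERMISSIVE_CONF)):
        opts = parse_domain(conf, "example.com")
        print(f"{label:10s} thinlinc -> {decision('thinlinc', opts)}; "
              f"sshd -> {decision('sshd', opts)}")
```

With the default configuration "thinlinc" matches no map and is denied outright in enforcing mode, which is the behaviour this bug describes; with "+thinlinc" added it is evaluated under the same remote-interactive logon right as sshd, and a permissive host (such as the RHEL 7 case above) lets it through either way. On a real host the mapping goes into the [domain/...] section of /etc/sssd/sssd.conf, followed by a restart of sssd.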
------- Comment #1 From cendio 2018-03-09 10:25:54 -------
Asked upstream to be included in their default list:

https://github.com/SSSD/sssd/pull/530
------- Comment #2 From cendio 2018-03-13 13:42:02 -------
We'll do a platform specific note right away and then see what the next step
is.
------- Comment #3 From cendio 2018-03-19 14:54:22 -------
A platform specific note has now been added.
------- Comment #4 From cendio 2018-03-20 10:50:15 -------
The PSN looks good, verified that it solves the problem.
------- Comment #5 From cendio 2018-03-20 13:07:33 -------
For reference, the platform specific note is in the general section:

https://www.cendio.com/thinlinc/docs/platforms/general

For now we'll wait and see if upstream continues with their plans to allow us
to drop extra configuration in /etc/sssd/conf.d.