Bugzilla – Bug 7125
modern sssd with Active Directory denies web access by default
Last modified: 2018-03-20 13:07:33
Modern sssd respects the GPOs from Active Directory that control which ways
users are allowed to log in (e.g. locally, remotely). Some time recently this
check was changed from permissive to enforcing. A fully updated Ubuntu 16.04 is
enforcing, as is a Fedora 27. However RHEL 7 is still permissive even though it
uses a recent sssd.
sssd has a map between PAM service name and the different GPO categories. A
service that isn't in any map gets denied. And we use the service name
"thinlinc" for web access.
The fix is to add the following to your sssd configuration for your domain:
> ad_gpo_map_remote_interactive = +thinlinc
This puts thinlinc in the same category as ssh.
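As an added example (not part of this bug report, and not configuration shipped by ThinLinc or sssd), here is where the line above goes: a minimal /etc/sssd/sssd.conf whose domain section appends the "thinlinc" PAM service to the remote-interactive GPO category. The domain name example.com, the domain controller name and the surrounding provider settings are assumptions; only the `ad_gpo_map_remote_interactive` line is what the comment prescribes.

```ini
# /etc/sssd/sssd.conf (added example; domain and server names are assumed)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
ad_server = dc1.example.com

# Recent sssd evaluates AD logon-right GPOs in enforcing mode by default.
# Leave this unset in production; "permissive" only logs the decision and
# is useful while confirming that the mapping below takes effect.
# ad_gpo_access_control = permissive

# ThinLinc web access authenticates through the PAM service "thinlinc".
# Map it to the same GPO category as sshd (RemoteInteractiveLogonRight).
# The leading "+" appends to sssd's built-in list instead of replacing it,
# so sshd and the other defaults keep their mapping.
ad_gpo_map_remote_interactive = +thinlinc
```

After editing the file, restart sssd (for example `systemctl restart sssd`) and retry the web login; the GPO decision for the "thinlinc" service is recorded in the domain log under /var/log/sssd/ when the domain's debug level is high enough.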
Asked upstream to be included in their default list:
We'll do a platform specific note right away and then see what the next step
A platform specific note has now been added.
The PSN looks good, verified that it solves the problem.
For reference, the platform specific note is in the general section:
For now we'll wait and see if upstream continues with their plans to allow us
to drop extra configuration in /etc/sssd/conf.d.