From c7aae4f0b4797f6d8b313a29ceacfed6f7710118 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 17 2020 00:09:12 +0000 Subject: import sssd-2.3.0-9.el8 --- diff --git a/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch b/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch new file mode 100644 index 0000000..d00fb18 --- /dev/null +++ b/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch 
@@ -0,0 +1,181 @@ +From 69e1f5fe79806a530e90c8af09bedd3b9e6b4dac Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 10 Jul 2020 15:30:29 +0200 +Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently if setting ad_gpo_implicit_deny to 'True' is rejected access +if no GPOs applied to the host since in this case there are obvious not +allow rules available. + +But according to the man page we have to be more strict "When this +option is set to True users will be allowed access only when explicitly +allowed by a GPO rule". So if GPOs apply and no allow rules are present +we have to reject access as well. + +Resolves: https://github.com/SSSD/sssd/issues/5061 + +Reviewed-by: Pavel Březina +--- + src/man/sssd-ad.5.xml | 59 +++++++++++++++++++++++++++++++++++++++ + src/providers/ad/ad_gpo.c | 13 +++++++-- + 2 files changed, 69 insertions(+), 3 deletions(-) + +diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml +index 5c2f46546..fbd4985d7 100644 +--- a/src/man/sssd-ad.5.xml ++++ b/src/man/sssd-ad.5.xml +@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, + built-in Administrators group if no GPO rules + apply to them. + ++ + + Default: False + ++ ++ ++ The following 2 tables should illustrate when a user ++ is allowed or rejected based on the allow and deny ++ login rights defined on the server-side and the ++ setting of ad_gpo_implicit_deny. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ad_gpo_implicit_deny = False (default) ++ allow-rulesdeny-rules ++ results ++ ++ ++ missingmissing ++ all users are allowed ++ ++ missingpresent ++ only users not in deny-rules are ++ allowed ++ presentmissing ++ only users in allow-rules are ++ allowed ++ presentpresent ++ only users in allow-rules and not in ++ deny-rules are allowed ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ad_gpo_implicit_deny = True ++ allow-rulesdeny-rules ++ results ++ ++ ++ missingmissing ++ no users are allowed ++ ++ missingpresent ++ no users are allowed ++ ++ presentmissing ++ only users in allow-rules are ++ allowed ++ presentpresent ++ only users in allow-rules and not in ++ deny-rules are allowed ++ + + + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 2c6aa7fa6..0cf5da2a1 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, + enum gpo_access_control_mode gpo_mode, + enum gpo_map_type gpo_map_type, + const char *user, ++ bool gpo_implicit_deny, + struct sss_domain_info *domain, + char **allowed_sids, + int allowed_size, +@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, + group_sids[j]); + } + +- if (allowed_size == 0) { ++ if (allowed_size == 0 && !gpo_implicit_deny) { + access_granted = true; + } else { + access_granted = check_rights(allowed_sids, allowed_size, user_sid, +@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, + enum gpo_access_control_mode gpo_mode, + enum gpo_map_type gpo_map_type, + const char *user, ++ bool gpo_implicit_deny, + struct sss_domain_info *user_domain, + struct sss_domain_info *host_domain) + { +@@ -1732,8 +1734,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, + + /* perform access check with the final resultant allow_sids and deny_sids */ + ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user, +- user_domain, allow_sids, allow_size, deny_sids, +- deny_size); ++ 
gpo_implicit_deny, user_domain, ++ allow_sids, allow_size, deny_sids, deny_size); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -1918,6 +1920,7 @@ immediately: + static errno_t + process_offline_gpos(TALLOC_CTX *mem_ctx, + const char *user, ++ bool gpo_implicit_deny, + enum gpo_access_control_mode gpo_mode, + struct sss_domain_info *user_domain, + struct sss_domain_info *host_domain, +@@ -1930,6 +1933,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx, + gpo_mode, + gpo_map_type, + user, ++ gpo_implicit_deny, + user_domain, + host_domain); + if (ret != EOK) { +@@ -1976,6 +1980,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) + DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); + ret = process_offline_gpos(state, + state->user, ++ state->gpo_implicit_deny, + state->gpo_mode, + state->user_domain, + state->host_domain, +@@ -2102,6 +2107,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) + DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); + ret = process_offline_gpos(state, + state->user, ++ state->gpo_implicit_deny, + state->gpo_mode, + state->user_domain, + state->host_domain, +@@ -2766,6 +2772,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) + state->gpo_mode, + state->gpo_map_type, + state->user, ++ state->gpo_implicit_deny, + state->user_domain, + state->host_domain); + if (ret != EOK) { +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index afe21c4..c74441a 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,7 +26,7 @@ Name: sssd Version: 2.3.0 -Release: 8%{?dist} +Release: 9%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
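Review bot: The fail-closed outcome for `ad_gpo_implicit_deny = True` with no allow rules is only implicit in the new condition `if (allowed_size == 0 && !gpo_implicit_deny)`: that case now falls into the `else` branch and depends on `check_rights()` (not shown in the hunk) reporting no match for a zero-length allow list. Making the decision explicit, `if (allowed_size == 0) { access_granted = !gpo_implicit_deny; }`, keeps the security default readable and independent of how `check_rights()` treats an empty list; the deny-list evaluation described by the man-page table presumably lives outside this hunk and is unaffected. Because this release tightens behavior for deployments that already set the option, a log line on the new denial path, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "No allow rules and ad_gpo_implicit_deny is set, denying access\n");`, would help operators diagnose lockouts. Note also that `bool gpo_implicit_deny` is inserted mid-parameter-list in `ad_gpo_access_check()` and `ad_gpo_perform_hbac_processing()`; a caller outside this patch that was not updated would still compile (with a warning) since C converts a pointer to `bool` implicitly, so it is worth confirming no callers exist beyond those touched here. Both function bodies continue outside the hunk.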
@@ -77,6 +77,7 @@ Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch Patch0041: 0041-man-clarify-AD-certificate-rule.patch Patch0042: 0042-config-allow-prompting-options-in-configuration.patch Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch +Patch0044: 0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch ### Downstream Patches ### @@ -1249,6 +1250,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon Sep 14 2020 Alexey Tikhonov - 2.3.0-9 +- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied + * Fri Aug 21 2020 Alexey Tikhonov - 2.3.0-8 - Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema