Bug 7125 - modern sssd with Active Directory denies web access by default
Summary: modern sssd with Active Directory denies web access by default
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: 1.3.1
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Samuel Mannehed
Keywords: samuel_tester, upstream
Depends on:
Reported: 2018-03-08 15:44 CET by Pierre Ossman
Modified: 2023-11-14 14:04 CET (History)
2 users (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2018-03-08 15:44:40 CET
Modern sssd respects the GPOs from Active Directory that control which ways users are allowed to log in (e.g. locally, remotely). Some time recently this check was changed from permissive to enforcing. A fully updated Ubuntu 16.04 is enforcing, as is a Fedora 27. However RHEL 7 is still permissive even though it uses a recent sssd.

sssd has a map between PAM service name and the different GPO categories. A service that isn't in any map gets denied. And we use the service name "thinlinc" for web access.

The fix is to add the following to your sssd configuration for your domain:

> ad_gpo_map_remote_interactive = +thinlinc

This puts thinlinc in the same category as ssh.
Comment 1 Pierre Ossman cendio 2018-03-09 10:25:54 CET
Asked upstream to be included in their default list:

Comment 2 Pierre Ossman cendio 2018-03-13 13:42:02 CET
We'll do a platform specific note right away and then see what the next step is.
Comment 3 Pierre Ossman cendio 2018-03-19 14:54:22 CET
A platform specific note has now been added.
Comment 4 Samuel Mannehed cendio 2018-03-20 10:50:15 CET
The PSN looks good, verified that it solves the problem.
Comment 5 Pierre Ossman cendio 2018-03-20 13:07:33 CET
For reference, the platform specific note is in the general section:


For now we'll wait and see if upstream continues with their plans to allow us to drop extra configuration in /etc/sssd/conf.d.

Note You need to log in before you can comment on or make changes to this bug.