On 9/11/19 10:56 AM, Emil Petersson wrote:
Even when I reconfigure AD to make sure there are no applicable GPOs found, I'm still granted access with my unprivileged user.
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 0
...snip...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1107582786-xxx-2594897426-2570
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-1107582786-xxx-2594897426-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400): access_granted = 1
[ad_gpo_access_check] (0x0400): access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.
In this case, shouldn't the new feature "ad_gpo_implicit_deny" kick in and make sure the user is denied?
Hi,
You are correct.
It should deny access to the user. Both this log and the log from your previous email look like there is some issue with SSSD. I will try to reproduce it locally, but from the logs you provided it looks like a bug.
Michal
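As an added example (not part of this thread and not SSSD's own code), the Python below parses an ad_gpo_access_check debug excerpt like the one quoted above and compares the logged decision with what the documented ad_gpo_implicit_deny semantics predict, which is a quick way to confirm the behaviour Emil describes from a log alone. The SIDs in the sample are constructed, and the allowed_sids[i]/denied_sids[i] key names and the decision model are my assumptions about the format and the intended rule, not a reading of SSSD's source.

```python
import re

# Constructed sample modelled on the sssd debug excerpt in the thread
# (placeholder SIDs, not the ones from the report).
SAMPLE_LOG = """\
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 0
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1111111111-2222222222-3333333333-2570
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-1111111111-2222222222-3333333333-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): access_granted = 1
[ad_gpo_access_check] (0x0400): access_denied = 0
"""

# Matches "key = value" and "key[i] = value" lines of the access-check block.
KV = re.compile(r"\[ad_gpo_access_check\] \(0x0400\): (\w+(?:\[\d+\])?) = (\S+)")

def parse_access_check(log: str) -> dict:
    """Collect the facts of one ad_gpo_access_check block into a dict.
    Assumption: allow/deny entries are logged as allowed_sids[i]/denied_sids[i]."""
    facts = {"allowed_sids": [], "denied_sids": [], "group_sids": []}
    for key, val in KV.findall(log):
        base = key.split("[")[0]
        if base in facts and isinstance(facts[base], list):
            facts[base].append(val)
        elif base in ("allowed_size", "denied_size", "access_granted", "access_denied"):
            facts[base] = int(val)
        else:
            facts[base] = val
    return facts

def expected_decision(facts: dict, implicit_deny: bool) -> bool:
    """Model of the documented rule: with ad_gpo_implicit_deny the user (or a
    group) must appear in the allow list; without it, an empty allow list means
    no restriction. A matching deny entry always wins."""
    principals = {facts.get("user_sid"), *facts["group_sids"]} - {None}
    allowed = set(facts["allowed_sids"])
    granted = True if (not allowed and not implicit_deny) else bool(principals & allowed)
    denied = bool(principals & set(facts["denied_sids"]))
    return granted and not denied

def audit(log: str, implicit_deny: bool) -> dict:
    """Compare what SSSD logged with what the configured rule should produce."""
    facts = parse_access_check(log)
    logged = facts.get("access_granted") == 1 and facts.get("access_denied") == 0
    expected = expected_decision(facts, implicit_deny)
    return {"logged_allow": logged, "expected_allow": expected, "consistent": logged == expected}
```

Run against the sample with implicit_deny=True the audit reports an inconsistency (logged allow, expected deny); with implicit_deny=False the logged decision matches the default allow-when-no-GPO behaviour.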