
Pluggable handling of GPO CSEs #7732

Open
arrowd opened this issue Dec 2, 2024 · 3 comments

Comments

@arrowd

arrowd commented Dec 2, 2024

At the moment SSSD only processes the "Security" extension of AD GPO. However, it already has the code that fetches GPOs from LDAP (ad_gpo.c) and policy files from SYSVOL (gpo_child).

It seems like a good idea for SSSD to provide the ability to handle arbitrary CSEs by downloading their data somewhere on disk (maybe even /gpo_cache/) and then calling some user-defined program. Maybe the other way around would also be useful: some way to ask SSSD to download/refresh a given GPO.

@sumit-bose
Contributor

Hi,

can you describe in more details what use-case you have in mind?

You are right, the SSSD code should be flexible enough to load GPOs for any CSE. But I currently have no good idea how to make them available to other services. Currently the directory permissions of /gpo_cache/ only allow the user running SSSD to access them. And since the GPO files might contain sensitive information, I think the permissions shouldn't be more open. On the other hand, as you might have seen, we try to make SSSD run as a non-root user with privileges/capabilities stripped down as much as possible. So most probably an SSSD process won't have the ability to write into directories owned by other users or services. So it would be good to know more details about what you have in mind.

bye,
Sumit

@arrowd
Author

arrowd commented Dec 5, 2024

I started with making the OS adhere to the maximum password age policy. Given the GptTmpl.inf file I can easily pull out the value for the MaximumPasswordAge key and use it to set the password expiration date in /etc/passwd. My code runs as a privileged daemon, so permissions aren't really a problem. Right now my daemon simply looks for /var/lib/sss/gpo_cache/${domainName}/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf. But I have no way to ask SSSD to download/refresh this cache.

Under the hood SSSD only reacts to the 827D319E-6EAC-11D2-A4EA-00C04F79F83A GUID corresponding to the Security CSE. But there are a lot of other useful policies that can be pulled like 74EE6C03-5363-4554-B161-627540339CAB, which allows changing arbitrary INI files in the system.

Another use-case for a different CSE I have in mind is the following. A lot of DBus services use Polkit to authorize callers of their APIs. Default policies can be overridden using an additional config, which may come from a GPO in the same way as the GptTmpl.inf file.

So, in a nutshell, what I need from SSSD is a way to download a specified CSE policy from LDAP/SMB, optionally performing additional processing like it is done for Security (SOM filtering, GPO prioritizing, etc.).

@arrowd
Author

arrowd commented Dec 16, 2024

I moved on to the "group policy restricted groups" thingy, but it turned out that it belongs to the same CSE and the settings end up in the same GptTmpl.inf file. I will report back when I get to a different CSE.
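The GptTmpl.inf handling described in the Dec 5 and Dec 16 comments (locating the file in SSSD's gpo_cache, pulling MaximumPasswordAge out of [System Access], and reading the Restricted Groups entries from [Group Membership] of the same file), as an added, self-contained example. This is neither SSSD code nor arrowd's daemon. Assumptions: the cache layout is the one quoted in the Dec 5 comment; real GptTmpl.inf files are UTF-16LE with a BOM, so the embedded sample (constructed here, not a real policy) is encoded the same way; a MaximumPasswordAge of -1 (or less) is treated as "never expires". Where the resulting expiry date is written (/etc/passwd, /etc/shadow, master.passwd) is OS-specific and is left to the caller.

```python
import configparser
from datetime import date, timedelta
from pathlib import PurePosixPath
from typing import Optional, Union

# Constructed sample GptTmpl.inf for offline use; it is NOT a real policy file.
# Real files are normally UTF-16LE with a BOM, so the sample is encoded that way.
SAMPLE_GPTTMPL = b"\xff\xfe" + """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1104
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16-le")

# Cache layout as quoted in the issue (assumed here, not read from SSSD).
GPO_CACHE = "/var/lib/sss/gpo_cache"
SECEDIT_REL = "Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"


def gpttmpl_cache_path(domain: str, gpo_guid: str, base: str = GPO_CACHE) -> str:
    """Path where SSSD caches the Security CSE template for one GPO."""
    return str(PurePosixPath(base) / domain / "Policies" / gpo_guid / SECEDIT_REL)


def parse_gpttmpl(data: bytes) -> configparser.ConfigParser:
    """Parse GptTmpl.inf bytes, honouring the UTF-16 BOM real files carry."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")  # codec consumes the BOM
    else:
        text = data.decode("utf-8")
    # interpolation=None: values like "$CHICAGO$" must not be expanded.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case, e.g. MaximumPasswordAge
    cfg.read_string(text)
    return cfg


def max_password_age_days(cfg: configparser.ConfigParser) -> Optional[int]:
    """MaximumPasswordAge in days, or None when unset or <= 0 (assumed: never expires)."""
    value = cfg.get("System Access", "MaximumPasswordAge", fallback=None)
    if value is None:
        return None
    days = int(value.strip().strip('"'))
    return None if days <= 0 else days


def password_expiry(last_change: Union[date, str], max_age_days: Optional[int]) -> Optional[date]:
    """Expiry date derived from the last password change, or None for no expiry."""
    if isinstance(last_change, str):
        last_change = date.fromisoformat(last_change)
    if max_age_days is None:
        return None
    return last_change + timedelta(days=max_age_days)


def restricted_group_members(cfg: configparser.ConfigParser) -> dict:
    """Map each restricted group SID to the member SIDs listed under [Group Membership].

    Keys look like '*<group SID>__Members'; SIDs are prefixed with '*' in the file.
    """
    result = {}
    if not cfg.has_section("Group Membership"):
        return result
    for key, value in cfg.items("Group Membership"):
        if not key.endswith("__Members"):
            continue
        group = key[: -len("__Members")].lstrip("*")
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        result[group] = members
    return result


if __name__ == "__main__":
    cfg = parse_gpttmpl(SAMPLE_GPTTMPL)
    print(gpttmpl_cache_path("example.test", "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
    age = max_password_age_days(cfg)
    print("MaximumPasswordAge:", age)
    print("expiry for a password changed 2024-12-05:", password_expiry("2024-12-05", age))
    print("restricted groups:", restricted_group_members(cfg))
```

On a real host the bytes would come from the cached file path instead of SAMPLE_GPTTMPL; note that the cache directory is readable only by the SSSD user, as the reply above states, so the reader must run with matching privileges.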
