author: David Mulder <dmulder@samba.org> 2022-11-17 16:33:24 -0700
committer: Jeremy Allison <jra@samba.org> 2022-11-21 21:01:31 +0000
commit: ca5f8072a4c7be6fdebef494664a27bbd73340ff
tree: 14d4bd939a1673959ba7849f5ead4d74185b68b8 /python/samba/netcmd/gpo.py
parent: 9f6cf276e22b82601a81286fabeae5303f58339c
gp: PAM Access should implicitly deny ALL w/ allow
If an allow entry is specified, the PAM Access CSE should implicitly deny ALL (everyone other than the explicit allow entries).

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'python/samba/netcmd/gpo.py')
-rw-r--r-- python/samba/netcmd/gpo.py 3
1 files changed, 2 insertions, 1 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
index 2bcee59bd93..9cd08273aaa 100644
--- a/python/samba/netcmd/gpo.py
+++ b/python/samba/netcmd/gpo.py
@@ -3815,7 +3815,8 @@ class cmd_add_access(Command):
"""Adds a VGP Host Access Group Policy to the sysvol
This command adds a host access setting to the sysvol for applying to winbind
-clients.
+clients. Any time an allow entry is detected by the client, an implicit deny
+ALL will be assumed.
Example:
samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
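Review bot: the sentence added to the cmd_add_access docstring ("Any time an allow entry is detected by the client, an implicit deny ALL will be assumed.") is less precise than the commit message, which spells out that ALL means everyone other than the explicit allow entries. Suggest carrying that wording into the help text and stating the consequence for the administrator: once the first allow entry is applied, every account not named in an allow entry is denied, so each account that still needs to log in must get its own allow entry. The example directly below adds a single allow entry for goodguy, and a short line noting that this restricts access to goodguy alone would make the behaviour visible to someone copying the command.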