[SSSD-users] AD user is granted access when it should be denied

2019-10-11 Thread Emil Petersson
> Regarding SSSD side options.
> Maybe we should add a stronger mode for ad_gpo_implicit_deny to
> "only allow explicitly allowed" users/groups, not only
> deny access if there are no applicable GPOs. I think such an
> option would be a good hardening option, but it would basically
> ignore all Deny rules on the server (OTOH if someone wants to
> allow only whitelisted users/groups they would not use deny
> rules, so that is actually not a problem). Will you file
> an RFE or should I? Feel free to copy-paste this discussion
> to the ticket.

I've created what I hope counts as an RFE at 
https://pagure.io/SSSD/sssd/issue/4097, with our conversation included. Thanks!
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: AD user is granted access when it should be denied

2019-10-10 Thread Emil Petersson
Ok, thanks, that explains it.

All I want is a way to make sure that a user whom I have not explicitly 
allowed access is denied. In other words, the default behaviour for all logins 
should always be DENY, regardless of the number of GPOs found. Obviously, a GPO 
that does contain access control rules should override this default behaviour. 

Right now we are forced to fall back to either "access_provider=simple" or 
"ad_access_filter" just to make sure that the default behaviour for logins is 
DENY, which unfortunately defeats the whole idea of using GPO for access 
control.

Any advice on how to achieve my desired functionality is appreciated.

Thanks!


[SSSD-users] Re: AD user is granted access when it should be denied

2019-10-03 Thread Emil Petersson
Hi,

The docs for ad_gpo_implicit_deny read:

"Normally when no applicable GPOs are found the users are allowed access. When 
this option is set to True users will be allowed access only when explicitly 
allowed by a GPO rule. Otherwise users will be denied access. This can be used 
to harden security but be careful when using this option because it can deny 
access even to users in the built-in Administrators group if no GPO rules apply 
to them."

In my case, there are GPOs found, it's just that none of them touches 
RemoteInteractiveLogonRight or DenyRemoteInteractiveLogonRight.

Does ad_gpo_implicit_deny work in such a way that it's only effective when no 
(0) GPOs are found? That might explain the behaviour I'm seeing. If this is the 
case, I suggest that ad_gpo_implicit_deny should be effective also when none of 
the detected GPOs explicitly allows or denies remote logon.


[SSSD-users] Re: AD user is granted access when it should be denied

2019-09-11 Thread Emil Petersson
Even when I reconfigure AD to make sure there are no applicable GPOs found, I'm 
still granted access with my unprivileged user.

[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 0
...snip...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-1107582786-xxx-2594897426-2570
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-1107582786-xxx-2594897426-513
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400):   access_granted = 1
[ad_gpo_access_check] (0x0400):   access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.

In this case, shouldn't the new feature "ad_gpo_implicit_deny" kick in and make 
sure the user is denied?


[SSSD-users] AD user is granted access when it should be denied

2019-09-11 Thread Emil Petersson
Hi,

I am running sssd-1.16.4-21.el7.x86_64 (from the CR repo) on a CentOS 7 client. I 
authenticate to AD 2016, and control access to servers using GPO. For some 
reason, a completely unprivileged user in AD is allowed to log in, and I'd like 
to understand why.

Here's a sanitized sssd.conf:

[sssd]
domains = prd.domain.com
config_file_version = 2
services = nss, pam, sudo
full_name_format = %1$s
default_domain_suffix = prd.domain.com

[domain/prd.domain.com]
debug_level = 9
ad_domain = prd.domain.com
ad_site = XX1
ad_server = dc000.prd.domain.com, dc001.prd.domain.com
krb5_realm = PRD.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
ldap_sudo_search_base = DC=domain,DC=com
entry_cache_sudo_timeout = 10
enumerate = true
dyndns_update = false
ad_gpo_access_control = enforcing
ldap_idmap_default_domain_sid = S-1-5-21-6607581186-1994368826-2594857426
ldap_idmap_default_domain = prd.domain.com
ad_gpo_implicit_deny = true
auto_private_groups = true
ad_gpo_ignore_unreadable = true

When I try to SSH to the client using my unprivileged user, I am getting the 
following output from the SSSD debug:

[sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [*S-1-5-32-546]
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400):  denied_sids[0] = S-1-5-32-546
... snip ...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400):   access_granted = 1
[ad_gpo_access_check] (0x0400):   access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.

I'm trying to understand why this user is being granted access. I find it 
especially confusing as there is clearly one deny SID and no allow SIDs 
detected. The wanted behaviour is that the user should be denied access as long 
as I've not explicitly allowed it in AD.

Thanks!


[SSSD-users] Re: AD 2016 integration GPO weirdness

2019-02-08 Thread Emil Petersson

On 2019-02-08 18:06, Michal Židek wrote:

On 2/8/19 3:13 PM, Emil Petersson wrote:

Hi,

I am trying to configure Active Directory integration with SSSD. AD is 
running on 2016, and my clients are CentOS 7.6, running SSSD 
1.16.2-13.el7.


I want to control client access using AD GPO.

The issue I'm seeing is that any user is allowed to log on to the 
client, regardless of whether they are allowed by a GPO or not.


The clients were successfully joined to AD by running:
realm join --user=username --computer-ou='OU=Linux,OU=Servers,OU=XXX,DC=XXX,DC=XXX,DC=net' xxx.xxx.net


The client sssd.conf looks like this:

[sssd]
domains = xxx.xxx.net
config_file_version = 2
services = nss, pam
full_name_format = %1$s
default_domain_suffix = xxx.xxx.net

[domain/xxx.xxx.net]
debug_level = 9
ad_domain = xxx.xxx.net
krb5_realm = XXX.XXX.NET
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_access_control = enforcing
dyndns_update = false

When trying to log in with an unauthorized user, I get the following 
output from SSSD debug:


[ad_gpo_perform_hbac_processing] (0x4000): allow_key: SeRemoteInteractiveLogonRight
[ad_gpo_perform_hbac_processing] (0x4000): deny_key: SeDenyRemoteInteractiveLogonRight
[parse_policy_setting_value] (0x0400): No value for key [SeRemoteInteractiveLogonRight] found in gpo result
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 3
[ad_gpo_access_check] (0x0400):   denied_sids[0] = S-1-5-21-1107582786-1995068826-2594897426-4406
[ad_gpo_access_check] (0x0400):   denied_sids[1] = S-1-5-21-1107582786-1995068826-2594897426-4281
[ad_gpo_access_check] (0x0400):   denied_sids[2] = S-1-5-21-1107582786-1995068826-2594897426-4021
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-1107582786-1995068826-2594897426-5609
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-1107582786-1995068826-2594897426-5611
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-21-1107582786-1995068826-2594897426-513
[ad_gpo_access_check] (0x0400):   group_sids[2] = S-1-5-21-1107582786-1995068826-2594897426-5612
[ad_gpo_access_check] (0x0400):   group_sids[3] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400):   access_granted = 1
[ad_gpo_access_check] (0x0400):   access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.

I'm not understanding what's happening here. It's as if my test user 
is allowed by default. Could this be due to a PAM config?


I was expecting to be denied login until I've explicitly set up a GPO 
to allow login :)


Any help is much appreciated!




(ok, one more time now with the sssd-users list included :) )

I think the implicit access granted is given when no policy applicable
to the user is found. There is an option to change this to implicit
deny with:
ad_gpo_implicit_deny = True

This is a relatively new option, so I'm not sure if it is available for your
version (check 'man sssd-ad' to see if the option is available).

If you add at least one "allow" GPO rule that applies to the user
(but does not list the user as allowed user, for example
if there is only Administrator allowed), then the user
would be denied access (the implicit allow would not
apply).

I see some deny rules were found, but those only say that
this user is not among those with denied access.

Michal


Thank you Michal, this explains the behaviour I'm seeing!

The reason for my issues was that my GPOs use Security Filtering with 
Computer objects in them. This is unsupported, as stated in the man page 
as well as on 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo#how-sssd-works-with-gpo

Do you know if there are plans for implementing support for GPOs with 
Security Filtering on computer objects in future versions of SSSD?


Thanks!
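A Python model of the decision Michal describes above and that the ad_gpo_implicit_deny docs quoted in the 2019-10-03 message refer to, written for this thread rather than taken from SSSD's source. The SIDs come from the first report's log, except S-1-5-32-544 (the well-known built-in Administrators SID); the explicit_only flag is an assumption standing in for the stricter "only allow explicitly allowed" mode proposed in the RFE, and implicit_deny is modelled as the thread concludes the option behaves today, denying only when no applicable GPO is found at all.

```python
# Model of the GPO logon-right decision discussed in this thread.
# Constructed example, not SSSD's code. SIDs come from the first post's
# log except S-1-5-32-544 (well-known built-in Administrators SID).

def merge_policy(gpos, allow_key, deny_key):
    """Concatenate each applicable GPO's entries for one allow/deny key pair,
    as the RESULTANT POLICY block of the debug log shows them."""
    allowed, denied = [], []
    for gpo in gpos:
        allowed.extend(gpo.get(allow_key, []))
        denied.extend(gpo.get(deny_key, []))
    return {"gpo_count": len(gpos), "allowed_sids": allowed, "denied_sids": denied}

def access_check(policy, user_sid, group_sids, implicit_deny=False, explicit_only=False):
    """Return (access_granted, access_denied), the POLICY DECISION fields.
    implicit_deny: ad_gpo_implicit_deny as the thread concludes it works, i.e. it
    only denies when no applicable GPO was found at all.
    explicit_only: assumed flag for the stronger mode proposed in the RFE, which
    grants only when an allow entry names the user or one of their groups."""
    principals = {user_sid, *group_sids}
    in_allowed = bool(principals & set(policy["allowed_sids"]))
    in_denied = bool(principals & set(policy["denied_sids"]))
    if policy["gpo_count"] == 0:
        granted = not implicit_deny
    elif not policy["allowed_sids"]:
        # GPOs apply but none sets the allow right: implicit allow
        granted = not explicit_only
    else:
        granted = in_allowed
    return granted and not in_denied, in_denied

ALLOW_KEY = "SeRemoteInteractiveLogonRight"
DENY_KEY = "SeDenyRemoteInteractiveLogonRight"
DOMAIN = "S-1-5-21-6607581186-1994368826-2594857426"
USER, GROUPS = DOMAIN + "-2570", [DOMAIN + "-513", "S-1-5-11"]
GUESTS, ADMINS = "S-1-5-32-546", "S-1-5-32-544"
GPO_DENY_GUESTS = {DENY_KEY: [GUESTS]}   # the only applicable GPO in the report
GPO_ALLOW_ADMINS = {ALLOW_KEY: [ADMINS]}  # Michal's fix: an allow rule that applies

def scenarios():
    """(access_granted, access_denied) for the reporter's user in each setup."""
    as_logged = merge_policy([GPO_DENY_GUESTS], ALLOW_KEY, DENY_KEY)
    with_allow = merge_policy([GPO_DENY_GUESTS, GPO_ALLOW_ADMINS], ALLOW_KEY, DENY_KEY)
    no_gpos = merge_policy([], ALLOW_KEY, DENY_KEY)
    return {
        "as_logged": access_check(as_logged, USER, GROUPS, implicit_deny=True),
        "explicit_only": access_check(as_logged, USER, GROUPS, explicit_only=True),
        "allow_rule_added": access_check(with_allow, USER, GROUPS),
        "no_gpos_implicit_deny": access_check(no_gpos, USER, GROUPS, implicit_deny=True),
    }
```

The "as_logged" case reproduces the access_granted = 1 / access_denied = 0 outcome from the report even with implicit deny on, while the other three show the remedies the thread discusses.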

[SSSD-users] AD 2016 integration GPO weirdness

2019-02-08 Thread Emil Petersson
Hi,

I am trying to configure Active Directory integration with SSSD. AD is running 
on 2016, and my clients are CentOS 7.6, running SSSD 1.16.2-13.el7.

I want to control client access using AD GPO.

The issue I'm seeing is that any user is allowed to log on to the client, 
regardless of whether they are allowed by a GPO or not.

The clients were successfully joined to AD by running: 
realm join --user=username --computer-ou='OU=Linux,OU=Servers,OU=XXX,DC=XXX,DC=XXX,DC=net' xxx.xxx.net

The client sssd.conf looks like this:

[sssd]
domains = xxx.xxx.net
config_file_version = 2
services = nss, pam
full_name_format = %1$s
default_domain_suffix = xxx.xxx.net

[domain/xxx.xxx.net]
debug_level = 9
ad_domain = xxx.xxx.net
krb5_realm = XXX.XXX.NET
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_access_control = enforcing
dyndns_update = false

When trying to log in with an unauthorized user, I get the following output 
from SSSD debug:

[ad_gpo_perform_hbac_processing] (0x4000): allow_key: SeRemoteInteractiveLogonRight
[ad_gpo_perform_hbac_processing] (0x4000): deny_key: SeDenyRemoteInteractiveLogonRight
[parse_policy_setting_value] (0x0400): No value for key [SeRemoteInteractiveLogonRight] found in gpo result
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 3
[ad_gpo_access_check] (0x0400):   denied_sids[0] = S-1-5-21-1107582786-1995068826-2594897426-4406
[ad_gpo_access_check] (0x0400):   denied_sids[1] = S-1-5-21-1107582786-1995068826-2594897426-4281
[ad_gpo_access_check] (0x0400):   denied_sids[2] = S-1-5-21-1107582786-1995068826-2594897426-4021
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400):   user_sid = S-1-5-21-1107582786-1995068826-2594897426-5609
[ad_gpo_access_check] (0x0400):   group_sids[0] = S-1-5-21-1107582786-1995068826-2594897426-5611
[ad_gpo_access_check] (0x0400):   group_sids[1] = S-1-5-21-1107582786-1995068826-2594897426-513
[ad_gpo_access_check] (0x0400):   group_sids[2] = S-1-5-21-1107582786-1995068826-2594897426-5612
[ad_gpo_access_check] (0x0400):   group_sids[3] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400):  access_granted = 1
[ad_gpo_access_check] (0x0400):   access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.

I'm not understanding what's happening here. It's as if my test user is allowed 
by default. Could this be due to a PAM config?

I was expecting to be denied login until I've explicitly set up a GPO to allow 
login :)

Any help is much appreciated!