When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.

However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.

This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
From 3ef7523f4e0e8bd6a5e182bd64790b6ab9f5c310 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Mon, 20 Apr 2015 10:51:04 -0400
Subject: [PATCH] AD GPO: Change default to "enforcing"

When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.

However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.

This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
---
 configure.ac               |  1 +
 src/conf_macros.m4         | 22 ++++++++++++++++++++++
 src/man/Makefile.am        |  7 ++++++-
 src/man/sssd-ad.5.xml      |  5 ++++-
 src/providers/ad/ad_opts.h |  3 ++-
 5 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index e30405f3a17ffd2c9899b6eb17af85ec9bc15234..b349d0c9036e1ece46df2848f841e236a6bde92c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,10 +121,11 @@ WITH_PYTHON2_BINDINGS
 WITH_PYTHON3_BINDINGS
 WITH_CIFS_PLUGIN_PATH
 WITH_SELINUX
 WITH_NSCD
 WITH_SEMANAGE
+WITH_AD_GPO_DEFAULT
 WITH_GPO_CACHE_PATH
 WITH_NOLOGIN_SHELL
 WITH_APP_LIBS
 WITH_SUDO
 WITH_SUDO_LIB_PATH
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 9ed0a4c44c209e88fc896d0cd3040cb572b358c9..571d636718997511a5e63811130762440ba41dfc 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -784,5 +784,27 @@ AC_DEFUN([WITH_SSSD_USER],
 
     AC_SUBST(SSSD_USER)
     AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
     AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
   ])
+
+  AC_DEFUN([WITH_AD_GPO_DEFAULT],
+    [ AC_ARG_WITH([ad-gpo-default],
+                  [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+                                  [Default enforcing level for AD GPO access-control (enforcing)]
+                                 )
+                  ]
+                 )
+      GPO_DEFAULT=enforcing
+
+      if test x"$with_ad_gpo_default" != x; then
+          if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then 
+              AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+          else
+              GPO_DEFAULT=$with_ad_gpo_default
+          fi
+      fi
+
+      AC_SUBST(GPO_DEFAULT)
+      AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+      AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+  ])
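Review bot: The error message on the `AC_MSG_ERROR` line relies on nested, unquoted double quotes, which is fragile once m4 and the shell both get a turn at it; the argument should be m4-quoted so the quotes reach the shell intact, e.g. `AC_MSG_ERROR([--with-ad-gpo-default must be "enforcing" or "permissive", got "$with_ad_gpo_default"])`, which also tells the packager which value was rejected. The literal brackets in the help string `--with-ad-gpo-default=[enforcing|permissive]` are m4 quote characters at that nesting level and will most likely be stripped from the `./configure --help` output; `@<:@enforcing|permissive@:>@` is the usual way to print them literally. Note also that `--without-ad-gpo-default` sets the variable to `no` and therefore lands in the error path, which is acceptable but worth a one-line comment since this flag decides whether an unconfigured host fails closed or open. There is trailing whitespace after `then` on the inner `if` line.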
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dcea7bb033c9653452075ef92b7d52f7c1..1ef1da48cce74f7d1ad77e3751ee6ac3450f0259 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -22,11 +22,16 @@ if BUILD_PAC_RESPONDER
 PAC_RESPONDER_CONDS = ;with_pac_responder
 endif
 if BUILD_IFP
 IFP_CONDS = ;with_ifp
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
 
 
 #Special Rules:
 export SGML_CATALOG_FILES
 DOCBOOK_XSLT = @DOCBOOK_XSLT@
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a404527bbd279deadc08b17549c517773719..938a443e027b9bf83c75c240a7d6b2a0876b92c8 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -322,13 +322,16 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
                                         value were set to enforcing.
                                     </para>
                                 </listitem>
                             </itemizedlist>
                         </para>
-                        <para>
+                        <para condition="gpo_default_permissive">
                             Default: permissive
                         </para>
+                        <para condition="gpo_default_enforcing">
+                            Default: enforcing
+                        </para>
                     </listitem>
                 </varlistentry>
 
                 <varlistentry>
                     <term>ad_gpo_cache_timeout (integer)</term>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 0b7255a828e95785d31437968a37bc20fbf62aef..84881861af4551e88adeac7aaba1b0d18d43bcb5 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -25,10 +25,11 @@
 
 #include "src/providers/data_provider.h"
 #include "db/sysdb_services.h"
 #include "db/sysdb_autofs.h"
 #include "providers/ldap/ldap_common.h"
+#include "config.h"
 
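Review bot: `#include "config.h"` is added to this header after the project includes, whereas an autoconf-generated config.h conventionally has to be the first include of a translation unit so that any feature-test macros it defines (for example `_GNU_SOURCE` when `AC_USE_SYSTEM_EXTENSIONS` is in use) take effect before system headers are pulled in. If every .c file that includes ad_opts.h already includes config.h first, which I cannot see from this hunk, the new line is redundant but harmless; otherwise it can silently change which header sees the feature macros first. Either drop it and rely on the includer, or, if the header must be self-contained, add a comment such as `/* config.h supplies AD_GPO_ACCESS_MODE_DEFAULT; includers are expected to have included it before any system header */`.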
 struct dp_option ad_basic_opts[] = {
     { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -36,11 +37,11 @@ struct dp_option ad_basic_opts[] = {
     { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
-    { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+    { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
     { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
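Review bot: The default for `ad_gpo_access_control` is now a build-time string rather than a literal, so a reader of this table can no longer tell whether a given binary fails closed ("enforcing") or merely warns ("permissive") without consulting config.h; add a comment above the entry, e.g. `/* Build-time default from --with-ad-gpo-default (enforcing unless the packager overrides it); permissive only warns that the GPO policy is not being honored. */`. Because distributions can flip this, the access-control posture of a host with no explicit `ad_gpo_access_control` in sssd.conf now depends on who built the package, so the daemon should log the effective mode at startup so an operator can confirm it; that code is outside this hunk. The `ad_basic_opts` array continues past the end of the hunk.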
-- 
2.3.5
