When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value.
From 3ef7523f4e0e8bd6a5e182bd64790b6ab9f5c310 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Mon, 20 Apr 2015 10:51:04 -0400
Subject: [PATCH] AD GPO: Change default to "enforcing"

When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments.

However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value.
---
 configure.ac | 1 +
 src/conf_macros.m4 | 22 ++++++++++++++++++++++
 src/man/Makefile.am | 7 ++++++-
 src/man/sssd-ad.5.xml | 5 ++++-
 src/providers/ad/ad_opts.h | 3 ++-
 5 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index e30405f3a17ffd2c9899b6eb17af85ec9bc15234..b349d0c9036e1ece46df2848f841e236a6bde92c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,10 +121,11 @@ WITH_PYTHON2_BINDINGS
 WITH_PYTHON3_BINDINGS
 WITH_CIFS_PLUGIN_PATH
 WITH_SELINUX
 WITH_NSCD
 WITH_SEMANAGE
+WITH_AD_GPO_DEFAULT
 WITH_GPO_CACHE_PATH
 WITH_NOLOGIN_SHELL
 WITH_APP_LIBS
 WITH_SUDO
 WITH_SUDO_LIB_PATH
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 9ed0a4c44c209e88fc896d0cd3040cb572b358c9..571d636718997511a5e63811130762440ba41dfc 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -784,5 +784,27 @@ AC_DEFUN([WITH_SSSD_USER],
 
 AC_SUBST(SSSD_USER)
 AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
 AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
 ])
+
+ AC_DEFUN([WITH_AD_GPO_DEFAULT],
+ [ AC_ARG_WITH([ad-gpo-default],
+ [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+ [Default enforcing level for AD GPO access-control (enforcing)]
+ )
+ ]
+ )
+ GPO_DEFAULT=enforcing
+
+ if test x"$with_ad_gpo_default" != x; then
+ if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then
+ AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+ else
+ GPO_DEFAULT=$with_ad_gpo_default
+ fi
+ fi
+
+ AC_SUBST(GPO_DEFAULT)
+ AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+ AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+ ])
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dcea7bb033c9653452075ef92b7d52f7c1..1ef1da48cce74f7d1ad77e3751ee6ac3450f0259 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -22,11 +22,16 @@ if BUILD_PAC_RESPONDER
 PAC_RESPONDER_CONDS = ;with_pac_responder
 endif
 if BUILD_IFP
 IFP_CONDS = ;with_ifp
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
 
 
 #Special Rules:
 export SGML_CATALOG_FILES
 DOCBOOK_XSLT = @DOCBOOK_XSLT@
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a404527bbd279deadc08b17549c517773719..938a443e027b9bf83c75c240a7d6b2a0876b92c8 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
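Review bot: The `AC_MSG_ERROR` call in the new WITH_AD_GPO_DEFAULT macro contains five double-quote characters, an odd number, so unless autoconf escapes them for you the generated configure script either fails to parse at that `if` or emits the words enforcing/permissive unquoted; bracket-quote the message and use single quotes inside it: `AC_MSG_ERROR([--with-ad-gpo-default must be either 'enforcing' or 'permissive'])`. The `test ! ... -a ! ...` form is marked obsolescent by POSIX and the double negation is hard to read; `case "$with_ad_gpo_default" in enforcing|permissive) GPO_DEFAULT=$with_ad_gpo_default ;; *) AC_MSG_ERROR(...) ;; esac` expresses the same check directly. Note that `--without-ad-gpo-default` sets the variable to `no` and therefore also hits the error path, which is fine but worth a word in the help string since the option is a security default.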
@@ -322,13 +322,16 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
 value were set to enforcing.
 </para>
 </listitem>
 </itemizedlist>
 </para>
- <para>
+ <para condition="gpo_default_permissive">
 Default: permissive
 </para>
+ <para condition="gpo_default_enforcing">
+ Default: enforcing
+ </para>
 </listitem>
 </varlistentry>
 
 <varlistentry>
 <term>ad_gpo_cache_timeout (integer)</term>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 0b7255a828e95785d31437968a37bc20fbf62aef..84881861af4551e88adeac7aaba1b0d18d43bcb5 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -25,10 +25,11 @@
 
 #include "src/providers/data_provider.h"
 #include "db/sysdb_services.h"
 #include "db/sysdb_autofs.h"
 #include "providers/ldap/ldap_common.h"
+#include "config.h"
 
 struct dp_option ad_basic_opts[] = {
 { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -36,11 +37,11 @@ struct dp_option ad_basic_opts[] = {
 { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+ { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
 { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
 { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-- 
2.3.5
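Review bot: In the first ad_opts.h hunk `#include "config.h"` is added after the project headers, whereas an autoconf-generated config header is conventionally included first so that its feature macros are visible to every header below it; here only `AD_GPO_ACCESS_MODE_DEFAULT` is consumed, so the order is harmless today, but placing the line above `#include "src/providers/data_provider.h"` follows the convention and costs nothing (re-including config.h with identical definitions is harmless). If the project already includes config.h from a common header, the explicit include can be dropped instead.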
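Review bot: The new initializer `{ AD_GPO_ACCESS_MODE_DEFAULT }` in the second ad_opts.h hunk changes the effective access-control mode for every existing sssd.conf that omits `ad_gpo_access_control`, and nothing at the line tells a reader that the value is fixed at build time; a comment such as `/* build-time default, --with-ad-gpo-default (src/conf_macros.m4) */` above the entry would save the next maintainer a grep. The macro is a plain string, so the runtime parser for this option (outside this hunk) presumably compares it against the two spellings; the configure check only guarantees the build-time value is one of them, so the parser's handling of an unrecognised user-supplied value remains the place where a typo could silently weaken the policy.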