On 10/10/19 11:43 AM, Emil Petersson wrote:
Ok, thanks, that explains it.

All I want is a way to make sure that a user to whom I have not explicitly 
allowed access is denied. In other words... default behaviour for all logins 
should always be DENY, regardless of number of GPOs found. Obviously, a GPO 
that does contain access control rules should override this default behavior.

Right now we are forced to fall back to either "access_provider=simple" or 
"ad_access_filter" just to make sure that the default behavior for logins is DENY, which 
unfortunately defeats the whole idea of using GPO for access control.

Any advice on how to achieve my desired functionality is appreciated.

Thanks!

Currently your only way is to actually define the GPO
on the AD server. I would probably put it to a separate GPO,
something like access_control_gpo and define these rules there:

Allow log on locally
Allow log on through remote desktop services
Allow log on as a service
Allow log on as a batch job
Access this computer from the network

Define these rules and put the Administrators group in all of them.
Then you can add whatever user/group you want to login (you are probably mostly interested in the Allow log on locally and Allow log on through remote desktop services if you are using default PAM to GPO rule mapping, but it is still better to define all these rules explicitly if you really want a complete whitelist on the server).

Or alternatively make all GPOs on the server not applicable
to the SSSD host (but I agree that this is kind of a clumsy
solution if you have many GPOs, so it is better to go
with the above and define the policies).


Regarding SSSD side options.
Maybe we should add a stronger mode for ad_gpo_implicit_deny to
"only allow explicitly allowed" users/groups not only
deny access if there are no applicable GPOs. I think such
option would be a good hardening option, but it would basically
ignore all Deny rules on the server (OTOH if someone wants to
allow only whitelisted users/groups they would not use deny
rules, so that is actually not a problem). Will you file
an RFE or should I? Feel free to copy paste this discussion
to the ticket.

Michal
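The three behaviours discussed in this thread (allow when no GPO applies, ad_gpo_implicit_deny, and the proposed "only explicitly allowed" mode), as an added Python model that is not SSSD's code. The GptTmpl.inf contents, the SIDs other than BUILTIN\Administrators, and the PAM-service-to-right mapping are constructed, and `explicit_only` stands for the proposed mode, which is not an existing option.

```python
# Constructed sample: the [Privilege Rights] section of a GptTmpl.inf as stored
# under SYSVOL. S-1-5-32-544 is BUILTIN\Administrators; the S-1-5-21-0-0-0-*
# SIDs are placeholders for a domain group and domain users.
ACCESS_CONTROL_GPO = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-0-0-0-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-0-0-0-1105
SeServiceLogonRight = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544
"""
# A GPO that applies to the host but defines no logon rights at all (constructed).
UNRELATED_GPO = "[Unicode]\nUnicode=yes\n[Registry Values]\nExample=1,1\n"

# Simplified PAM service -> logon right mapping in the spirit of the defaults
# (assumption; the real mapping is configurable via ad_gpo_map_* options).
SERVICE_TO_RIGHT = {"login": "Interactive", "sshd": "RemoteInteractive", "crond": "Batch"}

def parse_privilege_rights(gpttmpl: str) -> dict:
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in gpttmpl.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            rights[name] = {sid.strip().lstrip("*") for sid in value.split(",") if sid.strip()}
    return rights

def access_allowed(gpos, service, user_sids, implicit_deny=False, explicit_only=False):
    """Model of the modes discussed in the thread, not SSSD's implementation.
    explicit_only models the proposed stricter mode (hypothetical, not an option)."""
    if not gpos:                          # no applicable GPO at all
        return not (implicit_deny or explicit_only)
    right = SERVICE_TO_RIGHT[service]
    allowed, denied = set(), set()
    for gpo in gpos:                      # rights accumulate across applicable GPOs
        rights = parse_privilege_rights(gpo)
        allowed |= rights.get(f"Se{right}LogonRight", set())
        denied |= rights.get(f"SeDeny{right}LogonRight", set())
    if denied & user_sids:                # any Deny rule wins
        return False
    if not allowed:                       # GPOs apply but none defines this right
        return not explicit_only
    return bool(allowed & user_sids)      # explicit whitelist is enforced
```

The case that bites here is `access_allowed([UNRELATED_GPO], "sshd", ...)` with `implicit_deny=True`: a GPO is found, so the implicit deny never triggers and the user gets in; only the separate access_control GPO with Administrators in every right (or the proposed stricter mode) closes that gap.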
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
