As discussed on the sssd-users list HERE, there is a need for a hardened mode of the ad_gpo_implicit_deny directive, to always only allow explicitly allowed users.
Please see the conversation from the sssd-users list below:
All I want is a way to make sure that a user, which I have not explicitly allowed access, is denied. In other words... default behaviour for all logins should always be DENY, regardless of number of GPOs found. Obviously, a GPO that does contain access control rules should override this default behaviour.
Right now we are forced to fall back to either "access_provider=simple" or "ad_access_filter" just to make sure that the default behaviour for logins is DENY, which unfortunately defeats the whole idea of using GPO for access control.
Any advice on how to achieve my desired functionality is appreciated.
Reply from Michal:
Currently your only way is to actually define the GPO on the AD server. I would probably put it to a separate GPO, something like access_control_gpo and define these rules there:
- Allow log on locally
- Allow log on through remote desktop services
- Allow log on as a service
- Allow log on as a batch job
- Access this computer from the network
Define these rules and put Administrators group to all of them. Then you can add whatever user/group you want to login (you are probably mostly interested in the Allow log on locally and Allow log on through remote desktop services if you are using default PAM to GPO rule mapping, but it is still better to define all these rules explicitly if you really want a complete whitelist on the server).
Or alternatively make all GPOs on the server not applicable to the SSSD host (but I agree that this is kind of clumsy solution if you have many GPOs, so it is better to go with the above and define the policies).
Regarding SSSD side options. Maybe we should add a stronger mode for ad_gpo_implicit_deny to "only allow explicitly allowed" users/groups, not only deny access if there are no applicable GPOs. I think such option would be a good hardening option, but it would basically ignore all Deny rules on the server (OTOH if someone wants to allow only whitelisted users/groups they would not use deny rules, so that is actually not a problem). Will you file an RFE or should I? Feel free to copy paste this discussion to the ticket.
Michal
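The three behaviours the thread contrasts (the default of allowing when no GPO applies, the current ad_gpo_implicit_deny which only bites when zero GPOs are applicable, and the proposed "explicit allow only" mode) can be made concrete with a small decision model. This is an added illustration, not SSSD's code: the rule semantics are taken from the description in this thread, the SIDs and GPO names are constructed, and the explicit_allow_only mode is the hypothetical RFE mode, which, as Michal notes, ignores Deny rules.

```python
"""Illustrative model of the GPO logon-right decision discussed above.

Constructed example, not SSSD source. Modelled behaviours:
  - default:            no applicable GPO -> allow; applicable GPOs that
                        define no logon right -> allow (the complaint)
  - implicit_deny:      like default, but no applicable GPO -> deny
  - explicit_allow_only: hypothetical RFE mode; allow only if some
                        applicable GPO explicitly allows the user;
                        Deny rules are ignored
A user is represented by the set of SIDs it carries (own SID + groups).
"""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    allow: set = field(default_factory=set)  # SIDs granted the logon right
    deny: set = field(default_factory=set)   # SIDs denied the logon right


def gpo_access(user_sids, gpos, implicit_deny=False, explicit_allow_only=False):
    """Return True if access is granted under the selected mode."""
    user_sids = set(user_sids)
    if explicit_allow_only:
        # Hypothetical hardened mode: whitelist only, deny lists are not consulted.
        return any(user_sids & g.allow for g in gpos)
    if not gpos:
        # No applicable GPO at all: this is the only case implicit_deny changes.
        return not implicit_deny
    allowed = set().union(*(g.allow for g in gpos))
    denied = set().union(*(g.deny for g in gpos))
    if not allowed and not denied:
        # GPOs apply, but none defines the logon right: current behaviour allows.
        return True
    if user_sids & denied:
        return False
    return bool(user_sids & allowed)


# Constructed sample data (RID 512 = Domain Admins, others arbitrary).
DOMAIN = "S-1-5-21-1000-2000-3000"
ADMINS = f"{DOMAIN}-512"
OPS = f"{DOMAIN}-1101"
ALICE = f"{DOMAIN}-1105"
BOB = f"{DOMAIN}-1106"
CAROL = f"{DOMAIN}-1107"

# GPO following Michal's suggestion: Administrators plus a chosen group allowed.
ACCESS_GPO = Gpo("access_control_gpo", allow={ADMINS, OPS}, deny={CAROL})
# An applicable GPO that carries no logon-right settings at all.
UNRELATED_GPO = Gpo("screensaver_policy")


def evaluate_all():
    """Evaluate each constructed case under all three modes."""
    cases = {
        "alice/access_gpo": ({ALICE, OPS}, [ACCESS_GPO]),
        "bob/unrelated_gpo": ({BOB}, [UNRELATED_GPO]),
        "bob/no_gpo": ({BOB}, []),
        "carol/access_gpo": ({CAROL, OPS}, [ACCESS_GPO]),
    }
    results = {}
    for label, (sids, gpos) in cases.items():
        results[label] = {
            "default": gpo_access(sids, gpos),
            "implicit_deny": gpo_access(sids, gpos, implicit_deny=True),
            "explicit_allow_only": gpo_access(sids, gpos, explicit_allow_only=True),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_all().items():
        print(label, outcome)
```

The "bob/unrelated_gpo" case is the gap the reporter describes: an unrelated GPO is applicable, so implicit_deny does nothing and bob is still allowed; only the whitelist mode denies him. The "carol/access_gpo" case shows the trade-off Michal raises: a Deny entry that blocks carol today would be ignored by a pure whitelist mode.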
Metadata Update from @mzidek: - Issue assigned to mzidek
Metadata Update from @thalman: - Issue tagged with: Future milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5061
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)