Chapter 23. Policy: Group Policy Object Access Control
Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in AD environments. A group policy object (GPO) is a collection of policy settings, such as name and value pairs, that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users.
GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments. SSSD can retrieve GPOs applicable to host systems and AD users; based on the retrieved GPO configuration, it determines if a user is allowed to log on to a particular host. Therefore, with the GPO-based access control provided by SSSD, the administrator can define login policies that are honored by both Red Hat Enterprise Linux and Windows clients centrally on the AD DC.
Note
SSSD supports GPOs only for computer-based access control. Other GPO-related access control options are currently not supported.
Warning
Note that SSSD only handles rules that apply to a whole site, domain, or AD organizational unit (OU). If you want to apply the SSSD-supported GPO-based access control to a specific machine, you can create a new OU in the AD domain, move the machine to the OU, and then link the GPO to this OU.
23.1. Configuring GPO-Based Access Control
GPO-based access control can be configured in the /etc/sssd/sssd.conf file. The ad_gpo_access_control option specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
- The permissive value specifies that GPO-based access control is evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
- The enforcing value specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
- The disabled value specifies that GPO-based access control is neither evaluated nor enforced.
Important
Before starting to use GPO-based access control and setting ad_gpo_access_control to enforcing mode, it is recommended to first set ad_gpo_access_control to permissive mode and examine the logs. By reviewing the syslog messages, you can test and adjust the current GPO settings as necessary before finally switching to enforcing mode.
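The staged rollout above (permissive first, enforcing only after the logs look right) is easy to get wrong across several AD domains, because an unset ad_gpo_access_control silently means permissive. The following audit script is an added example, not part of this chapter or of SSSD itself; it parses an sssd.conf with Python's configparser and reports each domain's GPO mode. It assumes access_provider = ad is what selects the AD access provider (otherwise the ad_gpo_* options have no effect) and uses a constructed sample configuration.

```python
"""Audit the GPO-based access control mode of every AD domain in an sssd.conf."""
import configparser

VALID_MODES = {"permissive", "enforcing", "disabled"}
DEFAULT_MODE = "permissive"  # sssd-ad(5): evaluated but not enforced when unset

# Constructed sample sssd.conf: one domain enforcing, one disabled, one unset.
SAMPLE_CONF = """\
[sssd]
domains = corp.example.com, lab.example.com, test.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_cache_timeout = 5

[domain/lab.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = disabled

[domain/test.example.com]
id_provider = ad
access_provider = simple
"""


def audit_gpo_access(conf_text):
    """Return {domain: (mode, [findings])} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        findings = []
        # The ad_gpo_* options are only honoured by the AD access provider.
        if opts.get("access_provider", "").strip().lower() != "ad":
            findings.append("access_provider is not 'ad': ad_gpo_* options are ignored")
        raw = opts.get("ad_gpo_access_control")
        mode = DEFAULT_MODE if raw is None else raw.strip().lower()
        if raw is None:
            findings.append("ad_gpo_access_control unset: defaults to permissive")
        elif mode not in VALID_MODES:
            findings.append("unknown ad_gpo_access_control value %r" % raw)
        if mode == "permissive":
            findings.append("permissive: review syslog denials before enforcing")
        elif mode == "disabled":
            findings.append("disabled: logon rights neither evaluated nor enforced")
        report[section[len("domain/"):]] = (mode, findings)
    return report
```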
The following parameters related to GPO-based access control can also be specified in the sssd.conf file:
- The ad_gpo_map_* options and the ad_gpo_default_right option configure which PAM services are mapped to specific Windows logon rights.
- The ad_gpo_cache_timeout option specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.