2.6. Group Policy Object Access Control
Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in Active Directory (AD) environments. A group policy object (GPO) is a collection of policy settings that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users. GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments.
2.6.1. How SSSD Works with GPO Access Control
When you configure SSSD to apply GPO access control, SSSD retrieves GPOs applicable to host systems and AD users. Based on the retrieved GPO configuration, SSSD determines if a user is allowed to log in to a particular host. This enables the administrator to define login policies honored by both Linux and Windows clients centrally on the AD domain controller.
Important
Security filtering is a feature that enables you to further limit the scope of GPO access control to specific users, groups, or hosts by listing them in the security filter. However, SSSD only supports users and groups in the security filter. SSSD ignores host entries in the security filter.
To ensure that SSSD applies the GPO access control to a specific system, create a new OU in the AD domain, move the system to the OU, and then link the GPO to this OU.
2.6.2. GPO Settings Supported by SSSD
| GPO option [a] | Corresponding sssd.conf option [b] |
|---|---|
| Allow log on locally / Deny log on locally | ad_gpo_map_interactive |
| Allow log on through Remote Desktop Services / Deny log on through Remote Desktop Services | ad_gpo_map_remote_interactive |
| Access this computer from the network / Deny access to this computer from the network | ad_gpo_map_network |
| Allow log on as a batch job / Deny log on as a batch job | ad_gpo_map_batch |
| Allow log on as a service / Deny log on as a service | ad_gpo_map_service |

[a] As named in the Group Policy Management Editor on Windows.
[b] See the sssd-ad(5) man page for details about these options and for lists of pluggable authentication module (PAM) services to which the GPO options are mapped by default.
2.6.3. Configuring GPO-based Access Control for SSSD
GPO-based access control can be configured in the /etc/sssd/sssd.conf file. The ad_gpo_access_control option specifies the mode in which the GPO-based access control runs. It can be set to the following values:
- ad_gpo_access_control = permissive: The permissive value specifies that GPO-based access control is evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting.
- ad_gpo_access_control = enforcing: The enforcing value specifies that GPO-based access control is evaluated and enforced.
- ad_gpo_access_control = disabled: The disabled value specifies that GPO-based access control is neither evaluated nor enforced.
Important
Before starting to use GPO-based access control and setting ad_gpo_access_control to enforcing mode, it is recommended to first run with ad_gpo_access_control set to permissive mode and examine the logs. By reviewing the syslog messages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
The following parameters related to the GPO-based access control can also be specified in the sssd.conf file:
- The ad_gpo_map_* options and the ad_gpo_default_right option configure which PAM services are mapped to specific Windows logon rights. To add a PAM service to the default list of PAM services mapped to a specific GPO setting, or to remove the service from the list, use the ad_gpo_map_* options. For example, to remove the su service from the list of PAM services mapped to interactive login (GPO settings Allow log on locally and Deny log on locally):
  ad_gpo_map_interactive = -su
- The ad_gpo_cache_timeout option specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.
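As an added example, not code from the original page or from the SSSD project, the following Python script parses a constructed sssd.conf fragment and works out which logon right SSSD would evaluate for a given PAM service after the +service / -service edits in the ad_gpo_map_* options are applied, with unmapped services falling back to ad_gpo_default_right. The default service sets embedded in ASSUMED_DEFAULTS are assumed, abbreviated lists; the authoritative defaults are in sssd-ad(5) and vary between SSSD versions.

```python
import configparser

# Constructed sssd.conf fragment using the options described in this section.
SAMPLE_SSSD_CONF = """
[domain/example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_interactive = -su, +my_login
ad_gpo_map_remote_interactive = +cockpit
ad_gpo_default_right = deny
"""

# Assumed, abbreviated defaults per logon right; authoritative lists are in sssd-ad(5).
ASSUMED_DEFAULTS = {
    "interactive": {"login", "su", "su-l", "gdm-password"},
    "remote_interactive": {"sshd"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
}

def _domain_section(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    for name in parser.sections():
        if name.startswith("domain/"):
            return parser[name]
    raise ValueError("no [domain/...] section found")

def effective_gpo_mapping(conf_text, defaults=ASSUMED_DEFAULTS):
    """Apply the +service / -service edits in ad_gpo_map_* to the default sets."""
    section = _domain_section(conf_text)
    mapping = {right: set(services) for right, services in defaults.items()}
    for right, services in mapping.items():
        for item in section.get(f"ad_gpo_map_{right}", "").replace(",", " ").split():
            if item.startswith("+"):
                services.add(item[1:])
            elif item.startswith("-"):
                services.discard(item[1:])
            else:  # sssd-ad(5) requires the +/- prefix; reject anything else
                raise ValueError(f"ad_gpo_map_{right}: '{item}' lacks a +/- prefix")
    return mapping

def right_for_service(conf_text, pam_service):
    """Logon right evaluated for a PAM service; unmapped ones use ad_gpo_default_right."""
    for right, services in effective_gpo_mapping(conf_text).items():
        if pam_service in services:
            return right
    return _domain_section(conf_text).get("ad_gpo_default_right", "deny").strip()
```

Running right_for_service against your real /etc/sssd/sssd.conf, with the default sets taken from your sssd-ad(5), shows which GPO logon right (or the deny fallback) will govern each PAM service before you switch from permissive to enforcing mode.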
2.6.4. Additional Resources
- For more details on configuring SSSD to work with GPOs, see Configure SSSD to respect Active Directory SSH or Console/GUI GPOs in Red Hat Knowledgebase.