3.7. Managing Login Permissions for Domain Users
By default, domain-side access control is applied, which means that login policies for domain users are defined in the domain itself. This default behavior can be overridden so that client-side access control is used. With client-side access control, login permissions are defined by local policies only.
If a domain applies client-side access control, you can use the realmd system to configure basic allow or deny access rules for users from that domain. Note that these access rules either allow or deny access to all services on the system. More specific access rules must be set on a specific system resource or in the domain.
To set the access rules, use the following two commands:

realm deny
    The realm deny command simply denies access to all users within the domain. Use this command with the --all option.

realm permit
    The realm permit command can be used to:
    - grant access to all users by using the --all option, for example:
      $ realm permit --all
    - grant access to specified users, for example:
      $ realm permit user@example.com
      $ realm permit 'AD.EXAMPLE.COM\user'
    - deny access to specified users by using the -x option, for example:
      $ realm permit -x 'AD.EXAMPLE.COM\user'
Note that allowing access currently only works for users in primary domains, not for users in trusted domains. This is because while user logins must contain the domain name, SSSD currently cannot provide realmd with information about available child domains.
Important

It is safer to only allow access to specifically selected users or groups than to deny access to some while enabling it for everyone else. Therefore, it is not recommended to allow access to all by default and only deny it to specified users with realm permit -x. Instead, Red Hat recommends maintaining a default no-access policy for all users and only granting access to selected users using realm permit.
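The deny-by-default policy recommended above, as an added shell example that is not part of the Red Hat documentation: one function applies realm deny --all and then realm permit for each selected user, and a second function audits the login-policy line that realm list prints, reporting "open" when the value is allow-any-login or allow-realm-logins (every domain user can log in), "locked" when nobody is permitted, and "restricted" only when the policy is allow-permitted-logins with a non-empty permit list. The policy value names are the ones realmd reports; the realm name, user names and the sample realm list output embedded below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation. The realm, the user
# names and the sample 'realm list' output below are constructed placeholders.
set -eu

# Apply the recommended policy: deny every domain user first, then permit only
# the users given as arguments. Needs root on a joined client; not run here.
apply_deny_by_default() {
    realm deny --all
    for user in "$@"; do
        realm permit "$user"
    done
}

# Audit 'realm list' output read from stdin. Prints one verdict word and
# returns 0 only for "restricted" (allow-permitted-logins with a non-empty
# permitted list). The policy names are the values realmd reports.
audit_login_policy() {
    input=$(cat)
    policy=$(printf '%s\n' "$input" \
        | sed -n 's/^[[:space:]]*login-policy:[[:space:]]*//p' | head -n 1)
    # Collapse permitted-logins and permitted-groups into one token string;
    # an empty string means nobody is actually permitted.
    entries=$(printf '%s\n' "$input" \
        | grep -E '^[[:space:]]*permitted-(logins|groups):' \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]')
    case "$policy" in
        # every domain user can log in: the state the note warns against
        allow-any-login|allow-realm-logins)
            echo "open"; return 1 ;;
        # nobody can log in
        deny-any-login)
            echo "locked"; return 1 ;;
        allow-permitted-logins)
            if [ -n "$entries" ]; then
                echo "restricted"; return 0
            else
                # permit list still empty, so effectively deny-all
                echo "locked"; return 1
            fi ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Audit the realm this client is actually joined to.
audit_joined_realm() {
    realm list | audit_login_policy
}

# Constructed sample outputs in the layout 'realm list' prints.
SAMPLE_RESTRICTED='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  login-policy: allow-permitted-logins
  permitted-logins: alice@ad.example.com, bob@ad.example.com
  permitted-groups:'
SAMPLE_OPEN='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  login-policy: allow-realm-logins
  permitted-logins:
  permitted-groups:'
SAMPLE_LOCKED='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups:'

# Usage on a joined client: realm list | audit_login_policy
# Run the audit over the constructed samples (prints restricted, open, locked).
for sample in "$SAMPLE_RESTRICTED" "$SAMPLE_OPEN" "$SAMPLE_LOCKED"; do
    printf '%s\n' "$sample" | audit_login_policy || true
done
```

The audit deliberately treats allow-realm-logins (the realmd default) the same as allow-any-login, because in both states every user in the domain can log in and no explicit permit list is in force; a compliance check can therefore fail a host that has never had realm deny --all applied.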
For more information about the realm deny and realm permit commands, see the realm(8) man page.