Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

4.6. Applying Group Policy Object access control in RHEL

A Group Policy Object (GPO) is a collection of access control settings stored in Microsoft Active Directory (AD) that can apply to computers and users in an AD environment. By specifying GPOs in AD, administrators can define login policies honored by both Windows clients and Red Hat Enterprise Linux (RHEL) hosts joined to AD.

4.6.1. How SSSD interprets GPO access control rules
复制链接

By default, SSSD retrieves Group Policy Objects (GPOs) from Active Directory (AD) domain controllers and evaluates them to determine if a user is allowed to log in to a particular RHEL host joined to AD.

SSSD maps AD Windows Logon Rights to Pluggable Authentication Module (PAM) service names to enforce those permissions in a GNU/Linux environment.

As an AD Administrator, you can limit the scope of GPO rules to specific users, groups, or hosts by listing them in a security filter.

Limitations on filtering by groups
SSSD currently does not support Active Directory’s built-in groups, such as Administrators with Security Identifier (SID) S-1-5-32-544. Red Hat recommends against using AD built-in groups in AD GPOs targeting RHEL hosts.

4.6.2. List of GPO settings that SSSD supports
复制链接

The following table shows the SSSD options that correspond to Active Directory GPO options as specified in the Group Policy Management Editor on Windows.

Expand
表 4.1. GPO access control options retrieved by SSSD
GPO optionCorresponding sssd.conf option

Allow log on locally

Deny log on locally

ad_gpo_map_interactive

Allow log on through Remote Desktop Services

Deny log on through Remote Desktop Services

ad_gpo_map_remote_interactive

Access this computer from the network

Deny access to this computer from the network

ad_gpo_map_network

Allow log on as a batch job

Deny log on as a batch job

ad_gpo_map_batch

Allow log on as a service

Deny log on as a service

ad_gpo_map_service

4.6.3. List of SSSD options to control GPO enforcement
复制链接

You can set the following SSSD options to limit the scope of GPO rules.

The ad_gpo_access_control option
You can set the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to choose between three different modes in which GPO-based access control operates.
Expand
表 4.2. Table of ad_gpo_access_control values
Value of ad_gpo_access_controlBehavior

enforcing

GPO-based access control rules are evaluated and enforced. This is the default setting in RHEL 8.

permissive

GPO-based access control rules are evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting in RHEL 7. This mode is ideal for testing policy adjustments while allowing users to continue logging in.

disabled

GPO-based access control rules are neither evaluated nor enforced.

The ad_gpo_implicit_deny option
The ad_gpo_implicit_deny option is set to False by default. In this default state, users are allowed access if applicable GPOs are not found. If you set this option to True, you must explicitly allow users access with a GPO rule.

You can use this feature to harden security, but be careful not to deny access unintentionally. Red Hat recommends testing this feature while ad_gpo_access_control is set to permissive.

The following two tables illustrate when a user is allowed or rejected access based on the allow and deny login rights defined on the AD server-side and the value of ad_gpo_implicit_deny.

Expand
表 4.3. Login behavior with ad_gpo_implicit_deny set to False (default)
allow-rulesdeny-rulesresult

missing

missing

all users are allowed

missing

present

only users not in deny-rules are allowed

present

missing

only users in allow-rules are allowed

present

present

only users in allow-rules and not in deny-rules are allowed

Expand
表 4.4. Login behavior with ad_gpo_implicit_deny set to True
allow-rulesdeny-rulesresult

missing

missing

no users are allowed

missing

present

no users are allowed

present

missing

only users in allow-rules are allowed

present

present

only users in allow-rules and not in deny-rules are allowed

4.6.4. Changing the GPO access control mode
复制链接

This procedure changes how GPO-based access control rules are evaluated and enforced on a RHEL host joined to an Active Directory (AD) environment.

In this example, you will change the GPO operation mode from enforcing (the default) to permissive for testing purposes.

重要

If you see the following errors, Active Directory users are unable to log in due to GPO-based access controls:

  • In /var/log/secure: 

    Oct 31 03:00:13 client1 sshd[124914]: pam_sss(sshd:account): Access denied for user aduser1: 6 (Permission denied)
Oct 31 03:00:13 client1 sshd[124914]: Failed password for aduser1 from 127.0.0.1 port 60509 ssh2
Oct 31 03:00:13 client1 sshd[124914]: fatal: Access denied for user aduser1 by PAM account configuration [preauth]

  • In /var/log/sssd/sssd__example.com_.log: 

    (Sat Oct 31 03:00:13 2020) [sssd[be[example.com]]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158236](Host Access Denied)
(Sat Oct 31 03:00:13 2020) [sssd[be[example.com]]] [ad_gpo_cse_done] (0x0040): HBAC processing failed: [1432158236](Host Access Denied}
(Sat Oct 31 03:00:13 2020) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

If this is undesired behavior, you can temporarily set ad_gpo_access_control to permissive as described in this procedure while you troubleshoot proper GPO settings in AD.

Prerequisites

  • You have joined a RHEL host to an AD environment using SSSD.
  • Editing the /etc/sssd/sssd.conf configuration file requires root permissions.

Procedure

  1. Stop the SSSD service. 

    [root@server ~]# systemctl stop sssd
  2. Open the /etc/sssd/sssd.conf file in a text editor.

  3. Set ad_gpo_access_control to permissive in the domain section for the AD domain. 

    [domain/example.com]
ad_gpo_access_control=permissive
...
  4. Save the /etc/sssd/sssd.conf file.

  5. Restart the SSSD service to load configuration changes. 

    [root@server ~]# systemctl restart sssd

A Group Policy Object (GPO) is a collection of access control settings stored in Microsoft Active Directory (AD) that can apply to computers and users in an AD environment. The following procedure creates a GPO in the AD graphical user interface (GUI) to control logon access to a RHEL host that is integrated directly to the AD domain.

Prerequisites

  • You have joined a RHEL host to an AD environment using SSSD.
  • You have AD Administrator privileges to make changes in AD using the GUI.

Procedure

  1. Within Active Directory Users and Computers, create an Organizational Unit (OU) to associate with the new GPO:

    1. Right-click the domain.
    2. Choose New.
    3. Choose Organizational Unit.
  2. Click the name of the Computer Object that represents the RHEL host (created when it joined Active Directory) and drag it into the new OU. By having the RHEL host in its own OU, the GPO targets this host.

  3. Within the Group Policy Management Editor, create a new GPO for the OU you created:

    1. Expand Forest.
    2. Expand Domains.
    3. Expand your domain.
    4. Right-click the new OU.
    5. Choose Create a GPO in this domain.
  4. Specify a name for the new GPO, such as Allow SSH access or Allow Console/GUI access and click OK.

  5. Edit the new GPO:

    1. Select the OU within the Group Policy Management Editor.
    2. Right-click and choose Edit.
    3. Select User Rights Assignment.
    4. Select Computer Configuration.
    5. Select Policies.
    6. Select Windows Settings.
    7. Select Security Settings.
    8. Select Local Policies.
    9. Select User Rights Assignment.

  6. Assign login permissions:

    1. Double-Click Allow log on locally to grant local console/GUI access.
    2. Double-click Allow log on through Remote Desktop Services to grant SSH access.

  7. Add the user(s) you want to access either of these policies to the policies themselves:

    1. Click Add User or Group.
    2. Enter the username within the blank field.
    3. Click OK.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部