3.7. Managing Login Permissions for Domain Users

By default, domain-side access control is applied, which means that login policies for domain users are defined and enforced in the domain itself. This default behavior can be overridden so that client-side access control is used instead. With client-side access control, login permissions are defined only by local policies on the client.
If a domain applies client-side access control, you can use the realmd system to configure basic allow or deny access rules for users from that domain. Note that these access rules either allow or deny access to all services on the system; they cannot be scoped to a single service. More specific access rules must be set on the particular system resource or in the domain.
To set the access rules, use the following two commands:
realm deny
The realm deny command denies access to all users within the domain. Use this command with the --all option (realm deny --all). To deny access to individual users rather than the whole domain, use realm permit -x as described below.
realm permit
The realm permit command can be used to:
  • grant access to all users by using the --all option, for example:
    $ realm permit --all
  • grant access to specified users, for example:
    $ realm permit user@example.com
    $ realm permit 'AD.EXAMPLE.COM\user'
    
  • deny access to specified users by using the -x option, for example:
    $ realm permit -x 'AD.EXAMPLE.COM\user'
Note that allowing access currently only works for users in primary domains, not for users in trusted domains. This is because, although user logins must contain the domain name, SSSD currently cannot provide realmd with information about the available subdomains, so realmd cannot resolve a login from a trusted domain.

Important

It is safer to allow access only to specifically selected users or groups than to deny access to some users while enabling it for everyone else. A deny list has to name every unwanted account and fails open for any account it does not name, including accounts created after the list was written. Therefore, it is not recommended to allow access to all users by default and only deny it to specified users with realm permit -x. Instead, Red Hat recommends maintaining a default no-access policy for all users and granting access only to selected users with realm permit.
For more information about the realm deny and realm permit commands, see the realm(8) man page.
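The following script is an added example and is not part of the Red Hat documentation or of the realmd project. It applies the recommended default-deny policy (realm deny --all followed by realm permit for each selected user) and then audits the result by parsing the login-policy and permitted-logins lines that realm list prints. It assumes a host that is already joined with realm join, the placeholder domain ad.example.com with the placeholder users user@ad.example.com and admin@ad.example.com, and the login-policy values realmd reports (allow-any-login, allow-realm-logins, allow-permitted-logins, deny-any-login). The realm list output embedded in the script is constructed for the example, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the Red Hat page or realmd): apply the
# recommended default-deny login policy and audit it with `realm list`.
# Assumptions: the host is already joined with `realm join`; the domain
# ad.example.com and the user names are placeholders.

set -u

# Apply the policy the page recommends: deny every domain user, then
# permit only the logins given as arguments (e.g. user@ad.example.com).
# Must run as root on a joined host; not invoked automatically below.
apply_default_deny() {
    realm deny --all || return 1
    for login in "$@"; do
        realm permit "$login" || return 1
    done
}

# Print the value of the login-policy line from `realm list` output on stdin.
# realmd reports one of: allow-any-login, allow-realm-logins,
# allow-permitted-logins, deny-any-login.
login_policy_of() {
    sed -n 's/^[[:space:]]*login-policy:[[:space:]]*//p' | head -n 1
}

# Return 0 when the policy is restrictive (domain users are denied unless
# explicitly permitted), 1 when any domain user may log in.
policy_is_restrictive() {
    case "$1" in
        allow-permitted-logins|deny-any-login) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the explicitly permitted logins, one per line, from `realm list`
# output on stdin (the permitted-logins line is assumed space-separated).
permitted_logins_of() {
    sed -n 's/^[[:space:]]*permitted-logins:[[:space:]]*//p' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# Audit one `realm list` output (passed as a string): succeed only when the
# policy is restrictive, and list who is permitted.
audit_realm_list() {
    local policy
    policy=$(printf '%s\n' "$1" | login_policy_of)
    if policy_is_restrictive "$policy"; then
        echo "OK: login-policy is $policy"
        printf '%s\n' "$1" | permitted_logins_of | sed 's/^/  permitted: /'
        return 0
    fi
    echo "WARNING: login-policy is $policy; every domain user can log in" >&2
    return 1
}

# Constructed sample of `realm list` output after `realm deny --all` and
# `realm permit user@ad.example.com admin@ad.example.com` (not captured
# from a real host).
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@ad.example.com
  login-policy: allow-permitted-logins
  permitted-logins: user@ad.example.com admin@ad.example.com
  permitted-groups: '

# With --live on a joined host, audit the real configuration; otherwise
# demonstrate the audit on the constructed sample.
if [ "${1:-}" = "--live" ] && command -v realm >/dev/null 2>&1; then
    audit_realm_list "$(realm list)"
else
    audit_realm_list "$SAMPLE_REALM_LIST"
fi
```

Run the script with --live on a joined host to check the real configuration; the audit fails (exit status 1) when the policy is allow-realm-logins or allow-any-login, which is the state realm permit --all leaves behind, so it can be used as a compliance check in configuration management.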