3.7. Managing Login Permissions for Domain Users
By default, domain-side access control is applied, which means that login policies for domain users are defined in the domain itself. This default behavior can be overridden so that client-side access control is used. With client-side access control, login permissions are defined by local policies only.
If a domain applies client-side access control, you can use the realmd system to configure basic allow or deny access rules for users from that domain. Note that these access rules either allow or deny access to all services on the system. More specific access rules must be set on a specific system resource or in the domain.
To set the access rules, use the following two commands:
realm deny
The realm deny command simply denies access to all users within the domain. Use this command with the --all option.
realm permit
The realm permit command can be used to:
- grant access to all users by using the --all option, for example:
$ realm permit --all
- grant access to specified users, for example:
$ realm permit firstname.lastname@example.org
$ realm permit 'AD.EXAMPLE.COM\user'
- deny access to specified users by using the -x option, for example:
$ realm permit -x 'AD.EXAMPLE.COM\user'
Note that allowing access currently only works for users in primary domains, not for users in trusted domains. This is because while user logins must contain the domain name, SSSD currently cannot provide realmd with information about available child domains.
It is safer to allow access only to specifically selected users or groups than to deny access to some users while enabling it for everyone else. Therefore, it is not recommended to allow access to all users by default and only deny it to specified users with realm permit -x. Instead, Red Hat recommends maintaining a default no-access policy for all users and granting access only to selected users with realm permit.
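The recommended order of operations (deny everyone, then permit named users), as an added shell example that is not part of the Red Hat documentation or of realmd itself. It assumes realm(8) is on PATH (the REALM variable, which lets you point it at a stub for a dry run, and the one-login-per-line list file are this example's own conventions). Every entry is validated as domain-qualified before any realm command runs, because logins must contain the domain name; a malformed list therefore fails closed without changing the current policy.

```shell
#!/bin/sh
# Added example, not code from the Red Hat page or from realmd: apply the
# recommended "deny everyone, then permit named users" policy from a file.
# Assumptions: realm(8) is on PATH (set REALM to a stub to dry-run); the file
# lists one login per line as user@domain or 'DOMAIN\user'.
: "${REALM:=realm}"

# valid_login LOGIN: succeed only for domain-qualified logins, because realmd
# needs the domain in the name (a bare "alice" would not match any user).
valid_login() {
    case $1 in
        *@?*|?*\\?*) return 0 ;;   # user@domain or DOMAIN\user
        *) return 1 ;;
    esac
}

# apply_allowlist FILE: validate every entry first (so a typo fails closed
# before any policy changes), then run `realm deny --all` followed by one
# `realm permit` per entry. Blank lines and '#' comments are skipped.
# Returns 2 on a malformed list, 1 if a realm command fails, 0 on success.
apply_allowlist() {
    list=$1
    while IFS= read -r login || [ -n "$login" ]; do
        case $login in ''|'#'*) continue ;; esac
        if ! valid_login "$login"; then
            echo "apply_allowlist: '$login' is not domain-qualified" >&2
            return 2
        fi
    done < "$list"

    "$REALM" deny --all || return 1
    while IFS= read -r login || [ -n "$login" ]; do
        case $login in ''|'#'*) continue ;; esac
        "$REALM" permit "$login" || return 1
    done < "$list"
}
```

Run it as `apply_allowlist /path/to/allowed-logins` on the joined client, then confirm the result with `realm list`, which reports the current login policy for each domain. Denying first and permitting second matters: if the script stopped halfway through, the host would be left in the no-access state rather than with everyone permitted.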
For more information about the realm deny and realm permit commands, see the realm(8) man page.