2.6. Group Policy Object Access Control
Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in Active Directory (AD) environments. A group policy object (GPO) is a collection of policy settings that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users. GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments.
2.6.1. How SSSD Works with GPO Access Control
When you configure SSSD to apply GPO access control, SSSD retrieves GPOs applicable to host systems and AD users. Based on the retrieved GPO configuration, SSSD determines if a user is allowed to log in to a particular host. This enables the administrator to define login policies honored by both Linux and Windows clients centrally on the AD domain controller.
Security filtering is a feature that enables you to further limit the scope of GPO access control to specific users, groups, or hosts by listing them in the security filter. However, SSSD only supports users and groups in the security filter. SSSD ignores host entries in the security filter.
To ensure that SSSD applies the GPO access control to a specific system, create a new OU in the AD domain, move the system to the OU, and then link the GPO to this OU.
2.6.2. GPO Settings Supported by SSSD
Table 2.2. GPO access control options retrieved by SSSD
|GPO option [a]|| Corresponding |
Allow log on locally
Deny log on locally
Allow log on through Remote Desktop Services
Deny log on through Remote Desktop Services
Access this computer from the network
Deny access to this computer from the network
Allow log on as a batch job
Deny log on as a batch job
Allow log on as a service
Deny log on as a service
[a] As named in the Group Policy Management Editor on Windows.
[b] See the sssd-ad(5) man page for details about these options and for lists of pluggable authentication module (PAM) services to which the GPO options are mapped by default.
2.6.3. Configuring GPO-based Access Control for SSSD
GPO-based access control can be configured in the
ad_gpo_access_controloption specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
permissivevalue specifies that GPO-based access control is evaluated but not enforced; a
syslogmessage is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
enforcingvalue specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
disabledvalue specifies that GPO-based access control is neither evaluated nor enforced.
Before starting to use the GPO-based access control and setting
ad_gpo_access_controlto enforcing mode, it is recommended to ensure that
ad_gpo_access_controlis set to permissive mode and examine the logs. By reviewing the
syslogmessages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
The following parameters related to the GPO-based access control can also be specified in the
ad_gpo_map_*options and the
ad_gpo_default_rightoption configure which PAM services are mapped to specific Windows logon rights.To add a PAM service to the default list of PAM services mapped to a specific GPO setting, or to remove the service from the list, use the
ad_gpo_map_*options. For example, to remove the
suservice from the list of PAM services mapped to interactive login (GPO settings Allow log on locally and Deny log on locally):
ad_gpo_map_interactive = -su
ad_gpo_cache_timeoutoption specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.
2.6.4. Additional Resources
- For more details on configuring SSSD to work with GPOs, see Configure SSSD to respect Active Directory SSH or Console/GUI GPOs in Red Hat Knowledgebase.