Red Hat Training

A Red Hat training course is available for Red Hat Linux

2.5. Group Policy Object Access Control

Group Policy is a Microsoft Windows feature that enables administrators to centrally manage policies for users and computers in Active Directory (AD) environments. A group policy object (GPO) is a collection of policy settings that are stored on a domain controller (DC) and can be applied to policy targets, such as computers and users. GPO policy settings related to Windows logon rights are commonly used to manage computer-based access control in AD environments.

2.5.1. How SSSD Works with GPO Access Control

When you configure SSSD to apply GPO access control, SSSD retrieves GPOs applicable to host systems and AD users. Based on the retrieved GPO configuration, SSSD determines if a user is allowed to log in to a particular host. This enables the administrator to define login policies honored by both Linux and Windows clients centrally on the AD domain controller.

Important

Security filtering is a feature that enables you to further limit the scope of GPO access control to specific users, groups, or hosts by listing them in the security filter. However, SSSD only supports users and groups in the security filter. SSSD ignores host entries in the security filter.
To ensure that SSSD applies the GPO access control to a specific system, create a new OU in the AD domain, move the system to the OU, and then link the GPO to this OU.

2.5.2. GPO Settings Supported by SSSD

Table 2.2. GPO access control options retrieved by SSSD

GPO option [a] Corresponding sssd.conf option [b]
Allow log on locally
Deny log on locally
ad_gpo_map_interactive
Allow log on through Remote Desktop Services
Deny log on through Remote Desktop Services
ad_gpo_map_remote_interactive
Access this computer from the network
Deny access to this computer from the network
ad_gpo_map_network
Allow log on as a batch job
Deny log on as a batch job
ad_gpo_map_batch
Allow log on as a service
Deny log on as a service
ad_gpo_map_service
[a] As named in the Group Policy Management Editor on Windows.
[b] See the sssd-ad(5) man page for details about these options and for lists of pluggable authentication module (PAM) services to which the GPO options are mapped by default.

2.5.3. Configuring GPO-based Access Control for SSSD

GPO-based access control can be configured in the /etc/sssd/sssd.conf file. The ad_gpo_access_control option specifies the mode in which the GPO-based access control runs. It can be set to the following values:
ad_gpo_access_control = permissive
The permissive value specifies that GPO-based access control is evaluated but not enforced; a syslog message is recorded every time access would be denied. This is the default setting.
ad_gpo_access_control = enforcing
The enforcing value specifies that GPO-based access control is evaluated and enforced.
ad_gpo_access_control = disabled
The disabled value specifies that GPO-based access control is neither evaluated nor enforced.

Important

Before starting to use the GPO-based access control and setting ad_gpo_access_control to enforcing mode, it is recommended to ensure that ad_gpo_access_control is set to permissive mode and examine the logs. By reviewing the syslog messages, you can test and adjust the current GPO settings as necessary before finally setting the enforcing mode.
The following parameters related to the GPO-based access control can also be specified in the sssd.conf file:
  • The ad_gpo_map_* options and the ad_gpo_default_right option configure which PAM services are mapped to specific Windows logon rights.
    To add a PAM service to the default list of PAM services mapped to a specific GPO setting, or to remove the service from the list, use the ad_gpo_map_* options. For example, to remove the su service from the list of PAM services mapped to interactive login (GPO settings Allow log on locally and Deny log on locally):
    ad_gpo_map_interactive = -su
  • The ad_gpo_cache_timeout option specifies the interval during which subsequent access control requests can reuse the files stored in the cache, instead of retrieving them from the DC anew.
For a detailed list of available GPO parameters as well as their descriptions and default values, see the sssd-ad(5) man page.

2.5.4. Additional Resources