On 10/10/19 11:43 AM, Emil Petersson wrote:
Ok, thanks, that explains it.
All I want is a way to make sure that a user to whom I have not explicitly allowed access is denied. In other words... the default behaviour for all logins should always be DENY, regardless of the number of GPOs found. Obviously, a GPO that does contain access control rules should override this default behaviour.
Right now we are forced to fall back to either "access_provider=simple" or "ad_access_filter" just to make sure that the default behaviour for logins is DENY, which unfortunately defeats the whole idea of using GPO for access control.
Any advice on how to achieve my desired functionality is appreciated.
Thanks!
Currently your only way is to actually define the GPO on the AD server. I would probably put it to a separate GPO, something like access_control_gpo and define these rules there:
  Allow log on locally
  Allow log on through Remote Desktop Services
  Allow log on as a service
  Allow log on as a batch job
  Access this computer from the network
Define these rules and put the Administrators group in all of them. Then you can add whatever user/group you want to log in (you are probably mostly interested in "Allow log on locally" and "Allow log on through Remote Desktop Services" if you are using the default PAM to GPO rule mapping, but it is still better to define all these rules explicitly if you really want a complete whitelist on the server).
Or alternatively make all GPOs on the server not applicable to the SSSD host (but I agree that this is kind of a clumsy solution if you have many GPOs, so it is better to go with the above and define the policies).
Regarding SSSD side options. Maybe we should add a stronger mode for ad_gpo_implicit_deny to "only allow explicitly allowed" users/groups, not only deny access if there are no applicable GPOs. I think such an option would be a good hardening option, but it would basically ignore all Deny rules on the server (OTOH if someone wants to allow only whitelisted users/groups they would not use deny rules, so that is actually not a problem). Will you file an RFE or should I? Feel free to copy-paste this discussion to the ticket.
Michal
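The following is an added example, not code from the thread or from the SSSD project. It shows the "complete whitelist" GPO Michal describes from the SSSD side of the wire: SSSD reads the user-rights assignments from the GPO's GptTmpl.inf in SYSVOL, where the five "Allow ..." policies appear under [Privilege Rights] as SeInteractiveLogonRight, SeRemoteInteractiveLogonRight, SeServiceLogonRight, SeBatchLogonRight and SeNetworkLogonRight, each holding a comma-separated list of SIDs prefixed with "*". The script parses that section, audits that every one of the five allow rights is defined and contains BUILTIN\Administrators (well-known SID S-1-5-32-544), and classifies a principal against a right with deny-wins semantics. The template text, the domain SIDs in it and the helper names are constructed for the example; the script assumes the file has already been read and decoded to str (real GptTmpl.inf files are UTF-16LE). What SSSD does with a principal that matches neither an allow nor a deny entry is exactly the ad_gpo_implicit_deny question in the thread, so the classifier reports that case as "unmatched" rather than deciding it.

```python
"""Audit a GPO security template (GptTmpl.inf) for an explicit logon
whitelist and classify principals against its logon rights.

Added example, not SSSD code.  Assumptions (not from the original post):
  - file content is already decoded to str (SYSVOL copies are UTF-16LE);
  - SAMPLE_GPTTMPL is a constructed template standing in for Michal's
    "access_control_gpo"; its S-1-5-21-... SIDs are made up, only
    S-1-5-32-544 (BUILTIN\\Administrators) is a real well-known SID.
"""
import configparser
from typing import Dict, List, Set

ADMINISTRATORS_SID = "S-1-5-32-544"

# "Allow ..." policy names from the thread -> privilege constants as they
# appear under [Privilege Rights] in GptTmpl.inf.
ALLOW_RIGHTS = {
    "Allow log on locally": "SeInteractiveLogonRight",
    "Allow log on through Remote Desktop Services": "SeRemoteInteractiveLogonRight",
    "Log on as a service": "SeServiceLogonRight",
    "Log on as a batch job": "SeBatchLogonRight",
    "Access this computer from the network": "SeNetworkLogonRight",
}

# Matching "Deny ..." privileges.  A deny match wins over an allow match.
DENY_FOR = {
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",
    "SeServiceLogonRight": "SeDenyServiceLogonRight",
    "SeBatchLogonRight": "SeDenyBatchLogonRight",
    "SeNetworkLogonRight": "SeDenyNetworkLogonRight",
}

# Constructed template, deliberately incomplete so the audit has findings:
# the batch right is missing and the network right lacks Administrators.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-21-1111-2222-3333-1106
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-1105
"""


def parse_privilege_rights(text: str) -> Dict[str, Set[str]]:
    """Return {privilege name: set of SIDs} from the [Privilege Rights] section.

    Values are comma-separated entries, each SID prefixed with '*'.  Entries
    that are not SIDs (unresolved account names) are kept verbatim.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(text)
    rights: Dict[str, Set[str]] = {}
    if not cp.has_section("Privilege Rights"):
        return rights
    for name, value in cp.items("Privilege Rights"):
        rights[name] = {tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()}
    return rights


def audit_whitelist(rights: Dict[str, Set[str]],
                    anchor_sid: str = ADMINISTRATORS_SID) -> List[str]:
    """Findings for the complete whitelist: every allow right must be
    defined explicitly and must contain the anchor (Administrators) group."""
    findings: List[str] = []
    for policy, right in ALLOW_RIGHTS.items():
        if right not in rights:
            findings.append(f"{policy} ({right}) is not defined: no explicit allow list")
        elif anchor_sid not in rights[right]:
            findings.append(f"{policy} ({right}) does not include {anchor_sid}")
    return findings


def evaluate(rights: Dict[str, Set[str]], right: str, principal_sids: Set[str]) -> str:
    """Classify a principal (its user SID plus group SIDs) against one right.

    'deny' if any SID is on the matching Deny right, 'allow' if any SID is on
    the allow right, otherwise 'unmatched' (the ad_gpo_implicit_deny case,
    which this function deliberately does not decide).
    """
    if principal_sids & rights.get(DENY_FOR[right], set()):
        return "deny"
    if principal_sids & rights.get(right, set()):
        return "allow"
    return "unmatched"


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_GPTTMPL)
    for finding in audit_whitelist(parsed):
        print("FINDING:", finding)
    # Constructed principal: user RID 1105 plus Domain Users (RID 513).
    user = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-513"}
    for right in ALLOW_RIGHTS.values():
        print(f"{right:32} {evaluate(parsed, right, user)}")
```

On the SSSD side this GPO only takes effect with access_provider = ad and ad_gpo_access_control = enforcing; which PAM service lands on which right is controlled by the ad_gpo_map_interactive, ad_gpo_map_remote_interactive, ad_gpo_map_batch, ad_gpo_map_service and ad_gpo_map_network options, whose defaults (for example login and the display managers on the interactive right, sshd on the remote interactive right, crond on the batch right) are listed in sssd-ad(5) for the installed version. Running the audit against the real template (after decoding it from UTF-16LE) before switching enforcement on is a cheap way to catch the "rule not defined at all" case that the thread is about.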