Hi,
I am running sssd-1.16.4-21.el7.x86_64 (from the CR repo) on a CentOS 7 client. I authenticate to AD 2016 and control access to servers using GPO. For some reason, a completely unprivileged user in AD is allowed to log in, and I'd like to understand why.
Here's a sanitized sssd.conf:
[sssd]
domains = prd.domain.com
config_file_version = 2
services = nss, pam, sudo
full_name_format = %1$s
default_domain_suffix = prd.domain.com

[domain/prd.domain.com]
debug_level = 9
ad_domain = prd.domain.com
ad_site = XX1
ad_server = dc000.prd.domain.com, dc001.prd.domain.com
krb5_realm = PRD.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
ldap_sudo_search_base = DC=domain,DC=com
entry_cache_sudo_timeout = 10
enumerate = true
dyndns_update = false
ad_gpo_access_control = enforcing
ldap_idmap_default_domain_sid = S-1-5-21-6607581186-1994368826-2594857426
ldap_idmap_default_domain = prd.domain.com
ad_gpo_implicit_deny = true
auto_private_groups = true
ad_gpo_ignore_unreadable = true
When I try to SSH to the client using my unprivileged user, I am getting the following output from the SSSD debug:
[sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [*S-1-5-32-546]
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400): denied_sids[0] = S-1-5-32-546
... snip ...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400): access_granted = 1
[ad_gpo_access_check] (0x0400): access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.
I'm trying to understand why this user is being granted access. I find it especially confusing as there is clearly one deny sid and no allow sids detected. The wanted behaviour is that the user should be denied access as long as I've not explicitly allowed it in AD.
Thanks!
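As an added illustration (not part of the post above, and not SSSD's own code), the script below parses the ad_gpo_access_check lines from the debug output and re-evaluates the decision under two models of the allow/deny logic. The decide() function encodes the rule as I understand SSSD applies it: a principal is denied if its user SID or any group SID appears in the deny list; with a non-empty allow list it must also match an allowed SID; with an empty allow list it is granted unless implicit deny is in effect. Whether a given sssd build actually honours ad_gpo_implicit_deny is something to confirm against that build's sssd-ad(5) man page, which is why the flag is a parameter here rather than read from the config. The sample log lines are copied from the post; the parser and the decision model are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ad_gpo_access_check lines quoted in the post, one per line.
SAMPLE_LOG = """\
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400): denied_sids[0] = S-1-5-32-546
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
"""

# Matches "<name>[<idx>] = <value>" and "<name> = <value>" fields emitted by ad_gpo_access_check.
FIELD_RE = re.compile(
    r"\[ad_gpo_access_check\] \(0x[0-9a-fA-F]+\): (\w+)(?:\[\d+\])? = (\S+)"
)


@dataclass
class GpoCheck:
    """The principal and the resultant allow/deny lists for one access check."""
    user_sid: str = ""
    group_sids: list = field(default_factory=list)
    allowed_sids: list = field(default_factory=list)
    denied_sids: list = field(default_factory=list)


def parse_gpo_check(log: str) -> GpoCheck:
    """Collect the SID fields from debug lines; non-matching lines are ignored."""
    chk = GpoCheck()
    for line in log.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "user_sid":
            chk.user_sid = value
        elif key == "group_sids":
            chk.group_sids.append(value)
        elif key == "allowed_sids":
            chk.allowed_sids.append(value)
        elif key == "denied_sids":
            chk.denied_sids.append(value)
    return chk


def decide(chk: GpoCheck, implicit_deny: bool) -> bool:
    """Model of the GPO logon-right decision (assumption of this example).

    Returns True when access would be granted.
    """
    principals = {chk.user_sid, *chk.group_sids}
    denied = bool(principals & set(chk.denied_sids))
    if chk.allowed_sids:
        # A non-empty allow list must match the user or one of its groups.
        granted = bool(principals & set(chk.allowed_sids))
    else:
        # Empty allow list: no restriction unless implicit deny is in effect.
        granted = not implicit_deny
    return granted and not denied


def explain(log: str) -> dict:
    """Evaluate the logged check under both models, for side-by-side comparison."""
    chk = parse_gpo_check(log)
    return {
        "user_sid": chk.user_sid,
        "in_deny_list": bool({chk.user_sid, *chk.group_sids} & set(chk.denied_sids)),
        "allow_list_empty": not chk.allowed_sids,
        "granted_without_implicit_deny": decide(chk, implicit_deny=False),
        "granted_with_implicit_deny": decide(chk, implicit_deny=True),
    }


if __name__ == "__main__":
    for k, v in explain(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the posted lines the deny list contains only S-1-5-32-546 (the Guests alias), which is not among the user's SIDs, and the allow list is empty, so the model grants access unless implicit deny is honoured; with implicit deny it denies. Running the parser over a fuller debug log of the failing login, and checking which model reproduces the logged access_granted value, is a quick way to tell whether the implicit-deny setting is being applied by the running build.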