Hi!
I'm experimenting with using GPO to restrict logon. Nothing fancy, no modifications made to the GPO parts of sssd.conf, just out-of-the-box. The GPO is set to be enforced.
The idea is to let at least two categories of user accounts log in via ssh; category 1 must use public/private key authentication and category 2 uses Kerberos. The groups "pubKeyUsers" and "KerberosUsers" are both added to the "Allow log on through Terminal Services" GPO setting.
The "Authenticated Users" group is added by default when creating a GPO, and logon is working as intended; "pubKeyUsers" must use key logon and "KerberosUsers" uses a Kerberos password. Users with no membership in either group are denied logon.
When replacing the "Authenticated Users" group in the GPO's Security Filtering with groups containing the server account and the groups "pubKeyUsers" and "KerberosUsers", it breaks. Members of "pubKeyUsers" need to authenticate with a Kerberos password (the public/private key authentication is ignored), and "KerberosUsers" are allowed, as is any other domain user.
I have also tried "loopback processing", as no user accounts have any GPOs applied, only servers.
It seems that SSSD doesn't honor Security Filtering except for the "Authenticated Users" group. Is that true? How is SSSD handling Security Filtering?
Regards Davor Vusir
On Tue, 2015-09-15 at 21:19 +0200, Davor Vusir wrote:
> Hi!
> I'm experimenting with using GPO to restrict logon. Nothing fancy, no modifications made to the GPO parts of sssd.conf, just out-of-the-box. The GPO is set to be enforced.
> The idea is to let at least two categories of user accounts log in via ssh; category 1 must use public/private key authentication and category 2 uses Kerberos. The groups "pubKeyUsers" and "KerberosUsers" are both added to the "Allow log on through Terminal Services" GPO setting.
> The "Authenticated Users" group is added by default when creating a GPO, and logon is working as intended; "pubKeyUsers" must use key logon and "KerberosUsers" uses a Kerberos password. Users with no membership in either group are denied logon.
> When replacing the "Authenticated Users" group in the GPO's Security Filtering with groups containing the server account and the groups "pubKeyUsers" and "KerberosUsers", it breaks. Members of "pubKeyUsers" need to authenticate with a Kerberos password (the public/private key authentication is ignored), and "KerberosUsers" are allowed, as is any other domain user.
> I have also tried "loopback processing", as no user accounts have any GPOs applied, only servers.
> It seems that SSSD doesn't honor Security Filtering except for the "Authenticated Users" group. Is that true? How is SSSD handling Security Filtering?
Handling of the Security Filtering GPO features hasn't been implemented. We really only handle the relatively simple "Allow logon *" functionality. Please file an enhancement request to support Security Filtering.
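To make the distinction in the reply above concrete, here is an added example (not code from the thread or from the SSSD project) of what the "Allow logon *" evaluation amounts to: the GPO's `GptTmpl.inf` security template is parsed, the `SeRemoteInteractiveLogonRight` / `SeDenyRemoteInteractiveLogonRight` entries (the rights SSSD maps to `sshd` by default via `ad_gpo_map_remote_interactive`) are collected, and the user's SIDs are matched against them. The GPO's own ACL, which is what Security Filtering edits, never enters this decision. The SIDs and the template content are constructed placeholders, and the "undefined allow list means no restriction" rule is a simplification assumed for this example, not a statement of SSSD's exact code path.

```python
import configparser

# Constructed GptTmpl.inf content (placeholder SIDs, not from any real domain).
# Real files live under MACHINE/Microsoft/Windows NT/SecEdit/ in the GPO's
# SYSVOL folder and are UTF-16LE encoded; decode them before parsing.
SAMPLE_GPTTMPL = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-1106
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1200
"""

# Placeholder SIDs standing in for the groups named in the thread.
PUBKEY_USERS_SID = "S-1-5-21-1111-2222-3333-1105"
KERBEROS_USERS_SID = "S-1-5-21-1111-2222-3333-1106"
BLOCKED_GROUP_SID = "S-1-5-21-1111-2222-3333-1200"

ALLOW_RIGHT = "SeRemoteInteractiveLogonRight"
DENY_RIGHT = "SeDenyRemoteInteractiveLogonRight"


def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_sids} from the [Privilege Rights] section.

    Values are comma-separated SIDs, each prefixed with '*', which is how the
    security template format writes them.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the right names' case, e.g. SeRemoteInteractiveLogonRight
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
            rights[name] = sids
    return rights


def evaluate_remote_logon(rights, principal_sids):
    """Decide ssh (remote interactive) access for a principal.

    principal_sids: the user's own SID plus every group SID it belongs to.
    Rule used here: an explicit deny wins; otherwise the principal must appear
    in the allow list; an absent allow list is treated as unrestricted (this
    last point is an assumption made for the example).
    """
    sids = set(principal_sids)
    deny = rights.get(DENY_RIGHT, set())
    if sids & deny:
        return False, "denied by " + DENY_RIGHT
    if ALLOW_RIGHT not in rights:
        return True, ALLOW_RIGHT + " not set in template; no restriction"
    if sids & rights[ALLOW_RIGHT]:
        return True, "allowed by " + ALLOW_RIGHT
    return False, "not listed in " + ALLOW_RIGHT


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_GPTTMPL)
    for label, sids in [
        ("pubKeyUsers member", ["S-1-5-21-1111-2222-3333-5001", PUBKEY_USERS_SID]),
        ("KerberosUsers member", ["S-1-5-21-1111-2222-3333-5002", KERBEROS_USERS_SID]),
        ("plain domain user", ["S-1-5-21-1111-2222-3333-5003"]),
        ("allowed but also in deny group", ["S-1-5-21-1111-2222-3333-5004", PUBKEY_USERS_SID, BLOCKED_GROUP_SID]),
    ]:
        print(label, evaluate_remote_logon(parsed, sids))
```

Note that the evaluation reads only the privilege-rights section; whether a given user or group is granted "Apply Group Policy" on the GPO object is nowhere in the input, which is why changing Security Filtering cannot tighten what this check enforces.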
Stephen Gallagher wrote on 2015-09-16 18:38:
> On Tue, 2015-09-15 at 21:19 +0200, Davor Vusir wrote:
> > Hi!
> > I'm experimenting with using GPO to restrict logon. Nothing fancy, no modifications made to the GPO parts of sssd.conf, just out-of-the-box. The GPO is set to be enforced.
> > The idea is to let at least two categories of user accounts log in via ssh; category 1 must use public/private key authentication and category 2 uses Kerberos. The groups "pubKeyUsers" and "KerberosUsers" are both added to the "Allow log on through Terminal Services" GPO setting.
> > The "Authenticated Users" group is added by default when creating a GPO, and logon is working as intended; "pubKeyUsers" must use key logon and "KerberosUsers" uses a Kerberos password. Users with no membership in either group are denied logon.
> > When replacing the "Authenticated Users" group in the GPO's Security Filtering with groups containing the server account and the groups "pubKeyUsers" and "KerberosUsers", it breaks. Members of "pubKeyUsers" need to authenticate with a Kerberos password (the public/private key authentication is ignored), and "KerberosUsers" are allowed, as is any other domain user.
> > I have also tried "loopback processing", as no user accounts have any GPOs applied, only servers.
> > It seems that SSSD doesn't honor Security Filtering except for the "Authenticated Users" group. Is that true? How is SSSD handling Security Filtering?
> Handling of the Security Filtering GPO features hasn't been implemented. We really only handle the relatively simple "Allow logon *" functionality. Please file an enhancement request to support Security Filtering.
Aha, I see. SSSD checks whether there is a GPO linked to the OU and then checks for the user account or groups.
Thank you for the information.
Regards Davor Vusir
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users