Hello,
We've got a RHEL 6.9 system in testing for AD integration. We have to
use 6.x due to compatibility issues with software that will eventually
be deployed to the system, so moving to RHEL 7.3 isn't an option.
Currently we're working on getting SSSD integrated with AD on this box.
So far everything except GPO restrictions is working. Users can log in
via their AD credentials, their groups are enumerated, home directories
are made automatically, etc. The only piece left is GPO-based access
restrictions. We'd really like to use AD GPOs to set who can and can't
log in via SSH. To this end we've made a new OU for the Linux server,
placed its AD object in the OU, and attached a GPO to the OU with a
test user account in the "Deny log on through Remote Desktop Services"
policy setting. So far this hasn't been working and the test account
can always log in through SSH.
The SSSD system can see the GPOs attached to the OU all the way up to
the domain root, but does not think any of the GPOs apply to it. We've
got "ad_gpo_access_control = enforcing" set in sssd.conf but it doesn't
seem to be doing anything. According to the logs SSSD is parsing all
the GPO LDAP attributes then deciding none of the GPOs apply, without
parsing the GPO INI files themselves. I have confirmed manually that
the server's Kerberos credentials will return results via LDAP queries
and can mount the domain SYSVOL share as well as read the GPO files in
the share. So I'm not sure why SSSD won't apply the GPO settings. I've
attached a sanitized sssd.conf file and selected parts of the
sssd_ad.domain.com.log file to this post. Here's the relevant version
info:
RHEL 6.9 - Linux ad-lnx-test.ad.domain.com 2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Mar 21 12:19:18 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
yum info sssd:
Name : sssd
Arch : x86_64
Version : 1.13.3
Release : 56.el6
Size : 34 k
Repo : installed
From repo : rhel-6-server-rpms
Any thoughts on why this isn't working are much appreciated.
--
-Donald
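The post above turns on two things that SSSD evaluates separately: which GPOs linked above the computer object actually apply (gPLink/gPOptions on the OU chain, including disabled links and blocked inheritance), and what the applied GPO's GptTmpl.inf says in its [Privilege Rights] section, where "Deny log on through Remote Desktop Services" is stored as SeDenyRemoteInteractiveLogonRight and, under SSSD's default ad_gpo_map_remote_interactive, governs the sshd PAM service. The Python script below is an added example written for this thread; it is not code from the original post or from SSSD. The gPLink/GptTmpl.inf data, the OU names, the SIDs and the non-default GPO GUID are all constructed sample values, and the allow/deny decision rule in evaluate_logon (explicit deny wins, an absent allow right means no restriction, otherwise the user must match the allow list) is an assumption made for the example rather than a transcript of SSSD's ad_gpo.c.

```python
"""Added example (not from the original post or from SSSD): model the two
inputs behind a GPO-based sshd decision on a Linux host joined to AD.
  1. gPLink/gPOptions on the containers above the computer object decide
     which GPOs are linked, disabled, enforced or blocked by inheritance.
  2. A GPO's Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf carries the
     logon-right SID lists that the sshd PAM service is mapped to.
All sample data below is constructed for the example."""
import configparser
import re
from typing import Dict, List, Set, Tuple

# SSSD's default ad_gpo_map_remote_interactive puts sshd under the
# RemoteInteractive logon rights, so "Deny log on through Remote Desktop
# Services" (SeDenyRemoteInteractiveLogonRight) is the setting that governs SSH.
SERVICE_RIGHTS = {
    "sshd": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}

# gPLink is a concatenation of "[LDAP://<gpo DN>;<options>]" entries;
# options bit 0 = link disabled, bit 1 = link enforced.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def parse_gplink(gplink: str) -> List[Tuple[str, bool, bool]]:
    """Return (gpo_dn, disabled, enforced) for each link, in link order."""
    links = []
    for dn, opts in GPLINK_RE.findall(gplink or ""):
        options = int(opts)
        links.append((dn, bool(options & 1), bool(options & 2)))
    return links


def applicable_gpos(chain: List[Tuple[str, str, int]]) -> List[str]:
    """chain = [(container_dn, gPLink, gPOptions), ...] from the domain root
    down to the computer's own OU. Disabled links are skipped; a container
    with gPOptions bit 0 ("block inheritance") drops non-enforced links
    inherited from above; enforced links always survive."""
    inherited: List[str] = []
    enforced: List[str] = []
    for _container, gplink, gpoptions in chain:
        if gpoptions & 1:
            inherited = []
        for gpo_dn, disabled, is_enforced in parse_gplink(gplink):
            if disabled:
                continue
            (enforced if is_enforced else inherited).append(gpo_dn)
    return inherited + enforced


def parse_privilege_rights(raw: bytes) -> Dict[str, Set[str]]:
    """Parse [Privilege Rights] from a GptTmpl.inf (UTF-16 with BOM, as written
    by Windows). Values are comma-separated SIDs prefixed with '*'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the SeDeny... key casing
    cp.read_string(raw.decode("utf-16"))
    rights: Dict[str, Set[str]] = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {t.strip().lstrip("*") for t in value.split(",") if t.strip()}
    return rights


def evaluate_logon(rights: Dict[str, Set[str]], user_sid: str,
                   group_sids: Set[str], service: str = "sshd") -> Tuple[bool, str]:
    """Decision rule assumed for this example (not a transcript of SSSD's
    ad_gpo.c): an explicit deny on the user or any group wins; if the allow
    right is absent there is no allow restriction; otherwise the user must
    match the allow list."""
    allow_key, deny_key = SERVICE_RIGHTS[service]
    principals = {user_sid} | set(group_sids)
    if principals & rights.get(deny_key, set()):
        return False, "denied by " + deny_key
    if allow_key not in rights:
        return True, allow_key + " not configured"
    if principals & rights[allow_key]:
        return True, "allowed by " + allow_key
    return False, "not listed in " + allow_key


# --- constructed sample data (GUID of the second GPO is a placeholder) ------
DOMAIN = "DC=ad,DC=domain,DC=com"
GPO_LNX = "cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system," + DOMAIN
GPO_DEFAULT = "cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system," + DOMAIN
SAMPLE_CHAIN = [
    (DOMAIN, "[LDAP://%s;0]" % GPO_DEFAULT, 0),
    ("OU=Linux Servers," + DOMAIN, "[LDAP://%s;1]" % GPO_LNX, 0),  # ;1 = link disabled
]
SAMPLE_GPTTMPL = "\r\n".join([
    "[Unicode]", "Unicode=yes",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1",
    "[Privilege Rights]",
    "SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1106",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1200",
]).encode("utf-16")

if __name__ == "__main__":
    print("GPOs still applied to the server's OU:", applicable_gpos(SAMPLE_CHAIN))
    rights = parse_privilege_rights(SAMPLE_GPTTMPL)
    for sid in ("S-1-5-21-1000-2000-3000-1106", "S-1-5-21-1000-2000-3000-1107"):
        print(sid, evaluate_logon(rights, sid, {"S-1-5-21-1000-2000-3000-1200"}))
```

In the constructed chain the OU-level link is disabled (option bit 0), so only the domain-level GPO survives, which is the kind of situation where SSSD can enumerate every GPO up to the domain root yet conclude that the one carrying the deny setting does not apply. The same run shows that a deny on the user's own SID beats membership in an allowed group, and that a user missing from a configured allow list is refused. The script is Python 3, so it is meant for reading the SYSVOL copy of GptTmpl.inf and the LDAP attributes offline, not for running on the RHEL 6 host itself.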