On Wed, Dec 04, 2019 at 09:58:00AM -0600, Spike White wrote:
> We have an AD-based sssd configuration that is working. For RHEL6, 7 and 8.
> We've done thorough lab testing + pilot projects. All good (with certain
> Currently, we're using access_provider = simple, with the appropriate
> simple_allow_groups and simple_allow_users lines in /etc/sssd/sssd.conf.
> A reviewer mentioned we should be using access_provider = ad +
> /etc/security/access.conf file to restrict access. (We have pam_access.so
> in our pam stack already, to disallow direct root login and other limited
> Obviously that second approach would work too.
> The claim is the first approach would allow in AD accounts with expired
> passwords and locked accounts. Whereas the second approach would not.
This is correct. It would be an issue if you used a different auth
method than passwords, like ssh keys: then locked accounts could log in.
The best way would be if sssd implemented account provider stacking so
that you could say:
BTW, since you are already using AD, wouldn't it be best to implement
GPOs and use GPOs for access control, at least on RHEL-7 and 8?
> I'm attempting to test this claim -- I have an account I can lock easily.
> But does anyone have any best practices for access_provider?
> The advantage of this first approach is that it's already coded and
> thoroughly tested. The pilot projects use this.
> The one advantage of the second approach that I'm certain of is that RHEL6
> does not have a realm permit command. So permitting a user or group using
> the first approach differs between RHEL6 and 7/8. (To me, that's not huge.)
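For readers following the thread, here is a constructed /etc/sssd/sssd.conf fragment (not from either poster) that shows the group-only allow-list setting beside the AD access provider that also evaluates account state; the domain ad.example.com, the group linux-admins and the user svc-backup are placeholders.

```ini
# /etc/sssd/sssd.conf -- constructed example, not from the thread.
# Domain, group and user names are placeholders.
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad

# Approach 1 (as used by the original poster): the access decision is a
# pure allow-list. Group/user membership is all that is consulted, so a
# locked or disabled AD account that authenticates with an SSH key (no
# password round-trip to AD) still passes the PAM account phase.
#
# access_provider = simple
# simple_allow_groups = linux-admins@ad.example.com
# simple_allow_users = svc-backup@ad.example.com

# Approach 2: let the AD provider make the access decision. It evaluates
# the AD account state (disabled, expired, locked out) regardless of how
# the user authenticated, which is the gap described above.
access_provider = ad

# Optional: keep the "who may log in" restriction without pam_access by
# expressing it as an LDAP filter on the same provider. Account-state
# checks still apply on top of this filter.
ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=ad,DC=example,DC=com)

# RHEL 7/8 only: honour Allow/Deny log on rights from Group Policy, as
# suggested in the reply. Use 'permissive' first to log what would be
# denied before switching to 'enforcing'.
ad_gpo_access_control = enforcing
```

The reviewer's access.conf approach can be combined with this: access_provider = ad handles account state, and pam_access.so keeps the host-local allow-list already in the PAM stack.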
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines