What you are trying to do looks like RBAC.
You have 2 main options to deal with your need:
1) Allow server access using the sssd.conf file and using ad_access_filter.
Using this option, you can use an AD group called: allowed_to_access_this
Then in AD you just have to make your users members of this group.
If they are not members they will be prompted for their credentials, but
2) It is a mix of sshd_config and sudoers, where you can also use AD
groups as long as they have a GID of course.
Use AllowGroups in sshd_config; if you do not, everyone will have access.
Use sudoers to limit their permissions.
On Thu, Jun 11, 2020 at 8:27 AM Sangster, Mark <m.v.sangster(a)abdn.ac.uk>
I wish the control to be external to the system. It allows us to
people by dept/courses/etc and add them to systems when desired, rather
than having to change SSSD periodically. So management within AD is
I did sort of figure that PAM was going to be the local user control but
wasn't sure if SSSD could handle that as well. Thanks!
Also, thank you Personne, that looks like what I need to do.
From: patrick.hush(a)comcast.net <patrick.hush(a)comcast.net>
Sent: 10 June 2020 16:24
To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>; Sangster, Mark <
Subject: Re: [SSSD-users] Access Filters
Rather than filtering off a single group, why not use the
simple_allow_groups key value? This will allow multiple groups to access
the system should the need ever arise.
For the local users, that is outside sssd for the most part, look at your
pam configs and nsswitch.
> On June 10, 2020 at 5:42 AM "Sangster, Mark"
> I was attempting to utilise the AD provider for access control, however
> I cannot make it work with members of nested groups. i.e. when using the
> This functions:
> access_provider = ldap
> ldap_sasl_authid = SERVER$@DOMAIN
> ldap_access_filter =
> This doesn’t:
> access_provider = ad
> ad_access_filter =
> Have I missed anything?
> It would also be useful if it is possible to allow local users access
> alongside the remote users. e.g. allow both “domain_account” and
> “local_account” access. Is that possible?
> Mark Sangster
> Server Infrastructure Specialist
> Information Technology Services | University of Aberdeen
> t: +44 (0)1224 27-3315 | e: mailto:firstname.lastname@example.org | u:
> The University of Aberdeen is a charity registered in Scotland, No
> Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir.
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> List Guidelines:
> List Archives:
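The two layers discussed in this thread, as an added example that is not code from any of the posters, from SSSD or from OpenSSH: option 1 is an sssd.conf allow-list (simple_allow_groups, with an ad_access_filter variant), option 2 is AllowGroups in sshd_config plus a sudoers rule. The group names linux_admins and linux_users, the domain example.com and the DN are placeholders I made up; the nested-group filter relies on the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which the thread itself does not mention. The script writes the fragments to a scratch directory and models the allow-list decision in shell so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: the two access-control layers the
# first reply describes (sssd.conf allow-lists, and sshd_config AllowGroups plus
# sudoers), written as sample fragments into a scratch directory, with a small
# shell model of the allow-list decision so it can be exercised offline.
# Group names, the domain example.com and the DN below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Option 1: let SSSD decide. simple_allow_groups takes several groups, so the
# allow-list can grow without editing a filter. The commented ad_access_filter
# variant uses the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN
# (OID 1.2.840.113556.1.4.1941), which makes the domain controller evaluate
# nested membership; a plain memberOf= comparison only sees direct membership.
write_sssd_conf() {
  cat > "$WORK/sssd.conf" <<'EOF'
[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux_admins, linux_users

# Alternative: AD provider with a nested-group-aware filter (placeholder DN)
# access_provider = ad
# ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=allowed_to_access_this,OU=Groups,DC=example,DC=com)
EOF
  printf '%s\n' "$WORK/sssd.conf"
}

# Option 2: let sshd decide who may log in, and sudoers decide what they may run.
# Without an AllowGroups line sshd admits every account that can authenticate.
write_sshd_fragment() {
  cat > "$WORK/sshd_config" <<'EOF'
AllowGroups linux_admins linux_users
EOF
  printf '%s\n' "$WORK/sshd_config"
}

write_sudoers_fragment() {
  cat > "$WORK/sudoers_linux_admins" <<'EOF'
# Members of the AD group linux_admins may run anything via sudo.
%linux_admins ALL=(ALL) ALL
EOF
  printf '%s\n' "$WORK/sudoers_linux_admins"
}

# Model of the allow-list decision shared by simple_allow_groups and AllowGroups.
#   $1: comma-separated groups the user holds (what `id -nG` would report)
#   $2: comma-separated allow-list from the config
# Returns 0 when access is allowed and 1 when it is denied. An empty allow-list
# allows everyone, mirroring sshd with no AllowGroups line and the simple
# provider with no allow-list configured: the "everyone will have access"
# caveat from the reply. The body runs in a subshell so IFS stays local.
allow_by_group() (
  user_groups=$1
  allow_list=$2
  [ -z "$allow_list" ] && exit 0
  IFS=','
  for allowed in $allow_list; do
    allowed=$(printf '%s' "$allowed" | sed 's/^ *//;s/ *$//')
    for held in $user_groups; do
      held=$(printf '%s' "$held" | sed 's/^ *//;s/ *$//')
      [ "$held" = "$allowed" ] && exit 0
    done
  done
  exit 1
)

# Stand-alone run: write the fragments and show the decision for a sample user
# (constructed group list; "Domain Users" keeps its space because IFS is ',').
write_sssd_conf
write_sshd_fragment
write_sudoers_fragment
groups_held="Domain Users,linux_users"
if allow_by_group "$groups_held" "linux_admins, linux_users"; then
  echo "access allowed for groups: $groups_held"
else
  echo "access denied for groups: $groups_held"
fi
```

Run it with `sh` and inspect the files under the printed paths before copying anything into /etc/sssd/sssd.conf, /etc/ssh/sshd_config or /etc/sudoers.d; the allow_by_group function is only a model of the decision, not a replacement for the real providers.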