[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?

2019-10-03 Thread James Cassell
On Thu, Oct 3, 2019, at 9:15 PM, Alex Perl wrote:
> Implemented AD/KRB/SSSD with both RH6 and RH7. 
> 
> RH7 no issues, as we are using auto_private_groups that was added to 1.16.1. 
> 
> In RH6 (sssd 1.13) the issue is that all users are getting the same 
> groups, and it is a clear security gap. 
> 
> The only way to avoid this, based on the KB articles, is to use AD 
> posix attributes. If we don't want to use this setup, is there any 
> other recommended way?
> 

In my experience, even with AD POSIX attributes where a GID is assigned to the 
user, the group name does not resolve without auto_private_groups unless there 
is an associated AD group with the same GID.  In my example, we assigned 
uid=gid attributes unique to each user.

Probably the best way to close the security gap on RH6 is to enforce a umask of 
077.

> The example of user/group representation, where all users are getting the 
> same gid=273200513(domain users):
> 
> id username uid=2755191114(ncircle) gid=273200513(domain users) 
> groups=273200513(domain users)


V/r,
James Cassell
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
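To make the symptom from this thread (every AD account landing in the same primary group) and James's umask mitigation checkable on a host, here is an added POSIX shell example; it is not code from the thread or from SSSD, and the passwd lines, names and UIDs in it are constructed. On a real host, feed `getent passwd` into the function instead of the sample.

```shell
#!/bin/sh
# Added example: flag passwd entries whose primary GID is shared by many
# accounts (the "all users get gid=273200513(domain users)" symptom from the
# thread) and check whether the umask closes the resulting group-readable gap.

# Constructed sample in "getent passwd" format (hypothetical users/UIDs).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:*:2755191114:273200513:alice:/home/alice:/bin/bash
bob:*:2755191115:273200513:bob:/home/bob:/bin/bash
carol:*:2755191116:273200513:carol:/home/carol:/bin/bash
dave:*:2755191117:2755191117:dave:/home/dave:/bin/bash'

# shared_primary_gids <min_members>: read passwd lines on stdin and print one
# line per GID that is the primary group of at least <min_members> accounts.
shared_primary_gids() {
    awk -F: -v min="$1" '
        NF >= 4 { count[$4]++; members[$4] = members[$4] " " $1 }
        END {
            for (gid in count)
                if (count[gid] >= min)
                    printf "gid=%s members=%d:%s\n", gid, count[gid], members[gid]
        }'
}

# check_umask <umask>: succeed only when the umask strips all group and
# other permission bits (the 077 suggested in the reply above).
check_umask() {
    case "$1" in
        077|0077) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Report GIDs shared as primary group by two or more accounts.
    printf '%s\n' "$SAMPLE_PASSWD" | shared_primary_gids 2
    # Report if the current process umask leaves group/other bits set.
    check_umask "$(umask)" || echo "umask $(umask) does not strip group/other bits"
}

main "$@"
```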


[SSSD-users] Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?

2019-10-03 Thread Alex Perl
Implemented AD/KRB/SSSD with both RH6 and RH7. 

RH7 no issues, as we are using auto_private_groups that was added to 1.16.1. 

In RH6 (sssd 1.13) the issue is that all users are getting the same groups, and 
it is a clear security gap. 

The only way to avoid this, based on the KB articles, is to use AD posix 
attributes. If we don't want to use this setup, is there any other recommended 
way?

The example of user/group representation, where all users are getting the same 
gid=273200513(domain users):

id username uid=2755191114(ncircle) gid=273200513(domain users) 
groups=273200513(domain users)


[SSSD-users] Re: AD user is granted access when it should be denied

2019-10-03 Thread Emil Petersson
Hi,

The docs for ad_gpo_implicit_deny read:

"Normally when no applicable GPOs are found the users are allowed access. When 
this option is set to True users will be allowed access only when explicitly 
allowed by a GPO rule. Otherwise users will be denied access. This can be used 
to harden security but be careful when using this option because it can deny 
access even to users in the built-in Administrators group if no GPO rules apply 
to them."

In my case, there are GPOs found, it's just that none of them touches 
RemoteInteractiveLogonRight or DenyRemoteInteractiveLogonRight.

Does ad_gpo_implicit_deny work in such a way that it's only effective when no 
(0) GPOs are found? That might explain the behaviour I'm seeing. If this is the 
case, I suggest that ad_gpo_implicit_deny should be effective also when none of 
the detected GPOs explicitly allows or denies remote logon.