sssd-ad.5.xml revision b22e0da9e644f5eb84ee0c8986979fec3fe7eb56
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sssd-ad</refentrytitle>
        <manvolnum>5</manvolnum>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv id='name'>
        <refname>sssd-ad</refname>
        <refpurpose>SSSD Active Directory provider</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the configuration of the AD provider
            for
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
                <manvolnum>8</manvolnum>
            </citerefentry>.
            For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page.
        </para>
        <para>
            The AD provider is a back end used to connect to an Active
            Directory server. This provider requires that the machine be
            joined to the AD domain and that a keytab for the host is available.
        </para>
        <para>
            The AD provider supports connecting to Active Directory 2008 R2
            or later. Earlier versions may work, but are unsupported.
        </para>
        <para>
            The AD provider is able to provide identity information and
            authentication for entities from trusted domains as well. Currently
            only trusted domains in the same forest are recognized.
        </para>
        <para>
            The AD provider accepts the same options used by the
            <citerefentry>
                <refentrytitle>sssd-ldap</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> identity provider and the
            <citerefentry>
                <refentrytitle>sssd-krb5</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> authentication provider, with some exceptions described
            below. However, it is neither necessary nor recommended to set these
            options explicitly, since the AD provider supplies its own defaults
            for them.
        </para>
        <para>
            The AD provider can also be used as an access, chpass and
            sudo provider. No configuration of the access provider is required
            on the client side.
        </para>
        <para>
            By default, the AD provider will map UID and GID values from the
            objectSID attribute in Active Directory. For details on this, see
            the <quote>ID MAPPING</quote> section below. If you want to
            disable ID mapping and instead rely on POSIX attributes defined in
            Active Directory, you should set
            <programlisting>
ldap_id_mapping = False
            </programlisting>
            In order to retrieve users and groups using POSIX attributes from trusted
            domains, the AD administrator must make sure that the POSIX attributes
            are replicated to the Global Catalog.
        </para>
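As an added illustration of the default ID mapping (example code written for this page, not part of SSSD): the script below decodes a binary objectSID into its S-1-5-21-... string form, splits off the RID and adds it to the base of the ID range assigned to that domain. The RANGES table, make_sid() and the SID values are constructed for the example; SSSD itself derives the per-domain ranges from its ldap_idmap_* options rather than from a static table, and can allocate further ranges for large RIDs, which this example does not model.

```python
"""Added example (not SSSD code): map an Active Directory objectSID to a
POSIX ID the way an ID-mapping client does.  Parse the binary SID, split
it into domain SID and RID, then add the RID to the base of the ID range
assigned to that domain.  RANGES is a constructed stand-in for the
per-domain ranges SSSD allocates itself."""
import struct


def parse_sid(blob: bytes) -> str:
    """Decode a binary objectSID into its S-1-5-21-... string form.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then count little-endian uint32s."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def make_sid(authority: int, *subs: int) -> bytes:
    """Encode a SID into the binary form AD stores (used here only to
    build constructed sample input)."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str) -> tuple:
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


# Hypothetical range table, (range base, range size) per domain SID.
# SSSD derives its ranges from the ldap_idmap_* options; the values
# here are constructed for the example.
RANGES = {
    "S-1-5-21-1111-2222-3333": (200000, 200000),
    "S-1-5-21-4444-5555-6666": (400000, 200000),
}


def sid_to_posix_id(blob: bytes) -> int:
    """Return range base + RID.  A RID beyond the range size is refused
    here; SSSD can allocate additional ranges for such RIDs, which this
    example deliberately does not model."""
    domain, rid = split_sid(parse_sid(blob))
    if domain not in RANGES:
        raise LookupError(f"no ID range assigned to domain {domain}")
    base, size = RANGES[domain]
    if rid >= size:
        raise ValueError(f"RID {rid} exceeds range size {size} of {domain}")
    return base + rid


if __name__ == "__main__":
    user = make_sid(5, 21, 1111, 2222, 3333, 1106)   # constructed user SID
    print(parse_sid(user), "->", sid_to_posix_id(user))
```

Because the result depends only on the domain SID and the RID, every client that agrees on the range table computes the same UID for the same account; that is the property that makes SID-based mapping usable without POSIX attributes, and also why the range options must be identical across all clients.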
        <para>
            Users, groups and other entities served by SSSD are always treated as
            case-insensitive in the AD provider for compatibility with Active
            Directory's LDAP implementation.
        </para>
    </refsect1>

    <refsect1 id='configuration-options'>
        <title>CONFIGURATION OPTIONS</title>
        <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page for details on the configuration of an SSSD domain.
            <variablelist>
                <varlistentry>
                    <term>ad_domain (string)</term>
                    <listitem>
                        <para>
                            Specifies the name of the Active Directory domain.
                            This is optional. If not provided, the
                            configuration domain name is used.
                        </para>
                        <para>
                            For proper operation, this option should be
                            specified as the lower-case form of the long (DNS)
                            name of the Active Directory domain.
                        </para>
                        <para>
                            The short domain name (also known as the NetBIOS
                            or the flat name) is autodetected by the SSSD.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_server, ad_backup_server (string)</term>
                    <listitem>
                        <para>
                            The comma-separated list of
                            hostnames of the AD servers to which SSSD should
                            connect in order of preference. For more
                            information on failover and server redundancy, see
                            the <quote>FAILOVER</quote> section.
                            This is optional if autodiscovery is enabled.
                            For more information on service discovery, refer
                            to the <quote>SERVICE DISCOVERY</quote> section.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_hostname (string)</term>
                    <listitem>
                        <para>
                            Optional. May be set on machines where the
                            hostname(5) does not reflect the fully qualified
                            name used in the Active Directory domain to
                            identify this host.
                        </para>
                        <para>
                            This field is used to determine the host principal
                            in use in the keytab. It must match the hostname
                            for which the keytab was issued.
                        </para>
                    </listitem>
                </varlistentry>
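A pre-flight check for the two requirements above, written as an added example (not SSSD code): ad_domain must be the lower-case long name, and the keytab must hold the host principal for ad_hostname in that domain's realm. SAMPLE_KLIST is a constructed copy of what `klist -k /etc/krb5.keytab` prints; check_join() and keytab_principals() are hypothetical helper names.

```python
"""Added example (not SSSD code): pre-flight check for the ad_domain and
ad_hostname requirements.  ad_domain should be the lower-case long (DNS)
name, and the keytab must contain host/<ad_hostname>@<REALM>.
SAMPLE_KLIST is a constructed `klist -k` listing."""
import re

# Rows of `klist -k` look like "   3 host/ws01.example.com@EXAMPLE.COM".
_KLIST_ROW = re.compile(r"^\s*\d+\s+(\S+)\s*$")


def keytab_principals(klist_output: str) -> list:
    """Extract the principal names from `klist -k` output."""
    return [m.group(1)
            for m in map(_KLIST_ROW.match, klist_output.splitlines()) if m]


def _norm(principal: str):
    # AD treats the host part case-insensitively; the realm must match exactly.
    name, _, realm = principal.rpartition("@")
    return name.lower(), realm


def check_join(ad_domain: str, ad_hostname: str, klist_output: str) -> list:
    """Return a list of problems; an empty list means the settings are
    consistent with the keytab."""
    problems = []
    if ad_domain != ad_domain.lower():
        problems.append(f"ad_domain {ad_domain!r} is not lower-case")
    if "." not in ad_domain:
        problems.append(f"ad_domain {ad_domain!r} looks like a NetBIOS (flat) "
                        "name, not the long DNS name")
    wanted = f"host/{ad_hostname}@{ad_domain.upper()}"
    principals = keytab_principals(klist_output)
    if _norm(wanted) not in {_norm(p) for p in principals}:
        hosts = sorted(p for p in principals if p.startswith("host/"))
        problems.append(f"keytab has no {wanted}; host principals present: {hosts}")
    return problems


SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ws01.example.com@EXAMPLE.COM
   3 host/WS01@EXAMPLE.COM
   3 WS01$@EXAMPLE.COM
"""

if __name__ == "__main__":
    for domain, host in (("example.com", "ws01.example.com"),
                         ("EXAMPLE.COM", "ws02.example.com")):
        print(domain, host, check_join(domain, host, SAMPLE_KLIST) or "OK")
```

Run it against the real listing (klist -k needs read access to the keytab, normally root) and the values from the domain section of sssd.conf. A keytab that carries only the short-name principal, like host/WS01 above, does not satisfy an ad_hostname set to the fully qualified name.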

                <varlistentry>
                    <term>ad_enable_dns_sites (boolean)</term>
                    <listitem>
                        <para>
                            Enables DNS sites, i.e. location-based
                            service discovery.
                        </para>
                        <para>
                            If true and service discovery (see Service
                            Discovery paragraph at the bottom of the man page)
                            is enabled, the SSSD will first attempt to discover
                            the Active Directory server to connect to using the
                            Active Directory Site Discovery and fall back to
                            the DNS SRV records if no AD site is found. The
                            DNS SRV configuration, including the discovery
                            domain, is used during site discovery as well.
                        </para>
                        <para>
                            Default: true
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_access_filter (string)</term>
                    <listitem>
                        <para>
                            This option specifies an LDAP access control
                            filter that the user must match in order
                            to be allowed access. Please note that the
                            <quote>access_provider</quote> option must be
                            explicitly set to <quote>ad</quote> in order
                            for this option to have an effect.
                        </para>
                        <para>
                            The option also supports specifying different
                            filters per domain or forest. This
                            extended filter would consist of:
                            <quote>KEYWORD:NAME:FILTER</quote>.
                            The keyword can be either <quote>DOM</quote>,
                            <quote>FOREST</quote> or missing.
                        </para>
                        <para>
                            If the keyword is <quote>DOM</quote>
                            or is missing, then <quote>NAME</quote> specifies
                            the domain or subdomain the filter applies to.
                            If the keyword is <quote>FOREST</quote>,
                            then the filter applies to all domains of the
                            forest specified by <quote>NAME</quote>.
                        </para>
                        <para>
                            Multiple filters can be separated with the
                            <quote>?</quote> character, similarly to how
                            search bases work.
                        </para>
                        <para>
                            The most specific match is always used. For
                            example, if the option specifies a filter
                            for the domain the user is a member of and a
                            global filter, the per-domain filter is
                            applied. If there are more matches with
                            the same specificity, the first one is used.
                        </para>
                        <para>
                            Examples:
                        </para>
                        <programlisting>
# apply filter on domain called dom1 only:
dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)

# apply filter on domain called dom2 only:
DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)

# apply filter on forest called EXAMPLE.COM only:
FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
                        </programlisting>
                        <para>
                            Default: Not set
                        </para>
                    </listitem>
                </varlistentry>
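The selection rules above (keyword, <quote>?</quote> separator, most specific match, first entry on ties), as an added example rather than SSSD's own parser: parse_access_filter() and select_filter() are hypothetical names, the three domain and forest entries are the examples given above, and the fourth, global entry is constructed.

```python
"""Added example (not SSSD's parser): pick the ad_access_filter entry
that applies to a user.  Entries are separated by '?', each one is
FILTER, NAME:FILTER, DOM:NAME:FILTER or FOREST:NAME:FILTER; the most
specific match wins (domain, then forest, then global) and among entries
of equal specificity the first one listed wins."""
from __future__ import annotations
from dataclasses import dataclass

DOMAIN, FOREST, GLOBAL = 0, 1, 2          # lower value = more specific


@dataclass(frozen=True)
class AccessFilter:
    scope: int
    name: str | None                       # domain/forest name; None if global
    ldap_filter: str


def parse_entry(entry: str) -> AccessFilter:
    """Parse one entry.  An LDAP filter always starts with '(', so only
    the text before the first '(' is inspected for a keyword and name;
    a ':' inside the filter itself (extensible match) is left alone."""
    entry = entry.strip()
    prefix, paren, rest = entry.partition("(")
    if not paren:
        raise ValueError(f"no LDAP filter in {entry!r}")
    if prefix and not prefix.endswith(":"):
        raise ValueError(f"malformed keyword/name prefix in {entry!r}")
    parts = prefix[:-1].split(":") if prefix else []
    ldap_filter = paren + rest
    if not parts:
        return AccessFilter(GLOBAL, None, ldap_filter)
    if len(parts) == 1:
        return AccessFilter(DOMAIN, parts[0].lower(), ldap_filter)
    if len(parts) == 2 and parts[0] == "DOM":
        return AccessFilter(DOMAIN, parts[1].lower(), ldap_filter)
    if len(parts) == 2 and parts[0] == "FOREST":
        return AccessFilter(FOREST, parts[1].lower(), ldap_filter)
    raise ValueError(f"unknown keyword in {entry!r}")


def parse_access_filter(value: str) -> list[AccessFilter]:
    return [parse_entry(e) for e in value.split("?") if e.strip()]


def select_filter(filters: list[AccessFilter], user_domain: str,
                  user_forest: str) -> str | None:
    """Return the LDAP filter to apply to a user of user_domain (which
    belongs to user_forest), or None when no entry applies."""
    user_domain, user_forest = user_domain.lower(), user_forest.lower()
    best = None
    for f in filters:                      # list order keeps "first wins"
        if f.scope == DOMAIN and f.name != user_domain:
            continue
        if f.scope == FOREST and f.name != user_forest:
            continue
        if best is None or f.scope < best.scope:
            best = f
    return best.ldap_filter if best else None


# The three examples from this page plus a constructed global entry.
CONFIGURED = (
    "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)"
    "?DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)"
    "?FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)"
    "?(memberOf=cn=linux-users,ou=groups,dc=example,dc=com)"
)

if __name__ == "__main__":
    filters = parse_access_filter(CONFIGURED)
    for dom, forest in (("dom1", "example.com"), ("dom3", "example.com"),
                        ("dom9", "other.net")):
        print(dom, "->", select_filter(filters, dom, forest))
```

Two things worth checking in a real deployment: without access_provider = ad the whole option is silently ignored, so a misplaced line fails open rather than closed; and the selected filter is only as good as the group it names, so confirm with ldapsearch that the intended users actually match it before enabling it.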

                <varlistentry>
                    <term>ad_site (string)</term>
                    <listitem>
                        <para>
                            Specify the AD site to which the client should try to connect.
                            If this option is not provided, the AD site will be
                            auto-discovered.
                        </para>
                        <para>
                            Default: Not set
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_enable_gc (boolean)</term>
                    <listitem>
                        <para>
                            By default, the SSSD connects to the Global
                            Catalog first to retrieve users from trusted
                            domains and uses the LDAP port to retrieve
                            group memberships or as a fallback. Disabling
                            this option makes the SSSD only connect to
                            the LDAP port of the current AD server.
                        </para>
                        <para>
                            Please note that disabling Global Catalog support
                            does not disable retrieving users from trusted
                            domains. The SSSD would connect to the LDAP port
                            of trusted domains instead. However, the Global
                            Catalog must be used in order to resolve
                            cross-domain group memberships.
                        </para>
                        <para>
                            Default: true
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_gpo_access_control (string)</term>
                    <listitem>
                        <para>
                            This option specifies the operation mode for
                            GPO-based access control functionality:
                            whether it operates in disabled mode, enforcing
                            mode, or permissive mode. Please note that the
                            <quote>access_provider</quote> option must be
                            explicitly set to <quote>ad</quote> in order for
                            this option to have an effect.
                        </para>
                        <para>
                            GPO-based access control functionality uses GPO
                            policy settings to determine whether or not a
                            particular user is allowed to log on to a particular
                            host.
                        </para>
                        <para>
                            NOTE: If the operation mode is set to enforcing, it
                            is possible that users that were previously allowed
                            logon access will now be denied logon access (as
                            dictated by the GPO policy settings). In order to
                            facilitate a smooth transition for administrators,
                            a permissive mode is available that will not enforce
                            the access control rules, but will evaluate them and
                            will output a syslog message if access would have
                            been denied. By examining the logs, administrators
                            can then make the necessary changes before setting
                            the mode to enforcing.
                        </para>
                        <para>
                            There are three supported values for this option:
                            <itemizedlist>
                                <listitem>
                                    <para>
                                        disabled: GPO-based access control rules
                                        are neither evaluated nor enforced.
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        enforcing: GPO-based access control
                                        rules are evaluated and enforced.
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        permissive: GPO-based access control
                                        rules are evaluated, but not enforced.
                                        Instead, a syslog message will be
                                        emitted indicating that the user would
                                        have been denied access if this option's
                                        value were set to enforcing.
                                    </para>
                                </listitem>
                            </itemizedlist>
                        </para>
                        <para>
                            Default: permissive
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_gpo_cache_timeout (integer)</term>
                    <listitem>
                        <para>
                            The amount of time between lookups of GPO policy
                            files against the AD server. This will reduce the
                            latency and load on the AD server if there are
                            many access-control requests made in a short
                            period.
                        </para>
                        <para>
                            Default: 5 (seconds)
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_gpo_map_interactive (string)</term>
                    <listitem>
                        <para>
                            A comma-separated list of PAM service names for
                            which GPO-based access control is evaluated based on
                            the InteractiveLogonRight and
                            DenyInteractiveLogonRight policy settings.
                        </para>
                        <para>
                            Note: In the Group Policy Management Editor these
                            settings are called "Allow log on locally" and
                            "Deny log on locally".
                        </para>
                        <para>
                            It is possible to add another PAM service name
                            to the default set by using <quote>+service_name</quote>
                            or to explicitly remove a PAM service name from
                            the default set by using <quote>-service_name</quote>.
                            For example, in order to replace a default PAM service
                            name for this logon right (e.g. <quote>login</quote>)
                            with a custom PAM service name (e.g. <quote>my_pam_service</quote>),
                            you would use the following configuration:
                            <programlisting>
ad_gpo_map_interactive = +my_pam_service, -login
                            </programlisting>
                        </para>
                        <para>
                            Default: the default set of PAM service names includes:
                            <itemizedlist>
                                <listitem>
                                    <para>
                                        login
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        su
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        su-l
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        gdm-fingerprint
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        gdm-password
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        gdm-smartcard
                                    </para>
                                </listitem>
                                <listitem>
                                    <para>
                                        kdm
                                    </para>
                                </listitem>
                            </itemizedlist>
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>ad_gpo_map_remote_interactive (string)</term>
                    <listitem>
                        <para>
                            A comma-separated list of PAM service names for
                            which GPO-based access control is evaluated based on
                            the RemoteInteractiveLogonRight and
                            DenyRemoteInteractiveLogonRight policy settings.
                        </para>
                        <para>
                            Note: In the Group Policy Management Editor these
                            settings are called "Allow log on through Remote Desktop
                            Services" and "Deny log on through Remote Desktop
                            Services".
                        </para>
                        <para>
                            It is possible to add another PAM service name
                            to the default set by using <quote>+service_name</quote>
                            or to explicitly remove a PAM service name from
                            the default set by using <quote>-service_name</quote>.
                            For example, in order to replace a default PAM service
                            name for this logon right (e.g. <quote>sshd</quote>)
                            with a custom PAM service name (e.g. <quote>my_pam_service</quote>),
                            you would use the following configuration:
                            <programlisting>
ad_gpo_map_remote_interactive = +my_pam_service, -sshd
                            </programlisting>
                        </para>
                        <para>
                            Default: the default set of PAM service names includes:
                            <itemizedlist>
                                <listitem>
                                    <para>
                                        sshd
                                    </para>
                                </listitem>
                            </itemizedlist>
                        </para>
                    </listitem>
                </varlistentry>

        <varlistentry>
          <term>ad_gpo_map_network (string)</term>
          <listitem>
            <para>
              A comma-separated list of PAM service names for
              which GPO-based access control is evaluated based on
              the NetworkLogonRight and DenyNetworkLogonRight
              policy settings.
            </para>
            <para>
              It is possible to add another PAM service name
              to the default set by using <quote>+service_name</quote>
              or to explicitly remove a PAM service name from
              the default set by using <quote>-service_name</quote>.
              For example, in order to replace a default PAM service
              name for this logon right (e.g. <quote>ftp</quote>)
              with a custom PAM service name (e.g. <quote>my_pam_service</quote>),
              you would use the following configuration:
              <programlisting>
ad_gpo_map_network = +my_pam_service, -ftp
              </programlisting>
            </para>
            <para>
              Default: the default set of PAM service names includes:
              <itemizedlist>
                <listitem>
                  <para>
                    ftp
                  </para>
                </listitem>
                <listitem>
                  <para>
                    samba
                  </para>
                </listitem>
              </itemizedlist>
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>ad_gpo_map_batch (string)</term>
          <listitem>
            <para>
              A comma-separated list of PAM service names for
              which GPO-based access control is evaluated based on
              the BatchLogonRight and DenyBatchLogonRight
              policy settings.
            </para>
            <para>
              It is possible to add another PAM service name
              to the default set by using <quote>+service_name</quote>
              or to explicitly remove a PAM service name from
              the default set by using <quote>-service_name</quote>.
              For example, in order to replace a default PAM service
              name for this logon right (e.g. <quote>crond</quote>)
              with a custom PAM service name (e.g. <quote>my_pam_service</quote>),
              you would use the following configuration:
              <programlisting>
ad_gpo_map_batch = +my_pam_service, -crond
              </programlisting>
            </para>
            <para>
              Default: the default set of PAM service names includes:
              <itemizedlist>
                <listitem>
                  <para>
                    crond
                  </para>
                </listitem>
              </itemizedlist>
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>ad_gpo_map_service (string)</term>
          <listitem>
            <para>
              A comma-separated list of PAM service names for
              which GPO-based access control is evaluated based on
              the ServiceLogonRight and DenyServiceLogonRight
              policy settings.
            </para>
            <para>
              It is possible to add a PAM service name to the
              default set by using <quote>+service_name</quote>.
              Since the default set is empty, it is not possible
              to remove a PAM service name from the default set.
              For example, in order to add a custom PAM service
              name (e.g. <quote>my_pam_service</quote>), you
              would use the following configuration:
              <programlisting>
ad_gpo_map_service = +my_pam_service
              </programlisting>
            </para>
            <para>
              Default: not set
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>ad_gpo_map_permit (string)</term>
          <listitem>
            <para>
              A comma-separated list of PAM service names for
              which GPO-based access is always granted, regardless
              of any GPO Logon Rights.
            </para>
            <para>
              It is possible to add another PAM service name
              to the default set by using <quote>+service_name</quote>
              or to explicitly remove a PAM service name from
              the default set by using <quote>-service_name</quote>.
              For example, in order to replace a default PAM service
              name for unconditionally permitted access (e.g. <quote>sudo</quote>)
              with a custom PAM service name (e.g. <quote>my_pam_service</quote>),
              you would use the following configuration:
              <programlisting>
ad_gpo_map_permit = +my_pam_service, -sudo
              </programlisting>
            </para>
            <para>
              Default: the default set of PAM service names includes:
              <itemizedlist>
                <listitem>
                  <para>
                    sudo
                  </para>
                </listitem>
                <listitem>
                  <para>
                    sudo-i
                  </para>
                </listitem>
                <listitem>
                  <para>
                    systemd-user
                  </para>
                </listitem>
              </itemizedlist>
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>ad_gpo_map_deny (string)</term>
          <listitem>
            <para>
              A comma-separated list of PAM service names for
              which GPO-based access is always denied, regardless
              of any GPO Logon Rights.
            </para>
            <para>
              It is possible to add a PAM service name to the
              default set by using <quote>+service_name</quote>.
              Since the default set is empty, it is not possible
              to remove a PAM service name from the default set.
              For example, in order to add a custom PAM service
              name (e.g. <quote>my_pam_service</quote>), you
              would use the following configuration:
              <programlisting>
ad_gpo_map_deny = +my_pam_service
              </programlisting>
            </para>
            <para>
              Default: not set
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>ad_gpo_default_right (string)</term>
          <listitem>
            <para>
              This option defines how access control is evaluated
              for PAM service names that are not explicitly listed
              in one of the ad_gpo_map_* options. It can be set in
              two different ways. First, it can be set to a default
              logon right. For example, if this option is set to
              'interactive', unmapped PAM service names will be
              processed based on the InteractiveLogonRight and
              DenyInteractiveLogonRight policy settings.
              Alternatively, this option can be set to either always
              permit or always deny access for unmapped PAM service
              names.
            </para>
            <para>
              Supported values for this option include:
              <itemizedlist>
                <listitem>
                  <para>
                    interactive
                  </para>
                </listitem>
                <listitem>
                  <para>
                    remote_interactive
                  </para>
                </listitem>
                <listitem>
                  <para>
                    network
                  </para>
                </listitem>
                <listitem>
                  <para>
                    batch
                  </para>
                </listitem>
                <listitem>
                  <para>
                    service
                  </para>
                </listitem>
                <listitem>
                  <para>
                    permit
                  </para>
                </listitem>
                <listitem>
                  <para>
                    deny
                  </para>
                </listitem>
              </itemizedlist>
            </para>
            <para>
              Default: deny
            </para>
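            <para>
              The merging and fallback rules described for the ad_gpo_map_*
              options and ad_gpo_default_right, worked through in Python as
              an added example (this is not SSSD code): a constructed
              sssd.conf fragment moves sshd out of the remote-interactive
              map, and the resolver reports which logon-right pair, or
              permit/deny, applies to a given PAM service name. The
              abbreviated interactive default set, the rejection of entries
              without a leading + or -, and treating a service listed in
              several maps as a conflict are this example's assumptions.
            </para>
            <para>
```python
"""Resolve which GPO logon right the AD provider evaluates for a PAM service.

Added illustration of the ad_gpo_map_* and ad_gpo_default_right rules
documented in sssd-ad(5); this is not SSSD's own code.
"""
import configparser

# Default PAM service sets as documented for each ad_gpo_map_* option.
# The interactive set is abbreviated here (assumption); extend it from the
# ad_gpo_map_interactive entry of the manual page.
DEFAULT_MAPS = {
    "interactive": {"login", "su", "su-l", "kdm"},
    "remote_interactive": {"sshd"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
    "permit": {"sudo", "sudo-i", "systemd-user"},
    "deny": set(),
}

# Allow/deny policy setting pair evaluated for each logon-right mapping.
LOGON_RIGHTS = {
    "interactive": ("InteractiveLogonRight", "DenyInteractiveLogonRight"),
    "remote_interactive": ("RemoteInteractiveLogonRight",
                           "DenyRemoteInteractiveLogonRight"),
    "network": ("NetworkLogonRight", "DenyNetworkLogonRight"),
    "batch": ("BatchLogonRight", "DenyBatchLogonRight"),
    "service": ("ServiceLogonRight", "DenyServiceLogonRight"),
}

SUPPORTED_DEFAULT_RIGHTS = set(LOGON_RIGHTS) | {"permit", "deny"}


def apply_map_option(defaults, value):
    """Apply a comma-separated '+name, -name' value to a default set.

    '+name' adds a service, '-name' removes one; removing a name that is
    not present (e.g. from the empty service/deny defaults) is a no-op.
    Rejecting entries without a leading sign is this example's choice.
    """
    result = set(defaults)
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("+"):
            result.add(item[1:].strip())
        elif item.startswith("-"):
            result.discard(item[1:].strip())
        else:
            raise ValueError(f"ad_gpo_map_* entry {item!r} must start with + or -")
    return result


def build_maps(domain):
    """Compute the effective service set of every ad_gpo_map_* option."""
    return {
        name: apply_map_option(defaults, domain.get(f"ad_gpo_map_{name}", ""))
        for name, defaults in DEFAULT_MAPS.items()
    }


def resolve(domain, pam_service):
    """Return 'permit', 'deny', or the (allow, deny) policy pair to evaluate.

    The manual defines no precedence between maps, so a service listed in
    more than one map is reported as a configuration conflict (assumption).
    Unmapped services fall back to ad_gpo_default_right (default: deny).
    """
    maps = build_maps(domain)
    hits = [name for name, services in maps.items() if pam_service in services]
    if len(hits) > 1:
        raise ValueError(f"{pam_service!r} is mapped by several options: {hits}")
    right = hits[0] if hits else domain.get("ad_gpo_default_right", "deny")
    if right not in SUPPORTED_DEFAULT_RIGHTS:
        raise ValueError(f"unsupported ad_gpo_default_right value {right!r}")
    if right in ("permit", "deny"):
        return right
    return LOGON_RIGHTS[right]


# Constructed sssd.conf fragment: sshd is replaced by a custom service name
# in the remote-interactive map and httpd is mapped to the service right.
SAMPLE_CONF = """
[domain/EXAMPLE]
access_provider = ad
ad_gpo_map_remote_interactive = +my_pam_service, -sshd
ad_gpo_map_service = +httpd
"""


def load_domain(text):
    """Parse an sssd.conf fragment and return its single [domain/...] section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    (section,) = [s for s in parser.sections() if s.startswith("domain/")]
    return parser[section]


if __name__ == "__main__":
    domain = load_domain(SAMPLE_CONF)
    for service in ("my_pam_service", "sshd", "httpd", "crond", "sudo"):
        print(f"{service:15} -> {resolve(domain, service)}")
```
            </para>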
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_update (boolean)</term>
          <listitem>
            <para>
              Optional. This option tells SSSD to automatically
              update the Active Directory DNS server with
              the IP address of this client. The update is
              secured using GSS-TSIG. As a consequence, the
              Active Directory administrator only needs to
              allow secure updates for the DNS zone. The IP
              address of the AD LDAP connection is used for
              the updates, if it is not otherwise specified
              by using the <quote>dyndns_iface</quote> option.
            </para>
            <para>
              NOTE: On older systems (such as RHEL 5), for this
              behavior to work reliably, the default Kerberos
              realm must be set properly in /etc/krb5.conf.
            </para>
            <para>
              Default: true
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_ttl (integer)</term>
          <listitem>
            <para>
              The TTL to apply to the client DNS record when updating it.
              If dyndns_update is false this has no effect. This will
              override the TTL set server-side by an administrator.
            </para>
            <para>
              Default: 3600 (seconds)
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_iface (string)</term>
          <listitem>
            <para>
              Optional. Applicable only when dyndns_update
              is true. Choose the interface whose IP address
              should be used for dynamic DNS updates.
            </para>
            <para>
              NOTE: This option currently supports only one interface.
            </para>
            <para>
              Default: Use the IP address of the AD LDAP connection
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_refresh_interval (integer)</term>
          <listitem>
            <para>
              How often the back end should perform a periodic DNS update,
              in addition to the automatic update performed when the back
              end goes online. This option is optional and applicable only
              when dyndns_update is true.
            </para>
            <para>
              Default: 86400 (24 hours)
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_update_ptr (boolean)</term>
          <listitem>
            <para>
              Whether the PTR record should also be explicitly
              updated when updating the client's DNS records.
              Applicable only when dyndns_update is true.
            </para>
            <para>
              Default: true
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>dyndns_force_tcp (boolean)</term>
          <listitem>
            <para>
              Whether the nsupdate utility should default to using
              TCP for communicating with the DNS server.
            </para>
            <para>
              Default: false (let nsupdate choose the protocol)
            </para>
          </listitem>
        </varlistentry>

        <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
        <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />

        <varlistentry>
          <term>krb5_use_enterprise_principal (boolean)</term>
          <listitem>
            <para>
              Specifies if the user principal should be treated
              as an enterprise principal. See section 5 of RFC 6806
              for more details about enterprise principals.
            </para>

            <para>
              Default: true
            </para>
            <para>
              Note that this default differs from the
              traditional Kerberos provider back end.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>krb5_confd_path (string)</term>
          <listitem>
            <para>
              Absolute path of a directory where SSSD should place
              Kerberos configuration snippets.
            </para>
            <para>
              To disable the creation of the configuration
              snippets, set the parameter to 'none'.
            </para>
            <para>
              Default: not set (krb5.include.d subdirectory of
              SSSD's pubconf directory)
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </para>
  </refsect1>

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />

  <refsect1 id='example'>
    <title>EXAMPLE</title>
    <para>
      The following example assumes that SSSD is correctly
      configured and example.com is one of the domains in the
      <replaceable>[sssd]</replaceable> section. This example shows only
      the AD provider-specific options.
    </para>
    <para>
<programlisting>
[domain/EXAMPLE]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_server = dc1.example.com
ad_hostname = client.example.com
ad_domain = example.com
</programlisting>
    </para>
  </refsect1>

  <refsect1 id='notes'>
    <title>NOTES</title>
    <para>
      The AD access control provider checks if the account is expired.
      It has the same effect as the following configuration of the LDAP
      provider:
<programlisting>
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
</programlisting>
    </para>
    <para>
      However, unless the <quote>ad</quote> access control provider
      is explicitly configured, the default access provider is
      <quote>permit</quote>. Please note that if you configure an
      access provider other than <quote>ad</quote>, you need to set
      all the connection parameters (such as LDAP URIs and encryption
      details) manually.
    </para>
  </refsect1>

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />

</refentry>
</reference>
