sssd-ad.5.xml revision b49c6abe12721ee8442be1c1bd6c15443b518ca2
7e68fce3cbd2246164e045a51ecd77f9f26680ednd<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
7e68fce3cbd2246164e045a51ecd77f9f26680ednd<reference>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refmeta>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refnamediv>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This manual page describes the configuration of the AD provider
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <citerefentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </citerefentry>.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <citerefentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </citerefentry> manual page.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The AD provider is a back end used to connect to an Active
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Directory server. This provider requires that the machine be
7e68fce3cbd2246164e045a51ecd77f9f26680ednd joined to the AD domain and a keytab is available.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The AD provider supports connecting to Active Directory 2008 R2
7e68fce3cbd2246164e045a51ecd77f9f26680ednd or later. Earlier versions may work, but are unsupported.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The AD provider is able to provide identity information and
7e68fce3cbd2246164e045a51ecd77f9f26680ednd authentication for entities from trusted domains as well. Currently
7e68fce3cbd2246164e045a51ecd77f9f26680ednd only trusted domains in the same forest are recognized.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The AD provider accepts the same options used by the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <citerefentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </citerefentry> identity provider and the
01c674544bd4c211141bcd9fb09b96ffc18c6c3dnd <citerefentry>
01c674544bd4c211141bcd9fb09b96ffc18c6c3dnd </citerefentry> authentication provider with some exceptions described
3726777f47ac4bba3e21b075905959bbea47e72eerikabele However, it is neither necessary nor recommended to set these
7e68fce3cbd2246164e045a51ecd77f9f26680ednd options. The AD provider can also be used as an access, chpass and
7e68fce3cbd2246164e045a51ecd77f9f26680ednd sudo provider. No configuration of the access provider is required
7e68fce3cbd2246164e045a51ecd77f9f26680ednd on the client side.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd By default, the AD provider will map UID and GID values from the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd objectSID parameter in Active Directory. For details on this, see
e5343521634b71f10f0e88374d88bd5a45f75f68nd the <quote>ID MAPPING</quote> section below. If you want to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd disable ID mapping and instead rely on POSIX attributes defined in
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Active Directory, you should set
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
3726777f47ac4bba3e21b075905959bbea47e72eerikabeleldap_id_mapping = False
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd In order to retrieve users and groups using POSIX attributes from trusted
7e68fce3cbd2246164e045a51ecd77f9f26680ednd domains, the AD administrator must make sure that the POSIX attributes
bdbf46e4950b6f633073f803486962e82c2f086and are replicated to the Global Catalog.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Users, groups and other entities served by SSSD are always treated as
7e68fce3cbd2246164e045a51ecd77f9f26680ednd case-insensitive in the AD provider for compatibility with Active
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Directory's LDAP implementation.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refsect1>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <citerefentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </citerefentry> manual page for details on the configuration of an SSSD domain.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <variablelist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Specifies the name of the Active Directory domain.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This is optional. If not provided, the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd configuration domain name is used.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For proper operation, this option should be
7e68fce3cbd2246164e045a51ecd77f9f26680ednd specified as the lower-case version of the long
7e68fce3cbd2246164e045a51ecd77f9f26680ednd version of the Active Directory domain.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The short domain name (also known as the NetBIOS
bdbf46e4950b6f633073f803486962e82c2f086and or the flat name) is autodetected by the SSSD.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The comma-separated list of
7e68fce3cbd2246164e045a51ecd77f9f26680ednd hostnames of the AD servers to which SSSD should
7e68fce3cbd2246164e045a51ecd77f9f26680ednd connect in order of preference. For more
7e68fce3cbd2246164e045a51ecd77f9f26680ednd information on failover and server redundancy, see
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This is optional if autodiscovery is enabled.
e5343521634b71f10f0e88374d88bd5a45f75f68nd For more information on service discovery, refer
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Optional. May be set on machines where the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd hostname(5) does not reflect the fully qualified
7e68fce3cbd2246164e045a51ecd77f9f26680ednd name used in the Active Directory domain to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd identify this host.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This field is used to determine the host principal
7e68fce3cbd2246164e045a51ecd77f9f26680ednd in use in the keytab. It must match the hostname
7e68fce3cbd2246164e045a51ecd77f9f26680ednd for which the keytab was issued.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Enables DNS sites - location based
3726777f47ac4bba3e21b075905959bbea47e72eerikabele service discovery.
3726777f47ac4bba3e21b075905959bbea47e72eerikabele If true and service discovery (see Service
3726777f47ac4bba3e21b075905959bbea47e72eerikabele Discovery paragraph at the bottom of the man page)
3726777f47ac4bba3e21b075905959bbea47e72eerikabele is enabled, the SSSD will first attempt to discover
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the Active Directory server to connect to using the
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd Active Directory Site Discovery and fall back to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the DNS SRV records if no AD site is found. The
7e68fce3cbd2246164e045a51ecd77f9f26680ednd DNS SRV configuration, including the discovery
7e68fce3cbd2246164e045a51ecd77f9f26680ednd domain, is used during site discovery as well.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: true
e5343521634b71f10f0e88374d88bd5a45f75f68nd </listitem>
e5343521634b71f10f0e88374d88bd5a45f75f68nd </varlistentry>
e5343521634b71f10f0e88374d88bd5a45f75f68nd <varlistentry>
e5343521634b71f10f0e88374d88bd5a45f75f68nd <listitem>
e5343521634b71f10f0e88374d88bd5a45f75f68nd This option specifies LDAP access control
7e68fce3cbd2246164e045a51ecd77f9f26680ednd filter that the user must match in order
bdbf46e4950b6f633073f803486962e82c2f086and to be allowed access. Please note that the
bdbf46e4950b6f633073f803486962e82c2f086and for this option to have an effect.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The option also supports specifying different
7e68fce3cbd2246164e045a51ecd77f9f26680ednd filters per domain or forest. This
d177004a74b061338daf7f2603197d673ed76d36kess extended filter would consist of:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the domain or subdomain the filter applies to.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd then the filter equals to all domains from the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Multiple filters can be separated with the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd search bases work.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The most specific match is always used. For
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd example, if the option specified filter
7e68fce3cbd2246164e045a51ecd77f9f26680ednd for a domain the user is a member of and a
3726777f47ac4bba3e21b075905959bbea47e72eerikabele global filter, the per-domain filter would
7e68fce3cbd2246164e045a51ecd77f9f26680ednd be applied. If there are more matches with
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd the same specification, the first one is used.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
480bee29abcc415b6b8c18d2ecbf2c5f88f1f05bnd# apply filter on domain called dom1 only:
7e68fce3cbd2246164e045a51ecd77f9f26680ednddom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd# apply filter on domain called dom2 only:
7e68fce3cbd2246164e045a51ecd77f9f26680edndDOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd# apply filter on forest called EXAMPLE.COM only:
7e68fce3cbd2246164e045a51ecd77f9f26680edndFOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: Not set
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd By default, the SSSD connects to the Global
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Catalog first to retrieve users from trusted
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd domains and uses the LDAP port to retrieve
7e68fce3cbd2246164e045a51ecd77f9f26680ednd group memberships or as a fallback. Disabling
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd this option makes the SSSD only connect to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the LDAP port of the current AD server.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Please note that disabling Global Catalog support
7e68fce3cbd2246164e045a51ecd77f9f26680ednd does not disable retrieving users from trusted
7e68fce3cbd2246164e045a51ecd77f9f26680ednd domains. The SSSD would connect to the LDAP port
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd of trusted domains instead. However, Global
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Catalog must be used in order to resolve
3726777f47ac4bba3e21b075905959bbea47e72eerikabele cross-domain group memberships.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: true
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This option specifies the operation mode for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd GPO-based access control functionality:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd whether it operates in disabled mode, enforcing
3726777f47ac4bba3e21b075905959bbea47e72eerikabele mode, or permissive mode. Please note that the
3726777f47ac4bba3e21b075905959bbea47e72eerikabele this option to have an effect.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd GPO-based access control functionality uses GPO
7e68fce3cbd2246164e045a51ecd77f9f26680ednd policy settings to determine whether or not a
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd particular user is allowed to logon to a particular
7e68fce3cbd2246164e045a51ecd77f9f26680ednd NOTE: If the operation mode is set to enforcing, it
7e68fce3cbd2246164e045a51ecd77f9f26680ednd is possible that users that were previously allowed
7e68fce3cbd2246164e045a51ecd77f9f26680ednd logon access will now be denied logon access (as
7e68fce3cbd2246164e045a51ecd77f9f26680ednd dictated by the GPO policy settings). In order to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd facilitate a smooth transition for administrators,
7e68fce3cbd2246164e045a51ecd77f9f26680ednd a permissive mode is available that will not enforce
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the access control rules, but will evaluate them and
7e68fce3cbd2246164e045a51ecd77f9f26680ednd will output a syslog message if access would have
7e68fce3cbd2246164e045a51ecd77f9f26680ednd been denied. By examining the logs, administrators
7e68fce3cbd2246164e045a51ecd77f9f26680ednd can then make the necessary changes before setting
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd the mode to enforcing.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd There are three supported values for this option:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd disabled: GPO-based access control rules
8cfbcde8e416fd60132dd4324c42a5098da156cfnd are neither evaluated nor enforced.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd enforcing: GPO-based access control
7e68fce3cbd2246164e045a51ecd77f9f26680ednd rules are evaluated and enforced.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd permissive: GPO-based access control
7e68fce3cbd2246164e045a51ecd77f9f26680ednd rules are evaluated, but not enforced.
3726777f47ac4bba3e21b075905959bbea47e72eerikabele Instead, a syslog message will be
7e68fce3cbd2246164e045a51ecd77f9f26680ednd emitted indicating that the user would
3726777f47ac4bba3e21b075905959bbea47e72eerikabele have been denied access if this option's
7e68fce3cbd2246164e045a51ecd77f9f26680ednd value were set to enforcing.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </itemizedlist>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd Default: permissive
8cfbcde8e416fd60132dd4324c42a5098da156cfnd </listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd </varlistentry>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <varlistentry>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd The amount of time between lookups of GPO policy
8cfbcde8e416fd60132dd4324c42a5098da156cfnd files against the AD server. This will reduce the
8cfbcde8e416fd60132dd4324c42a5098da156cfnd latency and load on the AD server if there are
8cfbcde8e416fd60132dd4324c42a5098da156cfnd many access-control requests made in a short
8cfbcde8e416fd60132dd4324c42a5098da156cfnd Default: 5 (seconds)
8cfbcde8e416fd60132dd4324c42a5098da156cfnd </listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd </varlistentry>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <varlistentry>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <listitem>
99e4eb246ec234156eb878835d4e1b4e2f48c499nd A comma-separated list of PAM service names for
99e4eb246ec234156eb878835d4e1b4e2f48c499nd which GPO-based access control is evaluated based on
99e4eb246ec234156eb878835d4e1b4e2f48c499nd the InteractiveLogonRight and
99e4eb246ec234156eb878835d4e1b4e2f48c499nd DenyInteractiveLogonRight policy settings.
c804424d87da28b21a0eece7e377a4075c7784ednd Note: Using the Group Policy Management Editor this
c804424d87da28b21a0eece7e377a4075c7784ednd value InteractiveLogonRight is called "Allow log on
c804424d87da28b21a0eece7e377a4075c7784ednd locally" and "Deny log on locally".
c804424d87da28b21a0eece7e377a4075c7784ednd It is possible to add another PAM service name
c804424d87da28b21a0eece7e377a4075c7784ednd or to explicitly remove a PAM service name from
c804424d87da28b21a0eece7e377a4075c7784ednd For example, in order to replace a default PAM service
8cfbcde8e416fd60132dd4324c42a5098da156cfnd with a custom pam service name (e.g. <quote>my_pam_service</quote>),
8cfbcde8e416fd60132dd4324c42a5098da156cfnd you would use the following configuration:
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <programlisting>
8cfbcde8e416fd60132dd4324c42a5098da156cfndad_gpo_map_interactive = +my_pam_service, -login
99e4eb246ec234156eb878835d4e1b4e2f48c499nd </programlisting>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd Default: the default set of PAM service names includes:
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <itemizedlist>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd </listitem>
8cfbcde8e416fd60132dd4324c42a5098da156cfnd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd gdm-fingerprint
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd gdm-password
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
d177004a74b061338daf7f2603197d673ed76d36kess gdm-smartcard
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd A comma-separated list of PAM service names for
65241490e40aa0c831988073eed0633dad10c6f2nd which GPO-based access control is evaluated based on
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the RemoteInteractiveLogonRight and
65241490e40aa0c831988073eed0633dad10c6f2nd DenyRemoteInteractiveLogonRight policy settings.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Note: Using the Group Policy Management Editor this
7e68fce3cbd2246164e045a51ecd77f9f26680ednd value is called "Allow log on through Remote Desktop
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Services" and "Deny log on through Remote Desktop
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd Services".
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add another PAM service name
65241490e40aa0c831988073eed0633dad10c6f2nd or to explicitly remove a PAM service name from
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to replace a default PAM service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd with a custom pam service name (e.g. <quote>my_pam_service</quote>),
7e68fce3cbd2246164e045a51ecd77f9f26680ednd you would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_remote_interactive = +my_pam_service, -sshd
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: the default set of PAM service names includes:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd A comma-separated list of PAM service names for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd which GPO-based access control is evaluated based on
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the NetworkLogonRight and DenyNetworkLogonRight
7e68fce3cbd2246164e045a51ecd77f9f26680ednd policy settings.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add another PAM service name
7e68fce3cbd2246164e045a51ecd77f9f26680ednd or to explicitly remove a PAM service name from
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to replace a default PAM service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd with a custom pam service name (e.g. <quote>my_pam_service</quote>),
7e68fce3cbd2246164e045a51ecd77f9f26680ednd you would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_network = +my_pam_service, -ftp
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: the default set of PAM service names includes:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd A comma-separated list of PAM service names for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd which GPO-based access control is evaluated based on
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the BatchLogonRight and DenyBatchLogonRight
7e68fce3cbd2246164e045a51ecd77f9f26680ednd policy settings.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add another PAM service name
7e68fce3cbd2246164e045a51ecd77f9f26680ednd or to explicitly remove a PAM service name from
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to replace a default PAM service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd with a custom pam service name (e.g. <quote>my_pam_service</quote>),
7e68fce3cbd2246164e045a51ecd77f9f26680ednd you would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_batch = +my_pam_service, -crond
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
65241490e40aa0c831988073eed0633dad10c6f2nd Default: the default set of PAM service names includes:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </varlistentry>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele A comma-separated list of PAM service names for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd which GPO-based access control is evaluated based on
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd the ServiceLogonRight and DenyServiceLogonRight
7e68fce3cbd2246164e045a51ecd77f9f26680ednd policy settings.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add a PAM service name to the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Since the default set is empty, it is not possible
7e68fce3cbd2246164e045a51ecd77f9f26680ednd to remove a PAM service name from the default set.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to add a custom pam service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_service = +my_pam_service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: not set
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd A comma-separated list of PAM service names for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd which GPO-based access is always granted, regardless
7e68fce3cbd2246164e045a51ecd77f9f26680ednd of any GPO Logon Rights.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add another PAM service name
7e68fce3cbd2246164e045a51ecd77f9f26680ednd or to explicitly remove a PAM service name from
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to replace a default PAM service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd name for unconditionally permitted access (e.g. <quote>sudo</quote>)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd with a custom pam service name (e.g. <quote>my_pam_service</quote>),
7e68fce3cbd2246164e045a51ecd77f9f26680ednd you would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_permit = +my_pam_service, -sudo
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: the default set of PAM service names includes:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
d3cd98e7839dd1c737c18d42a916ed20860a50e1nd <listitem>
b09970a14a3280b9e4e449dea6e53968fc206731nd </listitem>
b09970a14a3280b9e4e449dea6e53968fc206731nd <listitem>
b09970a14a3280b9e4e449dea6e53968fc206731nd systemd-user
b09970a14a3280b9e4e449dea6e53968fc206731nd </listitem>
b09970a14a3280b9e4e449dea6e53968fc206731nd </itemizedlist>
b09970a14a3280b9e4e449dea6e53968fc206731nd </listitem>
b09970a14a3280b9e4e449dea6e53968fc206731nd </varlistentry>
b09970a14a3280b9e4e449dea6e53968fc206731nd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd A comma-separated list of PAM service names for
3726777f47ac4bba3e21b075905959bbea47e72eerikabele which GPO-based access is always denied, regardless
7e68fce3cbd2246164e045a51ecd77f9f26680ednd of any GPO Logon Rights.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It is possible to add a PAM service name to the
3726777f47ac4bba3e21b075905959bbea47e72eerikabele Since the default set is empty, it is not possible
3726777f47ac4bba3e21b075905959bbea47e72eerikabele to remove a PAM service name from the default set.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd For example, in order to add a custom pam service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd would use the following configuration:
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndad_gpo_map_deny = +my_pam_service
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: not set
480bee29abcc415b6b8c18d2ecbf2c5f88f1f05bnd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This option defines how access control is evaluated
7e68fce3cbd2246164e045a51ecd77f9f26680ednd for PAM service names that are not explicitly listed
7e68fce3cbd2246164e045a51ecd77f9f26680ednd in one of the ad_gpo_map_* options. This option can be
7e68fce3cbd2246164e045a51ecd77f9f26680ednd set in two different manners. First, this option can
3726777f47ac4bba3e21b075905959bbea47e72eerikabele be set to use a default logon right. For example, if
3726777f47ac4bba3e21b075905959bbea47e72eerikabele this option is set to 'interactive', it means that
7e68fce3cbd2246164e045a51ecd77f9f26680ednd unmapped PAM service names will be processed based on
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the InteractiveLogonRight and DenyInteractiveLogonRight
7e68fce3cbd2246164e045a51ecd77f9f26680ednd policy settings. Alternatively, this option can be set
7e68fce3cbd2246164e045a51ecd77f9f26680ednd to either always permit or always deny access for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd unmapped PAM service names.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Supported values for this option include:
3726777f47ac4bba3e21b075905959bbea47e72eerikabele <itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd interactive
7e68fce3cbd2246164e045a51ecd77f9f26680ednd remote_interactive
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </itemizedlist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: deny
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Optional. This option tells SSSD to automatically
3726777f47ac4bba3e21b075905959bbea47e72eerikabele update the Active Directory DNS server with
3726777f47ac4bba3e21b075905959bbea47e72eerikabele the IP address of this client. The update is
3726777f47ac4bba3e21b075905959bbea47e72eerikabele secured using GSS-TSIG. As a consequence, the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Active Directory administrator only needs to
7e68fce3cbd2246164e045a51ecd77f9f26680ednd allow secure updates for the DNS zone. The IP
7e68fce3cbd2246164e045a51ecd77f9f26680ednd address of the AD LDAP connection is used for
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the updates, if it is not otherwise specified
7e68fce3cbd2246164e045a51ecd77f9f26680ednd NOTE: On older systems (such as RHEL 5), for this
7e68fce3cbd2246164e045a51ecd77f9f26680ednd behavior to work reliably, the default Kerberos
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: true
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The TTL to apply to the client DNS record when updating it.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd If dyndns_update is false this has no effect. This will
7e68fce3cbd2246164e045a51ecd77f9f26680ednd override the TTL serverside if set by an administrator.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: 3600 (seconds)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Optional. Applicable only when dyndns_update
7e68fce3cbd2246164e045a51ecd77f9f26680ednd is true. Choose the interface whose IP address
3726777f47ac4bba3e21b075905959bbea47e72eerikabele should be used for dynamic DNS updates.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: Use the IP address of the AD LDAP connection
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd How often should the back end perform periodic DNS update in
7e68fce3cbd2246164e045a51ecd77f9f26680ednd addition to the automatic update performed when the back end
7e68fce3cbd2246164e045a51ecd77f9f26680ednd goes online.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd This option is optional and applicable only when dyndns_update
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: 86400 (24 hours)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Whether the PTR record should also be explicitly
7e68fce3cbd2246164e045a51ecd77f9f26680ednd updated when updating the client's DNS records.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Applicable only when dyndns_update is true.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: True
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Whether the nsupdate utility should default to using
7e68fce3cbd2246164e045a51ecd77f9f26680ednd TCP for communicating with the DNS server.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: False (let nsupdate choose the protocol)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
480bee29abcc415b6b8c18d2ecbf2c5f88f1f05bnd </varlistentry>
3726777f47ac4bba3e21b075905959bbea47e72eerikabele <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Specifies if the user principal should be treated
7e68fce3cbd2246164e045a51ecd77f9f26680ednd as enterprise principal. See section 5 of RFC 6806
7e68fce3cbd2246164e045a51ecd77f9f26680ednd for more details about enterprise principals.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: true
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Note that this default differs from the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd traditional Kerberos provider back end.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Absolute path of a directory where SSSD should place
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Kerberos configuration snippets.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd To disable the creation of the configuration
7e68fce3cbd2246164e045a51ecd77f9f26680ednd snippets set the parameter to 'none'.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd Default: not set (krb5.include.d subdirectory of
7e68fce3cbd2246164e045a51ecd77f9f26680ednd SSSD's pubconf directory)
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </listitem>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </varlistentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </variablelist>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refsect1>
480bee29abcc415b6b8c18d2ecbf2c5f88f1f05bnd <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
3726777f47ac4bba3e21b075905959bbea47e72eerikabele <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd The following example assumes that SSSD is correctly
7e68fce3cbd2246164e045a51ecd77f9f26680ednd configured and example.com is one of the domains in the
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <replaceable>[sssd]</replaceable> section. This example shows only
7e68fce3cbd2246164e045a51ecd77f9f26680ednd the AD provider-specific options.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd<programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680edndid_provider = ad
7e68fce3cbd2246164e045a51ecd77f9f26680edndauth_provider = ad
7e68fce3cbd2246164e045a51ecd77f9f26680edndaccess_provider = ad
7e68fce3cbd2246164e045a51ecd77f9f26680edndchpass_provider = ad
7e68fce3cbd2246164e045a51ecd77f9f26680ednd</programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refsect1>
bdbf46e4950b6f633073f803486962e82c2f086and The AD access control provider checks if the account is expired.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd It has the same effect as the following configuration of the LDAP
bdbf46e4950b6f633073f803486962e82c2f086and<programlisting>
bdbf46e4950b6f633073f803486962e82c2f086andaccess_provider = ldap
4e5d76cd516a36223b6e73a8000c879a5675e436ndldap_access_order = expire
7e68fce3cbd2246164e045a51ecd77f9f26680edndldap_account_expire_policy = ad
7e68fce3cbd2246164e045a51ecd77f9f26680ednd</programlisting>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd However, unless the <quote>ad</quote> access control provider
7e68fce3cbd2246164e045a51ecd77f9f26680ednd is explicitly configured, the default access provider is
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <quote>permit</quote>. Please note that if you configure an
7e68fce3cbd2246164e045a51ecd77f9f26680ednd access provider other than <quote>ad</quote>, you need to set
7e68fce3cbd2246164e045a51ecd77f9f26680ednd all the connection parameters (such as LDAP URIs and encryption
7e68fce3cbd2246164e045a51ecd77f9f26680ednd details) manually.
7e68fce3cbd2246164e045a51ecd77f9f26680ednd </refsect1>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
7e68fce3cbd2246164e045a51ecd77f9f26680ednd</refentry>
7e68fce3cbd2246164e045a51ecd77f9f26680ednd</reference>