Configure SSSD to respect Active Directory SSH or Console/GUI GPOs

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Microsoft Windows 2012 Active Directory
    Disclaimer: While Red Hat may sometimes provide steps for third party applications, we do not provide direct troubleshooting to those applications.

Issue

  • How do I configure a GPO in AD for SSH access to RHEL?
  • Is it possible for SSSD to respect Active Directory SSH or Console GPOs?
  • SSSD is not disallowing user logins to Gnome, KDE or SSH per AD GPOs.

Resolution

  • NOTE: SMB1 must be enabled in Active Directory for RHEL6 SSSD GPO processing
  1. Configure RHEL for Active Directory credential authentication through SSSD, based on one of the following articles:

  2. On the RHEL 6/7 system, add the following lines to the domain's [domain/<name>] section of the /etc/sssd/sssd.conf configuration file:

    access_provider = ad
    ad_gpo_access_control = enforcing
    

    In RHEL 8, the default value for ad_gpo_access_control is already enforcing.

  3. Restart SSSD:

    # service sssd restart
    
  4. Within Active Directory Users and Computers, create an OU that the new GPO will be applied to (ExampleOU).

     - Right Click on the Domain -> New -> Organizational Unit
    
  5. Move the Computer Object that was created when the RHEL machine joined Active Directory into the new OU.

  6. Within the Group Policy Management Editor, create a new GPO for the OU you created.

     - Expand Forest, Domains, YourDomain -> Right Click on the new OU -> Create a GPO in this domain, and Link it here...
    
  7. Choose a name for the new GPO, such as "Allow SSH" or "Allow Console/GUI" and click OK.

  8. Select the OU within the Group Policy Management editor, then right-click the newly created GPO and choose Edit.

  9. Browse to User Rights Assignment.

     - Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    
  10. Double-click either "Allow log on locally" for Console/GUI (local access) or "Allow log on through Remote Desktop Services" (SSH access).

  11. Add the user(s) who should be granted access to the corresponding policy:

     - Click "Add User or Group".
     - Type the username within the blank field.
     - Click OK.
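The following script is an added example and is not part of this Red Hat solution. It audits an sssd.conf for the two settings required in step 2 (access_provider = ad and ad_gpo_access_control = enforcing) in every [domain/...] section, so that a domain left in permissive or disabled mode, or still using a non-AD access provider, is caught before relying on the GPO. The function name sssd_gpo_check and the sample configuration are constructed for this example; an unset ad_gpo_access_control is reported as WARN rather than FAIL because it defaults to enforcing on RHEL 8 but must be set explicitly on RHEL 6/7.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: audit an sssd.conf for
# access_provider = ad and ad_gpo_access_control = enforcing in every
# [domain/...] section.
# Prints "<domain> access_provider=<v> ad_gpo_access_control=<v> <OK|WARN|FAIL>"
# per domain and returns 1 if any domain is FAIL.
#   OK   : access_provider is ad and GPO access control is explicitly enforcing
#   WARN : access_provider is ad but ad_gpo_access_control is unset
#          (enforcing by default on RHEL 8; RHEL 6/7 need it set explicitly)
#   FAIL : access_provider is not ad, or GPO control is permissive/disabled

sssd_gpo_check() {
    awk '
        # Report one domain once its whole section has been read
        function report() {
            status = "OK"
            if (ap != "ad") status = "FAIL"
            else if (gpo == "") status = "WARN"
            else if (gpo != "enforcing") status = "FAIL"
            if (status == "FAIL") fails++
            printf "%s access_provider=%s ad_gpo_access_control=%s %s\n", dom, (ap == "" ? "unset" : ap), (gpo == "" ? "unset" : gpo), status
        }
        { sub(/[[:space:]]+$/, "") }            # drop trailing whitespace
        /^\[domain\// {                         # start of a [domain/<name>] section
            if (dom != "") report()
            dom = substr($0, 9, length($0) - 9)
            ap = ""; gpo = ""
            next
        }
        /^\[/ { if (dom != "") report(); dom = ""; next }   # any other section
        dom != "" && /^[[:space:]]*access_provider[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); ap = $0
        }
        dom != "" && /^[[:space:]]*ad_gpo_access_control[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gpo = $0
        }
        END { if (dom != "") report(); exit (fails ? 1 : 0) }
    ' "$1"
}

# Constructed sample sssd.conf (not taken from any real system): one compliant
# domain, one domain left in permissive mode and one not using the AD provider.
sssd_gpo_sample_conf() {
    cat <<'EOF'
[sssd]
domains = example.com, lab.example.com, legacy.example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing

[domain/lab.example.com]
id_provider = ad
access_provider = ad
# permissive evaluates and logs the GPO result but does not enforce it
ad_gpo_access_control = permissive

[domain/legacy.example.com]
id_provider = ldap
access_provider = ldap
EOF
}

# Demo run on the constructed sample; on a real host run:
#   sssd_gpo_check /etc/sssd/sssd.conf
tmp=$(mktemp)
sssd_gpo_sample_conf > "$tmp"
sssd_gpo_check "$tmp" || echo "at least one domain is not enforcing AD GPO access control"
rm -f "$tmp"
```

The rights chosen in step 10 are evaluated by SSSD per PAM service: "Allow log on locally" is applied to the services listed in the sssd-ad option ad_gpo_map_interactive (console and display-manager logins such as login and gdm-password by default), and "Allow log on through Remote Desktop Services" to those in ad_gpo_map_remote_interactive (sshd by default). Those lists can be checked in the same [domain/...] section if a login path is unexpectedly allowed or denied.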

Root Cause

  • Access to a RHEL machine that was joined to Active Directory needs to be limited to specific AD users.

Diagnostic Steps

  • Changes within AD to the created GPO will take place immediately and do not require RHEL to "cache" the rules. SSSD on the RHEL machine will query for GPOs during each user authentication attempt.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.