From Fedora Project Wiki
(Initial version)
 
No edit summary
Line 24: Line 24:
== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
SSSD will add support for Group Policy Object (GPO) retrieval and processing, in order to provide centrally managed host-based access control in an Active Directory (AD) environment.
This change will enhance SSSD, by adding support for centrally managed host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).


== Owner ==
== Owner ==
Line 58: Line 58:
== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
A common use case for managing computer-based access control in an AD environment is through the use of two specific GPO policy settings ("Allow Log On Locally", "Deny Log On Locally"), which essentially serve as a whitelist and blacklist of domain users/groups that are consulted to determine whether logon access to a particular domain computer should be granted. When dealing with GPOs, there is typically a management piece (used to *specify* the policy settings) and a client-side processing piece (used to *retrieve* and *enforce* the policy settings). Since the two policy settings of interest already exist in AD, administrators can continue to use existing mechanisms to specify the whitelist and blacklist (e.g. Group Policy Management Editor GUI). As such, this change is related only to the retrieval and enforcement of policy settings. This change only affects SSSD's AD provider. It has no effect on any other SSSD providers (e.g. IPA provider).The upstream design page that includes deeper technical details can be found in the [http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration SSSD Trac ].
GPO policy settings are commonly used to manage host-based access control in an AD environment. The two specific GPO policy settings ("Allow Log On Locally" and "Deny Log On Locally") essentially serve as a whitelist and blacklist of domain users/groups that are consulted to determine whether logon access to a particular domain computer should be granted. When dealing with GPOs, there is typically a management piece (used to '''specify''' the policy settings) and a client-side processing piece (used to '''retrieve''' and '''enforce''' the policy settings). Since the two policy settings of interest already exist in AD, administrators can continue to use existing mechanisms to specify the whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As such, this change is related only to the retrieval and enforcement of policy settings. This change only affects SSSD's AD provider. It has no effect on any other SSSD providers (e.g. IPA provider).The upstream design page that includes deeper technical details can be found in the [http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration SSSD Trac ].


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
Fedora currently defaults to using SSSD's AD provider for access control in an AD environment. Using GPO-based access control would allow Fedora computers to be seamlessly integrated into the GPO-based host-based access control model, with which Windows administrators are already familiar. Additionally, while the current implementation allows host-based access control to be configured locally on each machine, using GPO-based access control supports the central configuration and management of access control policy. This is an important component of Fedora's robust ability to integrate with AD environments, that has not previously been addressed.
Fedora currently defaults to using SSSD's AD provider for access control in an AD environment. Implementing this change would allow hosts running Fedora to be seamlessly integrated into the GPO-based access control model, with which Windows administrators are already familiar. Among other things, this model allows access control policy to be configured and managed in a centralized manner, something that SSSD's AD provider is not currently able to do. Implementing this change would enhance Fedora's ability to integrate with AD environments in a robust manner.


== Scope ==
== Scope ==
Line 80: Line 80:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
No changes should be required and no existing functionality should be lost. The semantics of the whitelist are that everyone is allowed access if no whitelist is specified. As such, a previous version of Fedora (which would be unaware of GPO-based access-control policy settings) should not be affected.
No changes should be required and no existing functionality should be lost.
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


== How To Test ==
== How To Test ==
Line 100: Line 97:
-->
-->


How to test
In order to test this functionality, you must have access to an AD server. After performing setup tasks on both the test client and the AD server, you can test this change by determining whether the users/groups placed on the GPO whitelist/blacklist are being correctly granted/denied access.
 
In order to test this functionality, you must have access to an AD server. You need to perform some setup tasks on both the test client and the AD server, and then test if the users/groups placed on the GPO whitelist are being correctly granted access, and that the users/groups placed on the GPO blacklist are being correctly denied access.


Client Setup:
'''Test Client Setup:
* use realmd (or some other mechanism) to join the test client to the AD domain.
* use realmd (or some other mechanism) to join the test client to the AD domain.
* make a note of the DN of the computer object that is created on the AD server as a result of the join step (e.g. "cn=f21-client, ou=computers, dc=foo, dc=com").  
* make a note of the DN of the computer object that is created on the AD server as a result of the join step (e.g. "cn=f21-client, ou=computers, dc=foo, dc=com"). In order for a GPO to be applicable to the test client, it must be linked to an ou parent or dc parent of the test client's DN (or to the site associated with the test client).
* install the sssd package (if realmd hasn't already done so) and configure it to use "Active Directory" for all providers (e.g. id, auth, etc).
* install the sssd package and configure it to use "ad" for all providers (e.g. id, auth, access, etc).


AD Server Setup:
'''AD Server Setup:
* create some AD domain users and groups
* create some AD domain users and AD domain groups; a user can be managed directly (by being listed) or indirectly (by being a member of a listed group) on a whitelist or blacklist
* create a GPO (using GPMC); set the "Allow Logon Locally" policy setting to the users/groups for which you want access to be allowed; set the "Deny Logon Locally" policy setting to the users/groups for which you want access to be denied
* create a GPO (using GPMC); set the "Allow Logon Locally" policy setting to the users/groups for which you want access to be allowed; set the "Deny Logon Locally" policy setting to the users/groups for which you want access to be denied
* link this GPO (using GPMC) to a specific site, domain, or OU node (under which the client test machine resides in AD). For example, if the client test machine's DN is "cn=f21-client, ou=computers, dc=foo, dc=com", then the GPO needs can be linked either to "ou=computers, dc=foo, dc=com" or to "dc=foo, dc=com".
* link this GPO (using GPMC) to a specific site, domain, or OU node (under which the client test machine resides in AD). For example, if the client test machine's DN is "cn=f21-client, ou=computers, dc=foo, dc=com", then the GPO can be linked either to "ou=computers, dc=foo, dc=com" or to "dc=foo, dc=com".
 
Functionality Test
* test that the users/groups that you specified in the "Allow Logon Locally" policy settings are able to logon to the test client (you can use ssh instead of doing a full login: e.g. ssh allowed_user@FOO.COM@localhost).
* test that the users/groups that you specified in the "Deny Logon Locally" policy settings are not able to logon to the test client.
* unlink previous GPO; link GPO to specific site, domain, or OU node (under which the host computer *does not* reside in AD); test that all users/groups are able to log in to host (since the GPO no longer applies to this host)
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)


'''Actual Test
* test that the users/groups that you specified in the "Allow Logon Locally" policy settings are able to logon to the test client (you can use ssh instead of doing a full login: e.g. "ssh allowed_user@FOO.COM@localhost").
* test that the users/groups that you specified in the "Deny Logon Locally" policy settings are '''not''' able to logon to the test client.
* if a user is both allowed and denied, make sure that deny takes precedence
* unlink GPO from node and test that all users/groups are able to login to host (since the GPO no longer applies to this host)
* create and link multiple gpos (with conflicting whitelists and blacklists) to various nodes in the hierarchy; OU-linked GPOs should override domain-linked GPOs, which should override site-linked GPOs
== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
Line 129: Line 122:
== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
 
This change depends on a new version of libini_config to be released, which should include functionality (already mostly implemented) needed for parsing policy settings data retrieved in the INI/INF format.
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)  


== Contingency Plan ==
== Contingency Plan ==
Line 144: Line 135:
== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->

Revision as of 21:25, 31 March 2014


SSSD GPO-Based Access Control

Summary

This change will enhance SSSD, by adding support for centrally managed host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).

Owner

Current status

  • Targeted release: Fedora 21
  • Last updated: 2014-03-31
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

GPO policy settings are commonly used to manage host-based access control in an AD environment. The two specific GPO policy settings ("Allow Log On Locally" and "Deny Log On Locally") essentially serve as a whitelist and blacklist of domain users/groups that are consulted to determine whether logon access to a particular domain computer should be granted. When dealing with GPOs, there is typically a management piece (used to specify the policy settings) and a client-side processing piece (used to retrieve and enforce the policy settings). Since the two policy settings of interest already exist in AD, administrators can continue to use existing mechanisms to specify the whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As such, this change is related only to the retrieval and enforcement of policy settings. This change only affects SSSD's AD provider. It has no effect on any other SSSD providers (e.g. IPA provider).The upstream design page that includes deeper technical details can be found in the SSSD Trac .

Benefit to Fedora

Fedora currently defaults to using SSSD's AD provider for access control in an AD environment. Implementing this change would allow hosts running Fedora to be seamlessly integrated into the GPO-based access control model, with which Windows administrators are already familiar. Among other things, this model allows access control policy to be configured and managed in a centralized manner, something that SSSD's AD provider is not currently able to do. Implementing this change would enhance Fedora's ability to integrate with AD environments in a robust manner.

Scope

Since this functionality would only be used by SSSD's AD provider, it would be included as part of the sssd-ad package. This feature would be enabled by default, but a build switch would be provided for those who do not wish to deploy this functionality.

  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

No changes should be required and no existing functionality should be lost.

How To Test

In order to test this functionality, you must have access to an AD server. After performing setup tasks on both the test client and the AD server, you can test this change by determining whether the users/groups placed on the GPO whitelist/blacklist are being correctly granted/denied access.

Test Client Setup:

  • use realmd (or some other mechanism) to join the test client to the AD domain.
  • make a note of the DN of the computer object that is created on the AD server as a result of the join step (e.g. "cn=f21-client, ou=computers, dc=foo, dc=com"). In order for a GPO to be applicable to the test client, it must be linked to an ou parent or dc parent of the test client's DN (or to the site associated with the test client).
  • install the sssd package and configure it to use "ad" for all providers (e.g. id, auth, access, etc).

AD Server Setup:

  • create some AD domain users and AD domain groups; a user can be managed directly (by being listed) or indirectly (by being a member of a listed group) on a whitelist or blacklist
  • create a GPO (using GPMC); set the "Allow Logon Locally" policy setting to the users/groups for which you want access to be allowed; set the "Deny Logon Locally" policy setting to the users/groups for which you want access to be denied
  • link this GPO (using GPMC) to a specific site, domain, or OU node (under which the client test machine resides in AD). For example, if the client test machine's DN is "cn=f21-client, ou=computers, dc=foo, dc=com", then the GPO can be linked either to "ou=computers, dc=foo, dc=com" or to "dc=foo, dc=com".

Actual Test

  • test that the users/groups that you specified in the "Allow Logon Locally" policy settings are able to logon to the test client (you can use ssh instead of doing a full login: e.g. "ssh allowed_user@FOO.COM@localhost").
  • test that the users/groups that you specified in the "Deny Logon Locally" policy settings are not able to logon to the test client.
  • if a user is both allowed and denied, make sure that deny takes precedence
  • unlink GPO from node and test that all users/groups are able to login to host (since the GPO no longer applies to this host)
  • create and link multiple gpos (with conflicting whitelists and blacklists) to various nodes in the hierarchy; OU-linked GPOs should override domain-linked GPOs, which should override site-linked GPOs

User Experience

N/A (not a System Wide Change)

Dependencies

This change depends on a new version of libini_config to be released, which should include functionality (already mostly implemented) needed for parsing policy settings data retrieved in the INI/INF format.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product <-- Applicable for Changes that blocks specific product release/Fedora.next -->

Documentation

https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration

N/A (not a System Wide Change)

Release Notes