AD GPO: Change default to "enforcing"

When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments. However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
author: Stephen Gallagher <sgallagh@redhat.com> 2015-04-20 10:51:04 -0400
committer: Jakub Hrozek <jhrozek@redhat.com> 2015-05-28 11:13:20 +0200
commit: 772464c842968d6e544118ae1aa7c49a7cda2ad6 (patch)
tree: 3aa8f4c12f6053d51029c561f0c66a1b11778f70
parent: 31bafc0d6384a30859aa18f3bd22275aec6ee2ed (diff)
download: sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.tar.gz
sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.tar.xz
sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.zip
5 files changed, 35 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac
index 1f9c6f867..8d57c664b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,7 @@ WITH_CIFS_PLUGIN_PATH
 WITH_SELINUX
 WITH_NSCD
 WITH_SEMANAGE
+WITH_AD_GPO_DEFAULT
 WITH_GPO_CACHE_PATH
 WITH_NOLOGIN_SHELL
 WITH_APP_LIBS
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 86876fab8..0ed1694cb 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -792,3 +792,25 @@ AC_DEFUN([WITH_SSSD_USER],
     AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
     AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
   ])
+
+  AC_DEFUN([WITH_AD_GPO_DEFAULT],
+    [ AC_ARG_WITH([ad-gpo-default],
+                  [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+                                  [Default enforcing level for AD GPO access-control (enforcing)]
+                                 )
+                  ]
+                 )
+      GPO_DEFAULT=enforcing
+
+      if test x"$with_ad_gpo_default" != x; then
+          if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then
+              AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+          else
+              GPO_DEFAULT=$with_ad_gpo_default
+          fi
+      fi
+
+      AC_SUBST(GPO_DEFAULT)
+      AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+      AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+  ])
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dce..1ef1da48c 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -24,7 +24,12 @@ endif
 if BUILD_IFP
 IFP_CONDS = ;with_ifp
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
 
 
 #Special Rules:
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a4045..938a443e0 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -324,9 +324,12 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
                                 </listitem>
                             </itemizedlist>
                         </para>
-                        <para>
+                        <para condition="gpo_default_permissive">
                             Default: permissive
                         </para>
+                        <para condition="gpo_default_enforcing">
+                            Default: enforcing
+                        </para>
                     </listitem>
                 </varlistentry>
 
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 6e859447f..0f03d3383 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -27,6 +27,7 @@
 #include "db/sysdb_services.h"
 #include "db/sysdb_autofs.h"
 #include "providers/ldap/ldap_common.h"
+#include "config.h"
 
 struct dp_option ad_basic_opts[] = {
     { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -38,7 +39,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
-    { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+    { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
     { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
author	Stephen Gallagher <sgallagh@redhat.com>	2015-04-20 10:51:04 -0400
committer	Jakub Hrozek <jhrozek@redhat.com>	2015-05-28 11:13:20 +0200
commit	772464c842968d6e544118ae1aa7c49a7cda2ad6 (patch)
tree	3aa8f4c12f6053d51029c561f0c66a1b11778f70
parent	31bafc0d6384a30859aa18f3bd22275aec6ee2ed (diff)
download	sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.tar.gz sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.tar.xz sssd-772464c842968d6e544118ae1aa7c49a7cda2ad6.zip