authorStephen Gallagher <sgallagh@redhat.com>2015-04-20 10:51:04 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-05-28 11:13:20 +0200
commit772464c842968d6e544118ae1aa7c49a7cda2ad6 (patch)
tree3aa8f4c12f6053d51029c561f0c66a1b11778f70 /src
parent31bafc0d6384a30859aa18f3bd22275aec6ee2ed (diff)
AD GPO: Change default to "enforcing"
When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments. However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/conf_macros.m422
-rw-r--r--src/man/Makefile.am7
-rw-r--r--src/man/sssd-ad.5.xml5
-rw-r--r--src/providers/ad/ad_opts.h3
4 files changed, 34 insertions, 3 deletions
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 86876fab..0ed1694c 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -792,3 +792,25 @@ AC_DEFUN([WITH_SSSD_USER],
AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
])
+
+ AC_DEFUN([WITH_AD_GPO_DEFAULT],
+ [ AC_ARG_WITH([ad-gpo-default],
+ [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+ [Default enforcing level for AD GPO access-control (enforcing)]
+ )
+ ]
+ )
+ GPO_DEFAULT=enforcing
+
+ if test x"$with_ad_gpo_default" != x; then
+ if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then
+ AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+ else
+ GPO_DEFAULT=$with_ad_gpo_default
+ fi
+ fi
+
+ AC_SUBST(GPO_DEFAULT)
+ AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+ AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+ ])
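Review bot: The `AC_MSG_ERROR` call on the invalid-value path embeds unescaped double quotes inside a double-quoted shell string (`"GPO Default must be either "enforcing" or "permissive"`), so once autoconf wraps the message in its own quotes the quoting is unbalanced and a misspelled `--with-ad-gpo-default` value is likely to surface as a shell syntax error instead of the intended diagnostic; m4-quote the message and use single quotes for the literals. The `test ... -a ...` form is obsolescent in POSIX and discouraged by the autoconf portability notes; a `case` over `$with_ad_gpo_default` states the accepted values more directly, as in the rewrite below. The brackets in the help string `--with-ad-gpo-default=[enforcing|permissive]` are m4 quote characters and will probably be stripped from the generated `--help` text; write them as `@<:@enforcing|permissive@:>@`.
```m4
  if test x"$with_ad_gpo_default" != x; then
    case "$with_ad_gpo_default" in
      enforcing|permissive) GPO_DEFAULT=$with_ad_gpo_default ;;
      *) AC_MSG_ERROR([GPO default must be either 'enforcing' or 'permissive']) ;;
    esac
  fi
dnl … unchanged: AC_SUBST, AC_DEFINE_UNQUOTED, AM_CONDITIONAL …
```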
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dc..1ef1da48 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -24,7 +24,12 @@ endif
if BUILD_IFP
IFP_CONDS = ;with_ifp
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a404..938a443e 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -324,9 +324,12 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</listitem>
</itemizedlist>
</para>
- <para>
+ <para condition="gpo_default_permissive">
Default: permissive
</para>
+ <para condition="gpo_default_enforcing">
+ Default: enforcing
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 6e859447..0f03d338 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -27,6 +27,7 @@
#include "db/sysdb_services.h"
#include "db/sysdb_autofs.h"
#include "providers/ldap/ldap_common.h"
+#include "config.h"
struct dp_option ad_basic_opts[] = {
{ "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
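Review bot: `#include "config.h"` is added after the other project headers, which have already pulled in system headers by that point; if `config.h` defines feature-test macros (e.g. `_GNU_SOURCE`) they only take effect when seen before the first system header, so in a header it is safer to include it first, or to leave the `config.h` include to the translation units and keep this header free of it. Since the value is now consumed in the `ad_basic_opts` initializer in the next hunk, a stale `config.h` without the new symbol would fail with an obscure undeclared-identifier error inside the table; a guard right after the include gives a clear message: `#ifndef AD_GPO_ACCESS_MODE_DEFAULT` / `#error "AD_GPO_ACCESS_MODE_DEFAULT not defined; rerun configure"` / `#endif`. The `ad_basic_opts` definition begins in this hunk and continues past it.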
@@ -38,7 +39,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+ { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },