SUSE Support

Here When You Need Us

Limit access of Active Directory users with sssd

This document (7024238) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)

Situation

In a large Active Directory environment, it may be necessary to limit certain AD users from accessing certain Linux systems. If Linux's authentication against the AD is handled with sssd, there is a simple solution to configure the access with sssd.

Resolution

This is a simple example configuration done via YaST :

[sssd]
config_file_version = 2
services = nss,pam
domains = intern.priv

[nss]

[pam]

[domain/intern.priv]
id_provider = ad
auth_provider = ad
enumerate = false
cache_credentials = false
case_sensitive = true
ad_server = w2019.intern.priv
ad_hostname = sles15sp11.intern.priv

In this example, we want members of the "Domain Admins" group to be able to login to the system.  All other users from the Active Directory domain should have no access.
 
The domain name is "INTERN.PRIV" .

Add the following lines to the Domain section:

simple_allow_groups = Domain Admins@INTERN.PRIV
access_provider = simple

and restart the sssd daemon:

systemctl restart sssd

Check whether the configuration is working:

e.g. as member of the "Domain Users" group:

helga:~ # ssh INTERN.PRIV\\hmabuse@sles15sp11
Password:
Connection closed by 10.0.0.151 port 22

and as a member of the "Domain Admins" group:

helga:~ # ssh INTERN.PRIV\\Administrator@sles15sp11
Password:
Last login: Tue Nov  5 12:08:08 2019 from 10.0.0.3
administrator@sles15sp11:/home/intern.priv/administrator>

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7024238
  • Creation Date: 05-Nov-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center