We are trying out Active Directory integration on some Linux systems with SSSD.
So far so good: we joined the Linux systems to the domain, and we can log into them with AD-defined users. Right now every AD user can log into every Linux system that has been integrated with SSSD.
How can I let user Foo log into LinuxServer01 but prevent him from logging into LinuxServer02? And/or how can I block a user from logging into all Linux systems and only allow him on some specific ones?
I would recommend against using the filter-based access control for most deployments for two reasons:
the memberof attribute while the user is a member of nested groups - since the user entry only contains memberofs to direct parents, the nested groups would never match.
For very simple use cases, such as allowing a user or a group of users, I would recommend using the simple access provider.
For complex use-cases, SSSD supports AD GPOs starting with the 1.12.x series, search the sssd-ad man page for details.
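As an added example (not configuration from the answer above), here is what the simple access provider looks like in /etc/sssd/sssd.conf on one host. The domain name example.com, the group linuxserver01-login and the user foo are placeholders chosen for illustration; replace them with your own.

```ini
# Added example: /etc/sssd/sssd.conf on LinuxServer01 using the simple access
# provider. Domain, group and user names are placeholders, not real identifiers.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad

# The default access_provider is "permit": anyone who can authenticate may log
# in. Switch to "simple" to enforce an explicit allow-list on this host.
access_provider = simple

# Only members of this AD group may log in to this host. Give each Linux host
# its own group (e.g. linuxserver02-login on LinuxServer02) and you control
# access host by host from the AD side by editing group membership.
simple_allow_groups = linuxserver01-login@example.com

# Individual users can be listed alongside (or instead of) groups.
simple_allow_users = foo@example.com

# A matching deny list is evaluated before the allow lists and wins over them.
# simple_deny_users = bar@example.com
```

After editing the file, clear the cached entries with sss_cache -E and restart sssd, then check with id foo@example.com that SSSD sees the group membership you expect before testing an actual login. Note that sssd.conf must be owned by root with mode 0600, otherwise sssd refuses to start.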
After doing some more RTFM I found the details in sssd-ad(5) - I must have missed them the first time:
The default access_provider is permit, so every user that can authenticate is given permission to login to the system. This is explained in sssd.conf(5).
With access_provider = ad you can use ad_access_filter as detailed in sssd-ad(5) to define a filter for users that can login (but I still don't know if there's any way to specify systems one by one on the AD side for a user to allow login).
In your sssd.conf configuration file, you can modify the access filter to meet your needs. Under the domain/default section, try the following:
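Neither the self-answer above nor this answer shows a concrete ad_access_filter, so here is an added example of the relevant part of /etc/sssd/sssd.conf for LinuxServer01 (it is not the original answers' configuration). The domain example.com and the group DN CN=linuxserver01-login,OU=Groups,DC=example,DC=com are placeholders. It also illustrates the nested-group caveat raised in the first answer, and a server-side workaround that assumes your directory is Active Directory, where the LDAP_MATCHING_RULE_IN_CHAIN extensible match is available.

```ini
# Added example: access control with the AD provider on LinuxServer01.
# Domain, OU and group names are placeholders, not real identifiers.
[domain/example.com]
id_provider = ad
auth_provider = ad

# Replace the default "permit" (everyone who authenticates gets in) with the
# AD access provider, which evaluates ad_access_filter against the user entry.
access_provider = ad

# Only members of this host's login group may log in here. The filter runs
# against the user's own LDAP entry, and memberOf on that entry lists only the
# groups the user is a DIRECT member of, so users who reach the group only
# through a nested group will NOT match (the caveat from the first answer).
ad_access_filter = (memberOf=CN=linuxserver01-login,OU=Groups,DC=example,DC=com)

# Alternative (assumes Active Directory): the LDAP_MATCHING_RULE_IN_CHAIN
# matching rule makes the domain controller walk group nesting itself, so
# members of nested groups match as well. Use one or the other, not both.
# ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=linuxserver01-login,OU=Groups,DC=example,DC=com)
```

Because every Linux host carries its own sssd.conf, the per-host question in the original post is answered by giving each host its own AD group and referencing that group in that host's filter; membership is then managed entirely on the AD side. After changing the filter, run sss_cache -E and restart sssd. A user outside the group is then rejected at the PAM account stage even with a correct password, which you can confirm in the sssd and auth logs while testing.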