Update to 2020-12-08 13:00

3 years ago · 516d4ee6be
parent d05125afc1
commit 516d4ee6be
3 changed files with 5 additions and 1 deletions
--- a/roles/sssd_ad_auth/defaults/main.yml
+++ b/roles/sssd_ad_auth/defaults/main.yml
@ -8,6 +8,8 @@ ad_computer_ou:
 ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
 ad_enumerate: True
 ad_default_shell: /bin/false
+# If access control should evaluate domain GPO. Can be disabled, eforcing or permissive. See man sssd-ad
+ad_gpo_access_control: permissive

 # sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
 ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"
--- a/roles/sssd_ad_auth/templates/sssd.conf.j2
+++ b/roles/sssd_ad_auth/templates/sssd.conf.j2
@ -32,6 +32,7 @@ ad_maximum_machine_account_password_age = 0
 {% if ad_enumerate %}
 enumerate = true
 {% endif %}
+ad_gpo_access_control = {{ ad_gpo_access_control }}

 {% for domain in ad_trusted_domains %}

@ -55,4 +56,5 @@ ldap_user_search_base = {{ domain.ldap_user_search_base }}
 {% if domain.ldap_group_search_base is defined and domain.ldap_group_search_base %}
 ldap_group_search_base = {{ domain.ldap_group_search_base }}
 {% endif %}
+ad_gpo_access_control = {{ domain.ad_gpo_access_control | default(ad_gpo_access_control) }}
 {% endfor %}
--- a/roles/timers/defaults/main.yml
+++ b/roles/timers/defaults/main.yml
@ -11,7 +11,7 @@ system_timer_defaults:
  persistent: False
  enabled: True
  user: root
-  max_duration: infinity
+  max_duration: 0

 # Define systemd timers
 # system_timers: