diff --git a/roles/sssd_ad_auth/defaults/main.yml b/roles/sssd_ad_auth/defaults/main.yml
index 697c9ec..a3f8274 100644
--- a/roles/sssd_ad_auth/defaults/main.yml
+++ b/roles/sssd_ad_auth/defaults/main.yml
@@ -8,6 +8,8 @@ ad_computer_ou:
 ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
 ad_enumerate: True
 ad_default_shell: /bin/false
+# If access control should evaluate domain GPO. Can be disabled, eforcing or permissive. See man sssd-ad
+ad_gpo_access_control: permissive
 # sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
 ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"
diff --git a/roles/sssd_ad_auth/templates/sssd.conf.j2 b/roles/sssd_ad_auth/templates/sssd.conf.j2
index 0e6f26b..ecf8a09 100644
--- a/roles/sssd_ad_auth/templates/sssd.conf.j2
+++ b/roles/sssd_ad_auth/templates/sssd.conf.j2
@@ -32,6 +32,7 @@ ad_maximum_machine_account_password_age = 0
 {% if ad_enumerate %}
 enumerate = true
 {% endif %}
+ad_gpo_access_control = {{ ad_gpo_access_control }}
 
 {% for domain in ad_trusted_domains %}
 
@@ -55,4 +56,5 @@ ldap_user_search_base = {{ domain.ldap_user_search_base }}
 {% if domain.ldap_group_search_base is defined and domain.ldap_group_search_base %}
 ldap_group_search_base = {{ domain.ldap_group_search_base }}
 {% endif %}
+ad_gpo_access_control = {{ domain.ad_gpo_access_control | default(ad_gpo_access_control) }}
 {% endfor %}
diff --git a/roles/timers/defaults/main.yml b/roles/timers/defaults/main.yml
index e286eaf..52fd93d 100644
--- a/roles/timers/defaults/main.yml
+++ b/roles/timers/defaults/main.yml
@@ -11,7 +11,7 @@ system_timer_defaults:
   persistent: False
   enabled: True
   user: root
-  max_duration: infinity
+  max_duration: 0
 
 # Define systemd timers
 # system_timers:
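Review bot: The new comment above `ad_gpo_access_control` misspells one of the three modes — `eforcing` should be `enforcing` — and since an unrecognised mode presumably makes the AD provider fail to start, a reader copying the comment into an inventory would get a non-working sssd. The chosen default `permissive` also deserves an explicit warning: in that mode sssd evaluates the GPO logon rights but only logs the result and never denies a login, so any AD "deny log on" policy is not enforced on these hosts unless an inventory overrides the variable. Suggested comment: `# GPO-based access control mode: disabled, enforcing or permissive (permissive only logs denials, it never blocks a login). See man sssd-ad`. The value is not validated anywhere in this role; an `ansible.builtin.assert` that it is one of the three modes would catch a typo before sssd is restarted.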
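Review bot: `ad_gpo_access_control` is an option of the AD access provider, so the line added here and the per-domain one in the next hunk of this template only take effect in a section whose `access_provider` is `ad`; the section headers are outside both hunks, so confirm that the trusted-domain sections rendered by the `{% for domain in ad_trusted_domains %}` loop use the ad provider rather than a plain ldap one, otherwise `domain.ad_gpo_access_control` is silently ignored and operators will believe a per-domain override is in force. A one-line template comment above each added line, `{# GPO evaluation mode; only honoured when access_provider = ad #}`, would make that dependency visible. The `{% for %}` block opens in this hunk and closes in the next, so neither hunk shows the whole domain section.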
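Review bot: `max_duration: 0` replaces `infinity` with no comment saying what `0` means, and the template that consumes `system_timer_defaults.max_duration` is outside this diff, so the two values are not obviously equivalent: `timeout(1)` treats a duration of `0` as "no limit", whereas a systemd time-span setting such as `RuntimeMaxSec=` uses `infinity` for "no limit" and would read a bare `0` as a zero-second budget. Add a comment above the key that names the consumer and the semantics, e.g. `# 0 = no time limit (see the timer unit template); set a time span such as 1h to cap a run`, or keep `infinity` if the value ends up in a unit file. The `system_timer_defaults` mapping starts before this hunk.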