-
Notifications
You must be signed in to change notification settings - Fork 0
/
10-pam-access.Rmd
162 lines (123 loc) · 7.02 KB
/
10-pam-access.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# PAM Access Policies {#pamaccess}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("pam-access-images/access.png")
```
\index{Policies!PAM Access}
PAM Access Policy allows you to set host access rules for client machines. Specifically, it specifies rules in `/etc/security/access.d` to allow or deny access to the host.
This policy is physically stored on the SYSVOL in two files, \linebreak MACHINE/VGP/VTLA/VAS/HostAccessControl/Allow/manifest.xml \linebreak and MACHINE/VGP/VTLA/VAS/HostAccessControl/Deny/manifest.xml. \linebreak The manifest.xml files are in xml format, and are easily modified manually using a text editor.
## Server Side Extension
The Server Side Extensions (SSE) for PAM Access Policies is administered using the `samba-tool gpo manage access` command. This SSE cannot be modified using the GPME.
\index{Server Side Extensions}
### Managing PAM Access Policies via samba-tool
The `samba-tool gpo manage access` command has 3 subcommands; add, list, and remove.
```
> samba-tool gpo manage access
Usage: samba-tool gpo manage access <subcommand>
Manage Host Access Group Policy Objects
Options:
-h, --help show this help message and exit
Available subcommands:
add - Adds a VGP Host Access Group Policy to the sysvol
list - List VGP Host Access Group Policy from the sysvol
remove - Remove a VGP Host Access Group Policy from the sysvol
```
To use the `samba-tool gpo manage access add` command, you need to provide the name of the GPO as the first argument, followed by the access setting (either "allow" or "deny"), the common name (cn) of the host or user you want to allow or deny access to, and the domain of the host or user. For example:
```sh
samba-tool gpo manage access add <gpo> <allow/deny> <cn> <domain>
```
Any time an allow entry is detected by the client, an implicit deny
ALL will be assumed.
Let's add a few rules that restricts access to a couple of specific users.
```
> samba-tool gpo manage access add \
{31B2F340-016D-11D2-945F-00C04FB984F9} allow Administrator \
lizardo.suse.de -UAdministrator
> samba-tool gpo manage access add \
{31B2F340-016D-11D2-945F-00C04FB984F9} allow tux \
lizardo.suse.de -UAdministrator
```
These grant access to the users `tux` and `Administrator` on the host. If we list our access policies, we can see they are ready for delivery to the client.
```
> samba-tool gpo manage access list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
+:lizardo.suse.de\Administrator:ALL
+:lizardo.suse.de\tux:ALL
```
## Client Side Extension
The PAM Access Client Side Extension (CSE) will create a new file in the `/etc/security/access.d` directory for each host access rule.
The PAM module `pam_access` must be configured or this CSE will do nothing (see `man pam_access`). This can be configured using the command `pam-config --add --access`. It may be beneficial to ensure this is enabled by enforcing a Script policy which executes `pam-config --add --access` (see chapter \@ref(scripts) on how to schedule a script policy).
\index{Client Side Extensions}
Let’s list the Resultant Set of Policy to view the policies we've created for our host access control.
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_scripts_ext
-----------------------------------------------------------
Policy Type: Hourly Scripts
-----------------------------------------------------------
[ pam-config --add --access ]
-----------------------------------------------------------
-----------------------------------------------------------
CSE: vgp_access_ext
-----------------------------------------------------------
Policy Type: VGP/Unix Settings/Host Access
-----------------------------------------------------------
[ +:Administrator\lizardo.suse.de:ALL ]
[ +:tux\lizardo.suse.de:ALL ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
Our PAM Access policy and our `pam-config` check are both listed.
\index{Resultant Set of Policy}
Let's now force an apply.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Unix Settings/Scripts' or
@name='VGP/Unix Settings/Host
Access']" - \
| xmllint --format -
<gp_ext name="Unix Settings/Scripts">
<attribute name="Software\\Policies\\Samba\\Unix Settings\\
Daily Scripts:ZWNobyBoZWxsbyB3b3JsZA==">
/etc/cron.daily/gp_pawtjsiq
</attribute>
</gp_ext>
<gp_ext name="VGP/Unix Settings/Host Access">
<attribute name="6bf0...fb9c">
/etc/security/access.d/9000000001_gp_DENY_ALL.conf:
/etc/security/access.d/0000000001_gp.conf
</attribute>
</gp_ext>
```
Notice that the PAM Access policy generated 2 different files, \linebreak `/etc/security/access.d/0000000001_gp.conf` \linebreak and `/etc/security/access.d/9000000001_gp_DENY_ALL.conf`. Let's check the contents of these files to see what was generated.
\index{Group Policy Cache}
```
> cat /etc/security/access.d/0000000001_gp.conf; echo
### autogenerated by samba
#
# This file is generated by the vgp_access_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
+:lizardo.suse.de\Administrator:ALL
+:lizardo.suse.de\tux:ALL
> cat /etc/security/access.d/9000000001_gp_DENY_ALL.conf; echo
### autogenerated by samba
#
# This file is generated by the vgp_access_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
-:ALL:ALL
```
The PAM Access CSE automatically added a deny all entry. The pam\_access pam module reads host access rules in numerical order from the `/etc/security/access.d` directory. This automatic deny all entry was intentionally placed numerically after our allow entries (9000000001 > 0000000001), to ensure the allow entries are processed first.
You should notice at this point that it would be senseless to intermix allow and deny rules. Any time an allow rule is applied to a client, *deny all else* is implicitly assumed. It doesn't hurt to have extra deny rules, but they would be pointless. When only deny rules are set in the policy, then *allow all else* is implicitly assumed (which is the pam default, and no extra rules are added).
You can safely stack group policies which contain different allow rules, since the *deny all else* entries will always be placed in a range above the host access rules. You will see multiple *deny all else* entries generated, and this is intentional. This ensures there is always a *deny all else* entry associated with any allow rules which are applied.