I am working on replacing our Centrify installations with SSSD. I have it working, but I can't figure out how to deny all 'domain users' and only allow specific AD groups to SSH into the system. With Centrify there is a GUI console and you can just set this. I have been reading about the simple provider and then using simple_allow_groups and simple_deny_groups, but this doesn't appear to be working. https://www.systutorials.com/docs/linux/man/5-sssd-simple/
I have this at the bottom part of my sssd.conf
In my domain section:
cache_credentials = true
id_provider = ad
auth_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = false
ignore_group_members = true
access_provider = simple
simple_deny_groups = 'domain users'
simple_allow_groups = servername-ad-group
I then was going to try using the sshd_config but didn't know about that. Just trying to use SSSD for AD authentication and deny everyone and explicitly define who can SSH into the server. These are all Oracle Linux 7.6 with the 4.14.35-1844.2.5.el7uek.x86_64 kernel, no GUIs installed, minimal installations.
Good thoughts on how I can accomplish this?
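The evaluation order documented in the sssd-simple man page linked above (allow lists first, then deny lists, with any matching deny rule superseding a matching allow rule), modelled as an added example that is not part of the original post and is not SSSD code. Assumptions: the domain name `example.com`, the accounts `alice` and `bob`, the helper names, the deny group written without quotes, and case-insensitive name matching.

```python
import configparser

# Constructed fragments. "example.com" is a placeholder domain name; the first
# mirrors the posted lists (group name written without quotes), the second
# drops the deny list.
POSTED = """[domain/example.com]
access_provider = simple
simple_deny_groups = domain users
simple_allow_groups = servername-ad-group
"""
ALLOW_ONLY = """[domain/example.com]
access_provider = simple
simple_allow_groups = servername-ad-group
"""
LISTS = ("simple_allow_users", "simple_deny_users",
         "simple_allow_groups", "simple_deny_groups")

def load_rules(text, section="domain/example.com"):
    """Read the four simple_* lists as sets of lower-cased names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {key: {v.strip().lower()
                  for v in cp.get(section, key, fallback="").split(",")
                  if v.strip()}
            for key in LISTS}

def access_granted(rules, user, groups):
    """Model of the man page rules: evaluate allow, then deny; deny wins."""
    user, groups = user.lower(), {g.lower() for g in groups}
    if not any(rules.values()):
        return True  # all lists empty: access is granted
    has_allow = rules["simple_allow_users"] or rules["simple_allow_groups"]
    allowed = (not has_allow or user in rules["simple_allow_users"]
               or bool(groups & rules["simple_allow_groups"]))
    denied = (user in rules["simple_deny_users"]
              or bool(groups & rules["simple_deny_groups"]))
    return allowed and not denied

# Constructed accounts: every AD user is assumed to be in "Domain Users".
USERS = {"alice": ["Domain Users", "servername-ad-group"],
         "bob": ["Domain Users"]}

def decisions(text):
    rules = load_rules(text)
    return {u: access_granted(rules, u, g) for u, g in USERS.items()}

if __name__ == "__main__":
    print("posted lists:", decisions(POSTED))
    print("allow only  :", decisions(ALLOW_ONLY))
```

Under these rules an allow list alone already denies everyone who is not on it, while a deny rule on a group that every account belongs to also rejects the members of the allowed group.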