On Fri, Jun 14, 2019 at 09:22:17AM -0000, Mads Boye wrote:
Hi Jakub. Thank you for the reply. I still have no success.
Did try the AllowGroup in sshd_config but with no luck.
So I did a bit more investigation on pam_access and think that pam_access and pam_sss might be locking each other out.
So I will try to explain my setup. In sssd.conf we use "simple_allow_groups" for access for users and admins. The config looks like:

/etc/sssd/sssd.conf:

[sssd]
services = nss, pam
#debug_level = 9
config_file_version = 2
domains = example.dk
default_domain_suffix = EXAMPLE.DK
use_fully_qualified_names = TRUE

[autofs]

[nss]
#debug_level = 9
reconnection_retries = 3

[pam]
#debug_level = 9
reconnection_retries = 100
# allow PAM to cache user details for this long
# this can improve login times
# but it also delays AD changes from being seen
pam_id_timeout = 600

[domain/example.dk]
id_provider = ad
#debug_level = 6
auth_provider = ad
access_provider = simple
ldap_id_mapping = False
simple_allow_groups = serveradmins@example.dk, hostaccess@example.dk
chpass_provider = ad
ad_gpo_access_control = disabled
override_homedir = /user/%d/%u
override_shell = /bin/bash
dyndns_update = True
dyndns_refresh_interval = 43200
dyndns_update_ptr = True
auto_private_groups = True
With this, ssh and /bin/login work for members of the AD groups. Now I have created a local group and added AD users to it:

sudo addgroup example
sudo usermod -a -G example aduser@example.dk

aduser@example.dk is not a member of the simple_allow_groups groups. Now I have enabled pam_access.so in both /etc/pam.d/login and sshd.
login (I have removed all comments, for readability):

#
# The PAM configuration file for the Shadow `login' service
#
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
account required pam_access.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard
session optional pam_keyinit.so force revoke
@include common-account
@include common-session
@include common-password

sshd:

# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
account required pam_access.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
When I dug into auth.log it seemed like sssd authenticated the users but denied them due to simple_allow_groups, so I changed access_provider = simple to access_provider = permit and restarted sssd.
Now all users are allowed to log in if AD authenticates them. Now I added the following to /etc/security/access.conf:
- : (example) : ALL
- : ALL except root my-mail@example.dk : ALL
restarted sshd and sssd just to be sure. Now I get the following error:

Jun 14 10:47:37 example01 sshd[89937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_access(sshd:account): access denied for user `aduser@example.dk' from `10.14.1.2'
Jun 14 10:47:37 example01 sshd[89937]: Failed password for aduser@example.dk from 10.14.1.2 port 52944 ssh2
Jun 14 10:47:37 example01 sshd[89937]: fatal: Access denied for user aduser@example.dk by PAM account configuration [preauth]
If I change "- : ALL except root my-mail@example.dk : ALL" to "- : ALL except root EXAMPLE\aduser my-mail@example.dk : ALL", the aduser@example is allowed to log in.
I just tested; it also works with:
- : EXAMPLE\aduser : ALL
- : ALL except root my-mail@example.dk : ALL
So it seems like the group is not evaluated correctly?
I guess.. when you have the access control disabled and log in with aduser@example and then run "id", does it show the group example?
maybe the 'debug' parameter of pam_access.so could help here..
OS is Ubuntu 18.04.2 LTS
Best Regards,
Mads.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
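Added example, not part of the thread and not Linux-PAM or SSSD code: a small Python model of how pam_access walks /etc/security/access.conf, run over the two rules Mads posted. It follows the pam_access semantics a practitioner needs here: rules are evaluated top to bottom and the first one whose users field and origins field both match decides ('+' allow, '-' deny; no match means allow); in the users field ALL matches everyone, (name) is a group, EXCEPT subtracts the tokens after it, a bare token is tried as a user and then as a group, and a token containing '@' is read as user@host (that is how user_match() in Linux-PAM's pam_access.c handles it, which matters when SSSD login names are fully qualified). The group database, the "no group reported" case and the origin 10.14.1.2 are constructed for the demo, and origin matching is reduced to ALL or an exact compare.

```python
"""Toy model of pam_access rule evaluation (added example, not Linux-PAM code).

First matching rule wins; no match means allow.  Users field: ALL, (group),
EXCEPT, bare token as user-then-group, and user@host splitting on '@'.
Group data and the request below are constructed; origin matching is
simplified to ALL / exact compare.
"""


def origin_match(tok, origin):
    # Real pam_access also understands LOCAL, @netgroup, .domain and
    # address/netmask forms; the toy models only ALL and an exact match.
    return tok.upper() == "ALL" or tok == origin


def user_match(tok, user, groups, origin):
    """Evaluate one token of the users field; groups = what NSS reports."""
    if tok.startswith("@"):
        return False  # @netgroup: not modelled here
    if "@" in tok:
        # user@host: the part before '@' must match the login name and the
        # part after it must match the origin.  A fully qualified SSSD name
        # such as aduser@example.dk is therefore never compared as one string.
        name, host = tok.split("@", 1)
        return user_match(name, user, groups, origin) and origin_match(host, origin)
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups
    if tok.upper() == "ALL" or tok.lower() == user.lower():
        return True
    return tok in groups  # bare token is also tried as a group (no nodefgroup)


def list_match(field, match):
    """True if some token before EXCEPT matches and no token after it does."""
    head, tail, after_except = [], [], False
    for tok in field.replace(",", " ").split():
        if tok.upper() == "EXCEPT":
            after_except = True
        elif after_except:
            tail.append(tok)
        else:
            head.append(tok)
    if not any(match(t) for t in head):
        return False
    return not any(match(t) for t in tail)


def check_access(conf, user, origin, groups):
    """Return (decision, matching rule line or None) with first-match semantics."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            continue  # malformed line; real pam_access logs and skips it
        perm, users, origins = fields
        if (list_match(users, lambda t: user_match(t, user, groups, origin))
                and list_match(origins, lambda t: origin_match(t, origin))):
            return ("allow" if perm == "+" else "deny"), line
    return "allow", None


# The two rules from the post.
CONF_AS_POSTED = """
- : (example) : ALL
- : ALL except root my-mail@example.dk : ALL
"""

# Constructed stand-in for `id -nG <user>` on the host (files + sss).
GROUP_DB = {
    "aduser@example.dk": {"example"},
    "my-mail@example.dk": {"mailadmins"},
    "root": {"root"},
}
ORIGIN = "10.14.1.2"  # rhost from the posted log line


def demo():
    results = {}
    for user, groups in GROUP_DB.items():
        results[user] = check_access(CONF_AS_POSTED, user, ORIGIN, groups)
    # Same user, but NSS does not report the local group (the case Jakub
    # asks about): rule 1 no longer matches and rule 2 decides instead.
    results["aduser@example.dk (no group)"] = check_access(
        CONF_AS_POSTED, "aduser@example.dk", ORIGIN, set())
    return results


if __name__ == "__main__":
    for who, (decision, rule) in demo().items():
        print(f"{who:34} -> {decision:5} by {rule!r}")
```

Two things the run makes visible that the single "access denied" log line does not: the member of the local group is denied by the first rule as written, and my-mail@example.dk is denied by the second rule because the '@' in the except list token splits it into user "my-mail" from host "example.dk", so the fully qualified login name never matches. The same "access denied" line also results when NSS simply does not report the group. On the real host, `id -nG aduser@example.dk` and `getent group example` show what NSS returns, and the `debug` option on pam_access.so (suggested in the thread) reports the rules as they are evaluated, which is the information this toy returns as the matching line.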