Hi everyone. So I am banging my head against the wall and need some help. What I try to achieve is having a local POSIX group which contains Active Directory users. Now I would like to use this POSIX group to allow the users to access the server with e.g. ssh. How do I set this up?
Normally I use simple_allow_groups for my AD user group who can log in, but the documentation says that local groups are not evaluated.
I have tried with /etc/security/access.conf. The OS I am using is Ubuntu 18.04.
Is what I am trying to achieve possible with sssd?
Please let me know if additional information is needed.
On Thu, Jun 13, 2019 at 11:36:53AM -0000, Mads Boye wrote:
I have tried with /etc/security/access.conf The OS I am using is Ubuntu 18.04
If you care only about sshd, then AllowGroups in sshd_config might be a good option.
Otherwise pam_access and access.conf. What did not work with access.conf? Did you also make sure that pam_access is present in the PAM stack?
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Hi Jakub. Thank you for the reply. I still have no success.
I did try AllowGroup in sshd_config, but with no luck.
So I did a bit more investigation on pam_access and think that pam_access and pam_sss might be locking each other out.
So I will try to explain my setup. In sssd.conf we use "simple_allow_groups" for access for users and admins. The config looks like this:

/etc/sssd/sssd.conf:

[sssd]
services = nss, pam
#debug_level = 9
config_file_version = 2
domains = example.dk
default_domain_suffix = EXAMPLE.DK
use_fully_qualified_names = TRUE

[autofs]

[nss]
#debug_level = 9
reconnection_retries = 3

[pam]
#debug_level = 9
reconnection_retries = 100
# allow PAM to cache user details for this long
# this can improve login times
# but it also delays AD changes from being seen
pam_id_timeout = 600

[domain/example.dk]
id_provider = ad
#debug_level = 6
auth_provider = ad
access_provider = simple
ldap_id_mapping = False
simple_allow_groups = serveradmins@example.dk, hostaccess@example.dk
chpass_provider = ad
ad_gpo_access_control = disabled
override_homedir = /user/%d/%u
override_shell = /bin/bash
dyndns_update = True
dyndns_refresh_interval = 43200
dyndns_update_ptr = True
auto_private_groups = True
With this, ssh and /bin/login work for members of the AD groups. Now I have created a local group and added AD users to it:

sudo addgroup example
sudo usermod -a -G example aduser@example.dk

aduser@example.dk is not a member of the simple_allow_groups groups. Now I have enabled pam_access.so in both /etc/pam.d/login and /etc/pam.d/sshd.
/etc/pam.d/login (I have removed all comments, for readability):

#
# The PAM configuration file for the Shadow `login' service
#
auth       optional   pam_faildelay.so  delay=3000000
auth       [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth       requisite  pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required   pam_loginuid.so
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_group.so
account    required   pam_access.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate
session    optional   pam_mail.so standard
session    optional   pam_keyinit.so force revoke
@include common-account
@include common-session
@include common-password
/etc/pam.d/sshd:

# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
account    required     pam_access.so
@include common-account
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
When I dug into auth.log it seemed like sssd authenticated the users but denied them due to simple_allow_groups, so I changed access_provider = simple to access_provider = permit and restarted sssd.
Now all users are allowed to log in if AD authenticates them. Then I added the following to /etc/security/access.conf:

+ : (example) : ALL
- : ALL except root my-mail@example.dk : ALL
I restarted sshd and sssd just to be sure. Now I get the following error:

Jun 14 10:47:37 example01 sshd[89937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_access(sshd:account): access denied for user `aduser@example.dk' from `10.14.1.2'
Jun 14 10:47:37 example01 sshd[89937]: Failed password for aduser@example.dk from 10.14.1.2 port 52944 ssh2
Jun 14 10:47:37 example01 sshd[89937]: fatal: Access denied for user aduser@example.dk by PAM account configuration [preauth]
If I change "- : ALL except root my-mail@example.dk : ALL" to "- : ALL except root EXAMPLE\aduser my-mail@example.dk : ALL", aduser@example is allowed to log in.
I just tested: it also works with

+ : EXAMPLE\aduser : ALL
- : ALL except root my-mail@example.dk : ALL

So it seems like the group is not evaluated correctly? OS is Ubuntu 18.04.2 LTS.
Best Regards, Mads.
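The access.conf evaluation discussed in the message above, as an added example that is not from the thread and not Linux-PAM's own code: a small Python model of how pam_access walks the user field of an access.conf line, with the token order taken from user_match() in pam_access.c (a token containing '@' is split into user@host, then @netgroup, then (group), then ALL or the exact user name, and finally a bare token is tried as a group name) and the EXCEPT handling of list_match(). NSS is replaced by two constructed dicts: the users, their GIDs, the private group that sssd's auto_private_groups = True exposes under the user's own name, the hostname example01.example.dk and the origin 10.14.1.2 are all assumptions. Origin matching is reduced to ALL, LOCAL, an exact host and a leading-dot domain suffix.

```python
"""Model of pam_access's access.conf evaluation (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Passwd:
    name: str
    gid: int


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)   # gr_mem


# Constructed NSS view, assumption: usermod wrote the fully-qualified name
# into /etc/group, and sssd (auto_private_groups = True) answers getgrnam()
# for the user's private group under both name forms it accepts.
USERS = {
    "root": Passwd("root", 0),
    "aduser@example.dk": Passwd("aduser@example.dk", 10001),
    "my-mail@example.dk": Passwd("my-mail@example.dk", 10002),
}
_PRIVATE = Group("aduser@example.dk", 10001)
GROUPS = {
    "root": Group("root", 0),
    "example": Group("example", 1001, ["aduser@example.dk"]),
    "aduser@example.dk": _PRIVATE,
    "EXAMPLE\\aduser": _PRIVATE,
}


def user_in_group(pw: Passwd, gr) -> bool:
    """pam_modutil_user_in_group_nam_nam(): primary GID or an exact gr_mem entry."""
    return gr is not None and (pw.gid == gr.gid or pw.name in gr.members)


def from_match(tok: str, origin: str) -> bool:
    """Reduced origin matching: ALL, LOCAL, exact host, or a .domain suffix."""
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in origin and ":" not in origin
    if tok.startswith("."):
        return origin.lower().endswith(tok.lower())
    return tok.lower() == origin.lower()


def user_match(tok: str, pw: Passwd, local_host: str) -> bool:
    """Token order as in pam_access.c user_match()."""
    lead = len(tok) - len(tok.lstrip("@"))
    at = tok.find("@", lead)
    if at != -1:
        # user@host: the part after '@' is a host pattern compared with the
        # local hostname, so "my-mail@example.dk" is NOT an account name here.
        return user_match(tok[:at], pw, local_host) and from_match(tok[at + 1:], local_host)
    if tok.startswith("@"):                      # @netgroup: not modelled
        return False
    if tok.startswith("(") and tok.endswith(")"):
        return user_in_group(pw, GROUPS.get(tok[1:-1]))
    if tok.upper() == "ALL" or tok.lower() == pw.name.lower():
        return True
    # legacy syntax: a bare token is finally tried as a group name
    return user_in_group(pw, GROUPS.get(tok))


def list_match(toks: list, match: Callable[[str], bool]) -> bool:
    """Tokens before EXCEPT are tried in order; a hit stands unless the EXCEPT list also hits."""
    upper = [t.upper() for t in toks]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(toks)
    head, tail = toks[:cut], toks[cut + 1:]
    if not any(match(t) for t in head):
        return False
    return not (tail and list_match(tail, match))


def access_decision(conf: str, user: str, origin: str, local_host: str) -> bool:
    """True = permit. The first line whose user list AND origin list both match
    decides (+ permits, - denies); with no matching line pam_access permits."""
    pw = USERS.get(user)
    if pw is None:
        return False                              # PAM_USER_UNKNOWN
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, froms = (f.strip() for f in line.split(":", 2))
        if list_match(users.replace(",", " ").split(), lambda t: user_match(t, pw, local_host)) \
           and list_match(froms.replace(",", " ").split(), lambda t: from_match(t, origin)):
            return perm.startswith("+")
    return True


# The two access.conf variants from the thread; hostname and origin are assumptions.
CONF_GROUP = "+ : (example) : ALL\n- : ALL except root my-mail@example.dk : ALL\n"
CONF_BARE = "+ : EXAMPLE\\aduser : ALL\n- : ALL except root my-mail@example.dk : ALL\n"
HOST, ORIGIN = "example01.example.dk", "10.14.1.2"


def demo() -> dict:
    return {
        # (example) matches only if gr_mem holds exactly the pw_name NSS returns
        "aduser via (example)": access_decision(CONF_GROUP, "aduser@example.dk", ORIGIN, HOST),
        # a bare token that is not the user name falls through to the group path;
        # here it hits the private group whose GID equals the user's pw_gid
        "aduser via bare token": access_decision(CONF_BARE, "aduser@example.dk", ORIGIN, HOST),
        # my-mail@example.dk is read as user my-mail from host example.dk, so the
        # except list never covers that account and the '-' line denies it
        "my-mail via except": access_decision(CONF_GROUP, "my-mail@example.dk", ORIGIN, HOST),
        "root via except": access_decision(CONF_GROUP, "root", ORIGIN, HOST),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case}: {'permit' if permitted else 'deny'}")
```

Two things the model makes visible. The (example) path succeeds only when the member string in /etc/group equals the pw_name NSS returns for the user (aduser@example.dk with use_fully_qualified_names = TRUE), so when it fails on a real host the first thing to compare is the output of id and getent group for that user. And a user-field token containing '@' is parsed as user@host, so my-mail@example.dk in the except list means the user my-mail from the host example.dk, not the AD account. Whether the private-group route is what made EXAMPLE\aduser match on the poster's system is not established in the thread; the model only shows that such a route exists.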
On Fri, Jun 14, 2019 at 09:22:17AM -0000, Mads Boye wrote:
So it seems like the group is not evaluated correctly?
I guess.. when you have the access control disabled and log in with aduser@example and then run "id", does it show the group example?
maybe the 'debug' parameter of pam_access.so could help here..
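A way to run the check Jakub suggests above, as an added diagnostic that is not from the thread: it performs the same NSS lookups that Linux-PAM's pam_modutil_user_in_group_nam_nam() (used by pam_access for "(group)" tokens) and OpenSSH's AllowGroups rely on, and reports which of the three membership legs succeeds for a user and group name. The command-line usage and the example names are assumptions; run it on the sssd client itself so that nss_sss is consulted.

```python
"""Report how NSS resolves a user's membership in a group (added diagnostic).

Usage (assumed): python3 nss_group_check.py aduser@example.dk example
"""
import grp
import os
import pwd
import sys

LEGS = ("primary", "gr_mem", "grouplist")


def user_in_group(user: str, group: str) -> dict:
    """Evaluate the three ways pam_modutil_user_in_group_nam_nam() can decide
    the user is in the group:
      primary   - the group is the user's primary group (pw_gid == gr_gid)
      gr_mem    - the user name appears verbatim in the group's member list
      grouplist - the group's GID is in getgrouplist(), i.e. initgroups via
                  every NSS module (files, sss, ...); this is also the list
                  sshd's AllowGroups consults.
    Returns a dict so callers can see which leg matched, or why none did."""
    out = {"user": user, "group": group, "pw": None, "gr": None,
           "primary": False, "gr_mem": False, "grouplist": False, "member": False}
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return out                       # pam_access: PAM_USER_UNKNOWN
    out["pw"] = pw.pw_name
    try:
        gr = grp.getgrnam(group)
    except KeyError:
        return out
    out["gr"] = gr.gr_name
    out["primary"] = pw.pw_gid == gr.gr_gid
    # Exact string compare, as in PAM: the spelling written into /etc/group
    # must equal the pw_name NSS returns (fully qualified with sssd here).
    out["gr_mem"] = pw.pw_name in gr.gr_mem
    out["grouplist"] = gr.gr_gid in os.getgrouplist(pw.pw_name, pw.pw_gid)
    out["member"] = any(out[k] for k in LEGS)
    return out


def explain(r: dict) -> str:
    """Human-readable verdict for the result of user_in_group()."""
    if r["pw"] is None:
        return f"user {r['user']!r} not found by NSS (check getent passwd and the sssd logs)"
    if r["gr"] is None:
        return f"group {r['group']!r} not found by NSS (check getent group)"
    legs = [k for k in LEGS if r[k]]
    if legs:
        return f"{r['pw']} is a member of {r['gr']} via {', '.join(legs)}"
    return (f"{r['pw']} is NOT a member of {r['gr']}: pam_access '({r['gr']})' "
            f"and sshd AllowGroups will not match")


def self_check() -> dict:
    """Sanity check against the account running this script (falling back to
    uid 0): the primary-group leg must succeed on any working NSS setup."""
    for uid in (os.getuid(), 0):
        try:
            pw = pwd.getpwuid(uid)
            gr = grp.getgrgid(pw.pw_gid)
        except KeyError:
            continue
        return user_in_group(pw.pw_name, gr.gr_name)
    raise RuntimeError("NSS cannot resolve even uid 0; passwd/group lookups are broken")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(explain(self_check()))
    else:
        print(explain(user_in_group(sys.argv[1], sys.argv[2])))
```

If the gr_mem leg fails while getent group shows the user listed, compare the two strings character by character (name suffix, case): pam_access does an exact comparison against pw_name and does not normalise either side. If grouplist fails as well, the group never reaches sshd's AllowGroups either, since both read the same initgroups result.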