Hi All.
I’m trying to craft a configuration (on RHEL7, sssd-1.13.0-40.el7_2.12.x86_64) that will offer the following:
- authenticate a specific application (‘app’) via PAM/sssd to our AD directory (EXAMPLE.COM)
- authenticate everything else (in particular, sshd) via PAM/sssd to our UNIX-based Kerberos/LDAP directory (UNIXAUTH.EXAMPLE.COM)
Note that users have the same username in both directories, but have different passwords and different group membership.
The config I’m using to achieve this is:
----------
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com, unixauth.example.com

[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash
override_homedir = /home/%u

[pam]

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = permit
cache_credentials = true
ldap_idmap_range_size = 200000000
dyndns_update = false
ignore_group_members = true
debug_level = 7

[domain/unixauth.example.com]
debug_level = 9
id_provider = ldap
auth_provider = krb5
access_provider = ldap
chpass_provider = none
sudo_provider = none
autofs_provider = none
dns_discovery_domain = unixauth.example.com
lookup_family_order = ipv4_only
enumerate = true
ldap_uri = _srv_
ldap_default_bind_dn = cn=UNIX Manager,ou=admin,o=example
ldap_default_authtok = XXXXXXXXXXXXXXX
ldap_id_use_start_tls = true
ldap_access_filter = (isMemberOf=cn=systems,ou=roles,o=example)
ldap_user_search_base = ou=people,o=example?subtree?(|(isMemberOf=cn=systems,ou=roles,o=example))
ldap_group_search_base = ou=unix,o=example
ldap_schema = rfc2307
ldap_tls_reqcert = never
ldap_tls_cacertfile = /etc/openldap/cacerts/unixauth-ca-bundle.crt
# Get all the settings from /etc/krb5.conf
krb5_realm = UNIXAUTH.EXAMPLE.COM
----------
In addition, I’m specifying:
- ‘pam_sss.so […] domains=example.com’ in /etc/pam.d/app
- ‘pam_sss.so […] domains=unixauth.example.com’ in /etc/pam.d/system-auth
This configuration works to a point. The ‘app’ auth works correctly using AD credentials. However, although I can ssh in to the host with my ‘unixauth.example.com’ credentials successfully as I want, my *group* membership is coming from AD (example.com) *instead of* LDAP (unixauth.example.com)!
Should it be possible to set up the configuration I describe? If so, are there some settings I’m missing to make this work?
Regards,
Robert.
On (05/12/16 17:24), Robert Sturrock wrote:
> [...]
pam_sss.so can limit authentication using specified domains. However, the PAM stack needs to map the username to a UID (getpwnam) and also find out group membership (initgroups). Unfortunately, the NSS interface cannot limit a request just to a specific sssd domain. man sssd.conf -> use_fully_qualified_names
The solution might be:
a) both domains should not have any intersection of users/groups
b) enable fully qualified names in the 2nd domain. So sssd will be able to parse the fully qualified name and use the right domain for getpwnam and initgroups.
LS
sssd-users@lists.fedorahosted.org
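As an added illustration of the answer above (example code written for this page, not from the thread or from the sssd project): a small Python model of how sssd serves an NSS lookup when several domains are configured, plus a checker for the two sssd.conf pitfalls a reviewer would flag in the posted config. The resolution rule it models is the one sssd documents: a qualified `user@domain` goes only to that domain, while a bare `user` is tried against the domains in the order of the `domains =` line, skipping any domain with `use_fully_qualified_names = true`, and the first match wins. That ordering is why a bare login in the posted config is answered by example.com (AD) rather than unixauth.example.com. The sssd.conf text and the directory contents (same login in both domains, different groups) are constructed here; the bind password and group names are placeholders, not values from the thread.

```python
"""Model sssd multi-domain NSS resolution and lint an sssd.conf for the
pitfalls discussed in the thread. Everything below is a constructed
example; it does not call sssd itself."""
import configparser
import io
from typing import Dict, List, Optional, Set

# Constructed sssd.conf, cut down from the one posted in the thread.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com, unixauth.example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = permit

[domain/unixauth.example.com]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_tls_reqcert = never
"""

# Constructed directory contents: the same login exists in both domains with
# different group membership, exactly the situation the poster describes.
SAMPLE_DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "example.com": {"rsturrock": {"Domain Users", "app-users"}},
    "unixauth.example.com": {"rsturrock": {"systems", "wheel"}},
}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; disable interpolation so '%u' survives."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def domain_order(cfg: configparser.ConfigParser) -> List[str]:
    """Domains in the order sssd tries them for an unqualified name."""
    return [d.strip() for d in cfg["sssd"]["domains"].split(",") if d.strip()]


def requires_fqn(cfg: configparser.ConfigParser, domain: str) -> bool:
    sect = f"domain/{domain}"
    return cfg.has_section(sect) and cfg[sect].getboolean(
        "use_fully_qualified_names", fallback=False)


def resolve(cfg, directory, login: str) -> Optional[str]:
    """Return the domain an NSS lookup (getpwnam/initgroups) for `login`
    would be served from, or None if no domain knows the user."""
    if "@" in login:                       # qualified: that domain only
        user, domain = login.rsplit("@", 1)
        return domain if user in directory.get(domain, {}) else None
    for domain in domain_order(cfg):       # bare name: first match wins
        if requires_fqn(cfg, domain):      # FQN-only domains are skipped
            continue
        if login in directory.get(domain, {}):
            return domain
    return None


def groups_for(cfg, directory, login: str) -> Set[str]:
    """Group membership initgroups() would return for `login`."""
    domain = resolve(cfg, directory, login)
    if domain is None:
        return set()
    return set(directory[domain][login.split("@", 1)[0]])


def lint(cfg: configparser.ConfigParser) -> List[str]:
    """Findings a reviewer would raise against this configuration."""
    findings = []
    domains = domain_order(cfg)
    for d in domains[1:]:
        if not requires_fqn(cfg, d):
            findings.append(f"domain/{d}: a bare login that also exists in an "
                            "earlier domain is served by that earlier domain; "
                            "set use_fully_qualified_names = true")
    for d in domains:
        sect = f"domain/{d}"
        if cfg.has_section(sect) and \
                cfg[sect].get("ldap_tls_reqcert", "").lower() == "never":
            findings.append(f"{sect}: ldap_tls_reqcert = never disables LDAP "
                            "server certificate verification")
    return findings


def enable_fqn(text: str, domain: str) -> str:
    """Return the config text with use_fully_qualified_names enabled for
    `domain` (the fix the answer suggests for the 2nd domain)."""
    cfg = parse_sssd_conf(text)
    cfg.set(f"domain/{domain}", "use_fully_qualified_names", "true")
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    before = parse_sssd_conf(SAMPLE_CONF)
    after = parse_sssd_conf(enable_fqn(SAMPLE_CONF, "unixauth.example.com"))
    for label, cfg in (("before", before), ("after", after)):
        print(label, "rsturrock ->", resolve(cfg, SAMPLE_DIRECTORY, "rsturrock"),
              groups_for(cfg, SAMPLE_DIRECTORY, "rsturrock"))
        print(label, "rsturrock@unixauth.example.com ->",
              groups_for(cfg, SAMPLE_DIRECTORY, "rsturrock@unixauth.example.com"))
        for f in lint(cfg):
            print(label, "finding:", f)
```

With the posted layout the bare login resolves to example.com and carries the AD groups, which is the symptom reported. After `use_fully_qualified_names = true` is set on unixauth.example.com, the bare name still goes to AD (so `/etc/pam.d/app` keeps working), while `rsturrock@unixauth.example.com` is served by the LDAP domain with its own groups; sshd users then log in with the qualified name. The second lint finding is independent of the thread's question but worth acting on: with `ldap_tls_reqcert = never` the CA bundle in `ldap_tls_cacertfile` is never actually used to verify the LDAP server.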