Hello,
I have a strange problem using the new "id_provider = ad" and "ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com" options. The problem is that I can always log on to the system, no matter whether the user is a member of the ldap_filter group or not. I want to filter out all domain users except those that are members of a special group named "Linux Admins". Please help me to resolve this issue. The sssd logs are in the attachment.
Here is some technical info:
Active Directory 2008 R2
CentOS 6.4

[root@testlinux ~]# uname -a
Linux testlinux 2.6.32-358.14.1.el6.x86_64 #1 SMP Tue Jul 16 23:51:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

[root@testlinux ~]# sssd --version
1.9.2

[root@testlinux ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac

[realms]
 EXAMPLE.COM = {
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[root@testlinux ~]# cat /etc/samba/smb.conf
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 security = ads
 client signing = yes
 client use spnego = yes
 kerberos method = secrets and keytab
 password server = *

[root@testlinux ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 0x2000

[nss]
override_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 0x2000

[pam]
debug_level = 0x2000

[domain/example.com]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ldap_referrals = false
ldap_id_mapping = true
ldap_force_upper_case_realm = true
ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
cache_credentials = false
debug_level = 0x2000
Best regards, Vladimir Akhmarov
On Thu, Aug 08, 2013 at 12:45:31PM +0400, Vladimir Akhmarov wrote:
Hi Vladimir,
Can you try whether setting these in the domain section makes the setup work for you?

access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = SHORTNAME$@REALM
you can see what the proper SHORTNAME$@REALM is for your setup from the output of "klist -k".
I'm sorry this is not documented better in 6.4. We improved the documentation somewhat in later releases and will work on making the setup work better out of the box as part of https://fedorahosted.org/sssd/ticket/1975
Hi, Jakub
Thanks for your reply. I have changed domain section according to your words. No success. Now I cannot even log on to the system via SSH.
[root@testlinux ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 0x2000

[nss]
override_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 0x2000

[pam]
debug_level = 0x2000

[domain/example.com]
id_provider = ad
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TESTLINUX$@EXAMPLE.COM
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ldap_referrals = false
ldap_id_mapping = true
ldap_force_upper_case_realm = true
ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
cache_credentials = false
debug_level = 0x2000

[root@testlinux ~]# ssh domainuser@127.0.0.1
domainuser@127.0.0.1's password:
Connection closed by 127.0.0.1
And again the log files are attached.
Best regards, Vladimir Akhmarov
On 08.08.2013, at 13:41, Jakub Hrozek jhrozek@redhat.com wrote:
On Thu, Aug 08, 2013 at 05:02:42PM +0400, Vladimir Akhmarov wrote:
Are you sure the user you are logging in as is a member of Linux Admins?
Can you send another round of logs, this time with debug_level = 7?
Hi, Will
I have already double checked and yes, you are right. My mistake: not "ldap_filter" but "ldap_access_filter" is the right option. I have checked my first config with "id_provider = ad" with no luck. So GSSAPI + access_provider = ldap are the necessary parts of my config. Now everything is working as expected. Thank you, Jakub, Will.
Here is the working solution:
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]
override_shell = /bin/bash
override_homedir = /home/%d/%u

[domain/msk.i-teco.ru]
access_provider = ldap
auth_provider = ad
chpass_provider = ad
id_provider = ad
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TESTLINUX$@EXAMPLE.COM
ldap_schema = ad
ldap_referrals = false
ldap_id_mapping = true
ldap_force_upper_case_realm = true
ldap_access_filter = memberOf=CN=Linux Admins,OU=Common Groups,DC=example,DC=com
cache_credentials = false
Best regards, Vladimir Akhmarov
On 08.08.2013, at 19:32, Will_Darton@navyfederal.org wrote:
Shouldn't that be

ldap_access_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com

-----------------------------
Will Darton

sssd-users-bounces@lists.fedorahosted.org wrote on 08/08/2013 10:24:59 AM:
From: Jakub Hrozek jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Date: 08/08/2013 10:25 AM
Subject: Re: [SSSD-users] id_provider ad and ldap_filter issue
Sent by: sssd-users-bounces@lists.fedorahosted.org
On Thu, Aug 08, 2013 at 08:07:19PM +0400, Vladimir Akhmarov wrote:
Ah, thanks Will! I completely missed the typo and just checked that there is a filter..
I'm glad it's working now!
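The root cause in this thread is a fail-open misconfiguration: SSSD does not recognise "ldap_filter", silently ignores it, and with no effective access filter every domain user can log in. The following is an added example, not code from the thread or from the SSSD project: a small linter for sssd.conf domain sections that catches that typo, a duplicated key, a missing access provider, and an ldap access provider that has nothing to filter on. The option names it checks are real sssd.conf options; the three sample configs are constructed to mirror the first attempt, the second attempt and the working solution above, with example.com and TESTLINUX$@EXAMPLE.COM as placeholders.

```python
"""Lint sssd.conf [domain/...] sections for the fail-open mistakes seen in this
thread. Added example, not SSSD project code; sample configs are constructed."""
import re
from typing import Dict, List, Tuple

Section = List[Tuple[str, str]]

# Constructed: first attempt, access filter under a key SSSD does not know.
FIRST_ATTEMPT = """
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
auth_provider = ad
ldap_schema = ad
ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
"""

# Constructed: second attempt, ldap access provider added but key still wrong
# and access_provider listed twice.
SECOND_ATTEMPT = """
[domain/example.com]
id_provider = ad
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TESTLINUX$@EXAMPLE.COM
auth_provider = ad
ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
"""

# Constructed: the working solution from the end of the thread.
WORKING = """
[domain/example.com]
access_provider = ldap
auth_provider = ad
id_provider = ad
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TESTLINUX$@EXAMPLE.COM
ldap_schema = ad
ldap_id_mapping = true
ldap_access_filter = memberOf=CN=Linux Admins,OU=Common Groups,DC=example,DC=com
cache_credentials = false
"""


def parse_ini(text: str) -> Dict[str, Section]:
    """Minimal INI reader that keeps duplicate keys (configparser would merge them)."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: LDAP filter values themselves contain '='.
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_domain(section: Section) -> List[str]:
    """Return human-readable findings for one [domain/...] section."""
    findings: List[str] = []
    keys = [k for k, _ in section]
    opts = dict(section)  # last occurrence of a key wins
    for key in sorted(set(keys)):
        if keys.count(key) > 1:
            findings.append(f"duplicate key '{key}' ({keys.count(key)} occurrences)")
    if "ldap_filter" in opts:
        findings.append("'ldap_filter' is not an sssd.conf option and is ignored; "
                        "use 'ldap_access_filter' or the host accepts every domain user")
    access = opts.get("access_provider", "permit")  # SSSD's documented default is permit
    if access == "permit":
        findings.append("access_provider is 'permit' (the default): every resolvable user may log in")
    if "ldap_access_filter" in opts and access != "ldap":
        findings.append(f"ldap_access_filter is set but access_provider is '{access}'; "
                        "the thread's SSSD 1.9.2 setup needed access_provider = ldap")
    order = [o.strip() for o in opts.get("ldap_access_order", "filter").split(",")]
    if access == "ldap" and "filter" in order and "ldap_access_filter" not in opts:
        findings.append("access_provider = ldap with 'filter' in ldap_access_order but no ldap_access_filter")
    if access == "ldap" and opts.get("ldap_sasl_mech", "").upper() != "GSSAPI":
        findings.append("access_provider = ldap without ldap_sasl_mech = GSSAPI; the working "
                        "config binds with the host keytab (ldap_sasl_authid = HOST$@REALM)")
    return findings


def lint_sssd_conf(text: str) -> Dict[str, List[str]]:
    """Map each domain section to its findings; an empty list means nothing was flagged."""
    return {name: lint_domain(sec) for name, sec in parse_ini(text).items()
            if name.startswith("domain/")}


if __name__ == "__main__":
    for label, conf in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("working", WORKING)):
        for domain, findings in lint_sssd_conf(conf).items():
            print(f"{label} [{domain}]: {findings or 'OK'}")
```

Run against the three samples it reports one finding for the first attempt (the bogus key), three for the second (duplicate access_provider, bogus key, and an ldap access provider with nothing to filter on) and none for the working solution. The parser deliberately avoids configparser so that a duplicated key, which the real SSSD parser resolves one way or another without telling you, is surfaced rather than hidden.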