I've been struggling with this all day and I'm getting nowhere. We're wanting to migrate from a 389-DS authenticated network to FreeIPA. We have a few Linux servers scattered around the world that authenticate against our current 389 directory and we're wanting to do this with minimal changes to these servers. The thought process is to perform LDAP auth against FreeIPA and filter access permissions by way of an LDAP access filter based on group membership as we are currently doing with 389, so we just need to make config changes to sssd to point to the new servers (and install the required certificate to do so).
FreeIPA servers are already setup and replicating. Set up a couple of test groups and a handful of test user accounts. I can successfully authenticate these users, but I get a permission denied seemingly at the access filter stage.
Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.66.67.69 user=markj Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:account): Access denied for user markj: 6 (Permission denied)
Same result for a console login. To test this, I changed the access_provider to 'permit' and I can successfully log in to the server. So, it's as if I'm having issues with my access filter, but everything I've tried is giving me the same result. I've used these same filters in ldapsearch tests and they seem to work fine. For instance, I've created a group called "serveradmins" and placed a couple of users in that group. My sssd.conf ldap_access_filter looks like this:
access_provider = ldap ldap_access_filter = memberOf=cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
But that just isn't working. However, if I issue the following, I can see the group members:
$ ldapsearch -x -W -LLL -H ldap://ussv4p6004.ipa.domain.com -b cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com -D "uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" Enter LDAP Password: dn: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=mark,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com cn: serveradmins objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject ipaUniqueID: 2e489422-36c2-11ec-a8a8-52540031af07
I've tried different groups including the default 'ipausers' group which everyone is a member of but I'm getting nowhere.
For the record, here's a snippet from the server audit.log when I fail to login. Not sure if that "PAM:accounting grantors=?" bit where the USER_ACCT fails is indicative of the problem or not but if so, I'm not sure what that means and how to resolve it. However, the same server works on the old 389 directory using LDAP auth - just have no idea what I'm missing.
type=USER_AUTH msg=audit(1635321247.300:1039): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.664:1040): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=success' type=USER_ACCT msg=audit(1635321252.855:1041): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.856:1042): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed'
Am Wed, Oct 27, 2021 at 07:58:50AM -0000 schrieb Mark Johnson via FreeIPA-users:
I've been struggling with this all day and I'm getting nowhere. We're wanting to migrate from a 389-DS authenticated network to FreeIPA. We have a few Linux servers scattered around the world that authenticate against our current 389 directory and we're wanting to do this with minimal changes to these servers. The thought process is to perform LDAP auth against FreeIPA and filter access permissions by way of an LDAP access filter based on group membership as we are currently doing with 389, so we just need to make config changes to sssd to point to the new servers (and install the required certificate to do so).
FreeIPA servers are already setup and replicating. Set up a couple of test groups and a handful of test user accounts. I can successfully authenticate these users, but I get a permission denied seemingly at the access filter stage.
Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.66.67.69 user=markj Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:account): Access denied for user markj: 6 (Permission denied)
Same result for a console login. To test this, I changed the access_provider to 'permit' and I can successfully log in to the server. So, it's as if I'm having issues with my access filter, but everything I've tried is giving me the same result. I've used these same filters in ldapsearch tests and they seem to work fine. For instance, I've created a group called "serveradmins" and placed a couple of users in that group. My sssd.conf ldap_access_filter looks like this:
access_provider = ldap ldap_access_filter = memberOf=cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com
Hi,
one possible solution might be to do it the FreeIPA way and create and HBAC rule which allows members of the group to log in with all services. With this all configuration will be done on the server side and you do not need additional options in sssd.conf on the client.
If you prefer to use 'access_provider = ldap' you might need some more LDAP provider specific options. Although the IPA provider is using LDAP as well the options are not shared here. To figure out waht is missing it might be most easy to add 'debug_level = 9' in the [domain/...] section of sssd.conf, restart SSSD, try to login again and the check the backend logs. The access control part in the log can be found by searching for 'PAM Account #' there is this string with a number at the start and the end of the access control validation.
HTH
bye, Sumit
But that just isn't working. However, if I issue the following, I can see the group members:
$ ldapsearch -x -W -LLL -H ldap://ussv4p6004.ipa.domain.com -b cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com -D "uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" Enter LDAP Password: dn: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=mark,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com cn: serveradmins objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject ipaUniqueID: 2e489422-36c2-11ec-a8a8-52540031af07
I've tried different groups including the default 'ipausers' group which everyone is a member of but I'm getting nowhere.
For the record, here's a snippet from the server audit.log when I fail to login. Not sure if that "PAM:accounting grantors=?" bit where the USER_ACCT fails is indicative of the problem or not but if so, I'm not sure what that means and how to resolve it. However, the same server works on the old 389 directory using LDAP auth - just have no idea what I'm missing.
type=USER_AUTH msg=audit(1635321247.300:1039): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.664:1040): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=success' type=USER_ACCT msg=audit(1635321252.855:1041): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.856:1042): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed' _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Thank you very much Sumit, I think you may have pointed me in the right direction. Haven't resolved it yet, but I have a hunch what the issue might be. I compared the debug_level 9 output from this and also using our existing 389 authentication.
IPA: (2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))][uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com]. (2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_access_filter_done] (0x0100): User [markj@ipa.domain.com] was not found with the specified filter. Denying access. (2021-10-27 21:25:11): [be[ipa.domain.com]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
389: (2021-10-27 21:47:45): [be[domain.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ServerAdmins,ou=Groups,dc=domain,dc=com))][uid=markj,ou=People,dc=domain,dc=com]. (2021-10-27 21:47:46): [be[domain.com]] [sdap_access_filter_done] (0x0400): Access granted by online lookup
Further testing via ldapsearch seems to indicate the difference being that I can get group membership information from an unauthenticated bind in 389 but not with IPA. I think I just need to modify my sssd.conf for an authenticated bind and I think that might resolve the issue. Hopefully.
Unfortunately, that didn't solve the issue. sssd.conf is now configured with an authenticated bind, authentication phase still passes for the user, but access phase is still failing with the same filter error. Using the exact filter shown in the logs works fine from ldapsearch, however.
$ ldapsearch -x -LLL -b "dc=ipa,dc=domain,dc=com" -H ldap://ussv4p6004.ipa.domain.com "(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))" -D "uid=admin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" -W Enter LDAP Password: dn: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com memberOf: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com memberOf: cn=users,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com <etc>
Back to the drawing board.
OK, I finally managed to get a successful login using an ldap access filter. The filter wasn't the real issue. I noticed from the debug logs in sssd that the DN didn't look right (cn=compat instead of cn=accounts):
[sdap_save_user] (0x2000): Adding originalDN [uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com] to attributes of [markj@ipa.domain.com]
Also noticed this when looking through the logs:
(2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x0200): The search returned 2 entries, need to match the correct one (2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x4000): Storing the user
So, the access search looked like this
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=serveraccess,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))][uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com].
These findings seems to suggest that the user account can be found both via ldap, but only one is correct and sssd is choosing the wrong one, hence the access failure. So, I added the following to the domain section of sssd.conf and now the search works correctly and I can now restrict access based on group membership:
ldap_default_bind_dn = uid=admin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com
I also added the following line, but I don't see any noticeable difference with or without it so far. Leaving it in there because it might be important for something:
ldap_schema = IPA
Am Thu, Oct 28, 2021 at 02:16:25AM -0000 schrieb Mark Johnson via FreeIPA-users:
OK, I finally managed to get a successful login using an ldap access filter. The filter wasn't the real issue. I noticed from the debug logs in sssd that the DN didn't look right (cn=compat instead of cn=accounts):
[sdap_save_user] (0x2000): Adding originalDN [uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com] to attributes of [markj@ipa.domain.com]
Also noticed this when looking through the logs:
(2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x0200): The search returned 2 entries, need to match the correct one (2021-10-27 21:25:10): [be[ipa.domain.com]] [sdap_get_initgr_user] (0x4000): Storing the user
So, the access search looked like this
Hi,
yes, if you have enabled the compat-tree in the IPA servers searches with the baseDN (dc=ipa,dc=domain,dc=com) will find the objects in two trees, cn=compat and cn=accounts.
Another way to avoid this is it set 'ldap_user_search_base' explicitly to 'cn=accounts,dc=ipa,dc=domain,dc=com'.
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=markj)(objectclass=posixAccount)(memberOf=cn=serveraccess,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com))][uid=markj,cn=users,cn=compat,dc=ipa,dc=domain,dc=com].
These findings seems to suggest that the user account can be found both via ldap, but only one is correct and sssd is choosing the wrong one, hence the access failure. So, I added the following to the domain section of sssd.conf and now the search works correctly and I can now restrict access based on group membership:
ldap_default_bind_dn = uid=admin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com
The memberOf attributes are only visible after an authenticated bind. But please do not use the admin user here. I would suggest to try to set
ldap_sasl_mech = GSSAPI
instead. This should tell SSSD to do a SASL bind with the help of the host keys from the default keytab as the IPA provider is already doing it.
HTH
bye, Sumit
I also added the following line, but I don't see any noticeable difference with or without it so far. Leaving it in there because it might be important for something:
ldap_schema = IPA
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
freeipa-users@lists.fedorahosted.org