In order to ssh using an AD account I had to comment out this line in password-auth:
password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
Prior to doing so I was getting this error in /etc/log/secure:
pam_sss(sshd:account): Access denied for user : 4 (system error)
and my ssh session immediately terminated. Has anyone else seen this and know why pam_sss.so is upset?
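An added audit helper for the state described in the comment above; it is not code from the original thread. The "account" line calling pam_sss.so is where SSSD refuses logins for expired or disabled AD accounts and applies its access filters, so commenting it out removes those checks for every service that includes password-auth. The script flags PAM service files where that line is missing or commented out. The two sample files are constructed here to stand in for /etc/pam.d/password-auth-ac on an intact host and on a host with the workaround applied.

```shell
#!/bin/sh
# Added audit helper, not code from the original thread.
# It reports PAM service files whose "account" phase no longer calls pam_sss.so,
# which is the state left behind by commenting out the line quoted above.

# pam_sss_account_active FILE
# Exit 0 when FILE has an uncommented "account ... pam_sss.so" entry, 1 otherwise.
# Leading whitespace is allowed; a leading '#' makes the entry inactive.
pam_sss_account_active() {
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$1"
}

# count_missing_pam_sss FILE...
# Print (on stdout) how many of the given files lack an active pam_sss.so
# account line; per-file status goes to stderr so the count stays parseable.
count_missing_pam_sss() {
    missing=0
    for f in "$@"; do
        if pam_sss_account_active "$f"; then
            echo "OK   $f: pam_sss.so account check is active" >&2
        else
            echo "WARN $f: pam_sss.so account check is missing or commented out" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample files (assumption: they mirror an authconfig-generated
# password-auth-ac stack on RH6); they are not copied from any real host.
WORKDIR=$(mktemp -d)
PAM_OK="$WORKDIR/password-auth-ac.intact"
PAM_BAD="$WORKDIR/password-auth-ac.commented"

cat > "$PAM_OK" <<'EOF'
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

cat > "$PAM_BAD" <<'EOF'
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

# On a real host you would pass /etc/pam.d/password-auth-ac and
# /etc/pam.d/system-auth-ac instead of the constructed samples.
count_missing_pam_sss "$PAM_OK" "$PAM_BAD"
```

The count on stdout makes the check easy to wire into a cron job or configuration-compliance scan: anything other than 0 means at least one service file lets sshd (or any other PAM client) skip SSSD's account-phase decision.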
Implemented AD/KRB/SSSD with both RH6 and RH7.
RH7 has no issues, as we are using auto_private_groups, which was added in 1.16.1.
In RH6 (sssd 1.13) the issue is that all users get the same groups, and it is a clear security gap.
The only way to avoid this, based on the KB articles, is to use AD POSIX attributes. If we don't want to use this setup, is there any other recommended way?
An example of the user/group representation, where all users get the same gid=273200513(domain users):
id username uid=2755191114(ncircle) gid=273200513(domain users) groups=273200513(domain users)