Hello everyone.
I managed to configure SSH login for users via pam_sss against our AD.
The users authenticate with their userPrincipalName. The providers for
each of the domains are:
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
For the main domain this configuration works perfectly because the
sAMAccountName is the same as the name (the first part of
user@domain.tld).
But when I tried to configure one of the other domains I got stuck on the
following problem:
The sAMAccountName of the users differs from the UPN. For example, the user
with UPN "test.linksync@linkoffice.fr" has the SAM "LINKSYNC".
When I try to get the user info for this user with:
getent passwd test.linksync@linkoffice.fr
the authentication provider tries to get the user object from LDAP
with the following filter:
[(&(userPrincipalName=test.linksync)(objectclass=user)(userPrincipalName=*)(objectSID=*))]
I think that the problem here is with the id_provider. I tried to
configure the re_expression and full_name_format options but they did
not change anything in the request filter.
Is there a way to change how the id_provider gets the user object from
the tree? For example, I want to query LDAP with the format user@domain
and not only the name.
For example, a user logs in with "test.linksync@linkoffice.fr" and the
request for the id should be
[(&(userPrincipalName=test.linksync@linkoffice.fr)(objectclass=user)(userPrincipalName=*)(objectSID=*))]
The problematic configuration of the domain is the following:
[domain/linkoffice.fr]
debug_level = 10
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
use_fully_qualified_names = true
ldap_access_filter = memberOf=CN=008 VDI ACCESS,OU=Security,OU=Groups,OU=008,OU=Clients,DC=008dn,DC=domain,DC=tld
ldap_uri = ldap://008-010-01.008dn.domain.tld
ldap_sasl_mech = GSSAPI
ldap_id_mapping = true
ldap_schema = ad
ldap_referrals = False
ldap_search_base = dc=008dn,dc=domain,dc=tld
ldap_user_search_base = dc=008dn,dc=domain,dc=tld
ldap_user_object_class = user
ldap_group_search_base = dc=008dn,dc=domain,dc=tld
ldap_group_object_class = group
ldap_user_name = userPrincipalName
ldap_user_member_of = memberOf
ldap_access_order = filter
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
krb5_realm = DOMAIN.TLD
krb5_canonicalize = False
krb5_server = 007-010-01.domain.tld:88
krb5_kpasswd = 007-010-01.domain.tld:88
krb5_use_enterprise_principal = True
override_homedir = /home/%d-%u
override_shell = /bin/bash
Thanks in advance.
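To make the mismatch in the post easier to reason about, here is an added Python model (example code, not from the post or from SSSD itself) of how a login string is split by a re_expression and how only the <name> part ends up in the ldap_user_name attribute of the search filter. The default regex is an assumption taken from the documented default for the plain ldap provider; the filter shape is copied from the two filters quoted above, and values are escaped per RFC 4515 so that a login name can never change the structure of the filter.

```python
import re

# Assumed default re_expression for id_provider = ldap: everything before
# the first "@" is the user name, the rest is the domain.
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# RFC 4515 escapes for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it stays inside one attribute assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str, re_expression: str = DEFAULT_RE_EXPRESSION):
    """Split a login string into (name, domain) the way re_expression would."""
    m = re.match(re_expression, login)
    if not m:
        raise ValueError(f"login {login!r} does not match re_expression")
    return m.group("name"), m.group("domain")


def build_user_filter(name: str, ldap_user_name: str = "userPrincipalName",
                      ldap_user_object_class: str = "user") -> str:
    """Build a filter in the shape quoted in the post for one name value.

    Whatever the regex captured as <name> is what the ldap_user_name attribute
    is compared against; the <domain> part never reaches the filter.
    """
    return (f"(&({ldap_user_name}={escape_filter_value(name)})"
            f"(objectclass={ldap_user_object_class})"
            f"(userPrincipalName=*)(objectSID=*))")


def filter_for_login(login: str, re_expression: str = DEFAULT_RE_EXPRESSION) -> str:
    """Filter the model produces for a full login string under re_expression."""
    name, _domain = split_login(login, re_expression)
    return build_user_filter(name)


if __name__ == "__main__":
    login = "test.linksync@linkoffice.fr"  # the login from the post
    print(filter_for_login(login))     # only "test.linksync" is searched for
    print(build_user_filter(login))    # the filter the poster would like to see
    print(build_user_filter("a(b)*c")) # constructed value: parentheses and * are escaped
```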