On Fri, Jun 14, 2019 at 09:22:17AM -0000, Mads Boye wrote:
Hi Jakub.
Thank you for the reply. I still have no success.
Did try the AllowGroup in sshd_config but with no luck.
So I did a bit more investigation on pam_access and think that pam_access and pam_sss
might be locking each other out.
So I will try to explain my setup.
In sssd.conf we use the "simple_allow_groups" for access for users and admins.
The config looks like:
/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
#debug_level = 9
config_file_version = 2
domains = example.dk
default_domain_suffix = EXAMPLE.DK
use_fully_qualified_names = TRUE
[autofs]
[nss]
#debug_level = 9
reconnection_retries = 3
[pam]
#debug_level = 9
reconnection_retries = 100
# allow PAM to cache user details for this long
# this can improve login times
# but it also delays AD changes from being seen
pam_id_timeout = 600
[domain/example.dk]
id_provider = ad
#debug_level = 6
auth_provider = ad
access_provider = simple
ldap_id_mapping = False
simple_allow_groups = serveradmins@example.dk, hostaccess@example.dk
chpass_provider = ad
ad_gpo_access_control = disabled
override_homedir = /user/%d/%u
override_shell = /bin/bash
dyndns_update = True
dyndns_refresh_interval = 43200
dyndns_update_ptr = True
auto_private_groups = True
With this, ssh and /bin/login work for members of the AD groups.
Now I have created a local group and added AD users to it:
sudo addgroup example
sudo usermod -a -G example aduser@example.dk
aduser@example.dk is not a member of the simple_allow_groups groups.
Now I have enabled pam_access.so in both /etc/pam.d/login and sshd.
login (I have removed all comments for readability):
#
# The PAM configuration file for the Shadow `login' service
#
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
account required pam_access.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard
session optional pam_keyinit.so force revoke
@include common-account
@include common-session
@include common-password
sshd:
# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
account required pam_access.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
When I dug into auth.log it seemed like sssd authenticated the users but denied them due to simple_allow_groups, so I changed
access_provider = simple to access_provider = permit and restarted sssd.
Now all users are allowed to log in if AD authenticates them.
Now I added the following to /etc/security/access.conf:
+ : (example) : ALL
- : ALL except root my-mail@example.dk : ALL
and restarted sshd and sssd just to be sure.
Now I get the following error:
Jun 14 10:47:37 example01 sshd[89937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 user=aduser@example.dk
Jun 14 10:47:37 example01 sshd[89937]: pam_access(sshd:account): access denied for user `aduser@example.dk' from `10.14.1.2'
Jun 14 10:47:37 example01 sshd[89937]: Failed password for aduser@example.dk from 10.14.1.2 port 52944 ssh2
Jun 14 10:47:37 example01 sshd[89937]: fatal: Access denied for user aduser@example.dk by PAM account configuration [preauth]
If I change "- : ALL except root my-mail@example.dk : ALL" to "- : ALL except root EXAMPLE\aduser my-mail@example.dk : ALL",
the aduser@example is allowed to log in.
I just tested; it also works with
+ : EXAMPLE\aduser : ALL
- : ALL except root my-mail@example.dk : ALL
So it seems like the group is not evaluated correctly?
I guess... when you have the access control disabled and log in with
aduser@example and then run "id", does it show the group example?
Maybe the 'debug' parameter of pam_access.so could help here.
> OS is Ubuntu 18.04.2 LTS
>
> Best Regards,
> Mads.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
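An added example for the question in the reply above (my own code, not from the post and not from the Linux-PAM project): a small Python evaluator that applies the access.conf rule semantics documented in access.conf(5) (rules tried in order, first match decides, no match means allow, `(name)` forces a group lookup, `ALL except ...`) to the two rules from the post. Group membership comes from a constructed NSS view rather than from the host, so the same rules can be evaluated once with the AD user listed as a member of the local group `example` and once without, which is what the `id` check in the reply probes. The gids are made up and the user names and client address are taken from the post; tokens containing `@` are compared literally here, although pam_access gives them additional meaning in that field (netgroups, user@host), so this models the group-matching path only.

```python
"""Rule evaluator for /etc/security/access.conf following access.conf(5):
rules are tried in order, the first match decides, no match means allow.
Added example for the thread, not code from the poster or from Linux-PAM.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed NSS view standing in for `getent passwd/group` on the host.
# name -> primary gid, fully qualified as sssd returns them with
# use_fully_qualified_names = TRUE (gids are made up).
USERS: Dict[str, int] = {
    "root": 0,
    "aduser@example.dk": 1000001,
    "my-mail@example.dk": 1000002,
}
# group name -> (gid, gr_mem); "example" is the local group from the post.
NSS_OK = {"users": USERS, "groups": {"example": (1001, {"aduser@example.dk"})}}
# Same host, but the group lookup does not list the AD user as a member.
NSS_NO_MEMBER = {"users": USERS, "groups": {"example": (1001, set())}}

Rule = Tuple[bool, List[str], List[str]]   # (permit?, user tokens, origin tokens)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse `perm : users : origins` lines; '#' starts a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf:{lineno}: malformed rule {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def user_in_group(nss: dict, user: str, group: str) -> bool:
    """The group test pam_access applies: primary gid or listed in gr_mem."""
    if user not in nss["users"] or group not in nss["groups"]:
        return False
    gid, members = nss["groups"][group]
    return nss["users"][user] == gid or user in members


def user_match(tok: str, user: str, nss: dict, nodefgroup: bool = False) -> bool:
    """One token of the users field against the login name."""
    if tok.upper() == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):      # (group): group lookup only
        return user_in_group(nss, user, tok[1:-1])
    # Not modelled: pam_access also reads '@' specially here (@netgroup,
    # user@host); a fully qualified name is compared literally in this example.
    if tok.lower() == user.lower():
        return True
    # Without the nodefgroup option a bare name is also tried as a group name.
    return not nodefgroup and user_in_group(nss, user, tok)


def from_match(tok: str, origin: str) -> bool:
    """Origins field: ALL, exact host/address, 'a.b.' prefix or address/prefixlen
    (LOCAL and the leading-dot domain form are left out)."""
    if tok.upper() == "ALL" or tok.lower() == origin.lower():
        return True
    if tok.endswith(".") and origin.startswith(tok):
        return True
    if "/" in tok:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return False


def list_match(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """Scan until EXCEPT; a hit before it stands unless the exception list hits too."""
    head, tail = tokens, None
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            head, tail = tokens[:i], tokens[i + 1:]
            break
    if not any(match(t) for t in head):
        return False
    return tail is None or not list_match(tail, match)


def evaluate(rules: List[Rule], user: str, origin: str, nss: dict = NSS_OK,
             nodefgroup: bool = False) -> Tuple[bool, Optional[int]]:
    """Return (allowed, index of the deciding rule; None when no rule matched)."""
    for idx, (permit, user_toks, from_toks) in enumerate(rules):
        if (list_match(user_toks, lambda t: user_match(t, user, nss, nodefgroup))
                and list_match(from_toks, lambda t: from_match(t, origin))):
            return permit, idx
    return True, None   # pam_access grants access when nothing matched


ACCESS_CONF = """\
+ : (example) : ALL
- : ALL except root my-mail@example.dk : ALL
"""


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """The post's two rules for the relevant logins from the sshd client address."""
    rules = parse_access_conf(ACCESS_CONF)
    origin = "10.14.1.2"
    return {
        "aduser, member of example": evaluate(rules, "aduser@example.dk", origin, NSS_OK),
        "aduser, no membership": evaluate(rules, "aduser@example.dk", origin, NSS_NO_MEMBER),
        "root": evaluate(rules, "root", origin, NSS_OK),
        "my-mail": evaluate(rules, "my-mail@example.dk", origin, NSS_OK),
    }


if __name__ == "__main__":
    for who, (allowed, idx) in demo().items():
        rule = "no rule matched (default allow)" if idx is None else f"rule {idx + 1}"
        print(f"{who:26s} -> {'allow' if allowed else 'deny':5s} by {rule}")
```

Run as a script it prints one verdict per login. Two things worth noticing: the AD user is only permitted by the first rule when the group lookup actually returns the membership, otherwise the `ALL except ...` rule denies them, which is the same shape as the pam_access(sshd:account) line in the log; and root is never matched by either rule, so root gets in through the default-allow path rather than through an explicit permit.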