On Wed, 18 Mar 2015, Guertin, David S. wrote:
I've almost got AD integration going, except for the minor detail that no one
can log in. When an AD user tries to SSH in to the IPA server, /var/log/secure
shows:
------------------------------------------
Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu
user=MIDD\guertin-s
Mar 18 13:59:09 genet sshd[21335]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu
user=MIDD\guertin-s
Mar 18 13:59:10 genet sshd[21335]: pam_sss(sshd:account): Access denied for
user MIDD\guertin-s: 6 (Permission denied)
Mar 18 13:59:10 genet sshd[21335]: Failed password for MIDD\\guertin-s from
140.233.6.66 port 59707 ssh2
Mar 18 13:59:10 genet sshd[21335]: fatal: Access denied for user
MIDD\\\\guertin-s by PAM account configuration [preauth]
------------------------------------------
So pam_sss is responding with "permission denied".
pam_sss verifies your right to access a service by seeing if there is an
HBAC rule that allows it. HBAC rules exist to allow what is denied by
default.
In a standard FreeIPA setup we have an 'allow_all' HBAC rule which roughly
states "anyone can access any service on any host". Did you disable this
rule?
If yes, then you have to have explicit rules allowing access to
specific services.
See examples in 'ipa trust' and 'ipa hbacrule'. Without arguments any
topic-level command in the IPA CLI prints its help, which includes examples
of using the commands from that topic.
To create HBAC rules for AD users you first need to create a grouping
for them in IPA ('ipa trust' has an explicit example of how to do that) and
then define an HBAC rule to allow that POSIX group to access the sshd
service.
HBAC services are PAM service names (i.e. /etc/pam.d/<name>).
Everything looks normal here to me, until "[pam_dp_process_reply]
(0x0100): received: [6]", after which the client disconnects. Can
someone help with PAM configuration to get this to work?
As described in the documentation, my ad_users group contains the group
ad_users_external, which contains the AD group rhidm_users:
# ipa group-show ad_users
Group name: ad_users
Description: AD users
GID: 1447200005
Member groups: ad_users_external
# ipa group-show ad_users_external
Group name: ad_users_external
Description: AD users external map
Member of groups: ad_users
External member: [email protected]?
Right, so you have the ad_users group now and need to define an HBAC rule
allowing it access to the sshd service.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
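An added example, not part of the thread, that scripts the steps Alexander describes: the external group nested in a POSIX group, an HBAC rule granting that group only the sshd service, and an 'ipa hbactest' check before anyone tries to log in again. The rule name allow_ad_ssh, the host genet.example.com and the AD group rhidm_users are assumptions; without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: AD domain MIDD, AD group
# rhidm_users, IPA host genet.example.com, rule allow_ad_ssh. Run with APPLY=1
# on an enrolled host after 'kinit admin'; otherwise it prints the commands.
set -eu

AD_DOMAIN=${AD_DOMAIN:-MIDD}
AD_GROUP=${AD_GROUP:-rhidm_users}
EXT_GROUP=${EXT_GROUP:-ad_users_external}
POSIX_GROUP=${POSIX_GROUP:-ad_users}
RULE=${RULE:-allow_ad_ssh}
IPA_HOST=${IPA_HOST:-genet.example.com}

# Run a command, or print it when APPLY is not set (dry run for review).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: external group holding the AD SID, nested in a POSIX group that
# HBAC and sssd can resolve, matching the poster's group-show output.
create_ad_grouping() {
    run ipa group-add --external "$EXT_GROUP" --desc "AD users external map"
    run ipa group-add-member "$EXT_GROUP" --external "$AD_DOMAIN\\$AD_GROUP"
    run ipa group-add "$POSIX_GROUP" --desc "AD users"
    run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# Step 2: HBAC rule scoped to the sshd PAM service only, not every service.
# --hostcat=all mirrors allow_all for hosts; use hbacrule-add-host instead
# if only some hosts should accept AD logins.
create_sshd_rule() {
    run ipa hbacrule-add "$RULE" --hostcat=all --desc "AD users may use sshd"
    run ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Step 3: evaluate the rules server-side; the output lists the rules that
# matched and ends with "Access granted" or "Access denied".
check_access() {
    run ipa hbactest --user "$AD_DOMAIN\\$1" --host "$IPA_HOST" --service sshd
}

if [ "${APPLY:-0}" = 1 ]; then
    create_ad_grouping
    create_sshd_rule
    check_access guertin-s
fi
```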