Hi,
that's actually what we tried:
> [sssd]
> domains = fsmpi.rwth-aachen.de
> config_file_version = 2
> services = nss, pam
>
> [pam]
> offline_credentials_expiration = 1
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 0
>
> [domain/fsmpi.rwth-aachen.de]
> ad_domain =
On Wed, Sep 11, 2019 at 3:05 PM Hinrikus Wolf wrote:
> ldap_search_base =
> dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Putting an (objectClass=user) filter in
On Wed, Sep 11, 2019 at 09:04:40PM +0200, Hinrikus Wolf wrote:
> Hi,
>
> that's actually what we tried:
>
>
> > [sssd]
> > domains = fsmpi.rwth-aachen.de
> > config_file_version = 2
> > services = nss, pam
> >
> > [pam]
> > offline_credentials_expiration = 1
> >
Hi,
I am running sssd-1.16.4-21.el7.x86_64 (from CR repo) on a CentOS 7 client. I
authenticate to AD 2016, and control access to servers using GPO. For some
reason, a completely unprivileged user in AD is allowed to log in, and I'd like
to understand why.
Here's a sanitized sssd.conf:
[sssd]
Even when I reconfigure AD to make sure there are no applicable GPOs found, I'm
still granted access with my unprivileged user.
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
On 9/11/19 10:56 AM, Emil Petersson wrote:
Even when I reconfigure AD to make sure there are no applicable GPOs found, I'm
still granted access with my unprivileged user.
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive