[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread Daniele Raffo
Thanks a lot, it works.  Changed

simple_allow_groups = Simple Users@FOOBAR.GLOBAL

to

simple_allow_groups = Simple Users@FOOBAR_NOLOGIN.GLOBAL

and it works as intended.
One thing to keep in mind: these AD users must now be referenced in Linux (e.g. 
in /etc/sudoers) not by their AD domain of origin but by their sssd section 
domain, e.g. simpleuser@FOOBAR_NOLOGIN.GLOBAL.
For simplicity I also changed the other sssd section to [domain/FOOBAR.GLOBAL], 
and it works fine.

Many thanks for your assistance.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
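A small lint for the pitfall this message describes, added here as an example; it is not code from the thread and not part of SSSD. The rule it enforces is the one the thread arrives at: in a [domain/NAME] section that uses access_provider = simple, a qualified entry in the simple_* lists must carry NAME (the sssd section domain), not the value of ad_domain. It generalises slightly by checking all four lists (simple_allow_users, simple_allow_groups, simple_deny_users, simple_deny_groups). The sssd.conf text embedded below is constructed from the configuration posted in the thread, trimmed to the options the check needs, so the script runs offline; the Finding type and function names are this example's own.

```python
"""Lint an sssd.conf for simple access-provider entries qualified with the
wrong domain name. Example added to this thread, not SSSD's own code."""
from __future__ import annotations

import configparser
import textwrap
from dataclasses import dataclass

# The four name lists the simple access provider understands.
SIMPLE_LISTS = ("simple_allow_users", "simple_allow_groups",
                "simple_deny_users", "simple_deny_groups")


@dataclass(frozen=True)
class Finding:
    section: str      # e.g. "domain/FOOBAR_NOLOGIN.GLOBAL"
    option: str       # which simple_* list the entry came from
    entry: str        # the entry as written in sssd.conf
    suggestion: str   # the same entry requalified with the sssd domain name


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style. Interpolation must be off: values such as
    # fallback_homedir = /home/%u@%d are SSSD templates, and configparser
    # would otherwise choke on the '%' sequences.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_simple_access(text: str) -> list[Finding]:
    """Return one Finding per simple_* entry whose @-qualifier is not the
    sssd domain (the part of the section name after 'domain/')."""
    cp = parse_sssd_conf(text)
    findings: list[Finding] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sssd_domain = section[len("domain/"):]
        if cp[section].get("access_provider", "").strip() != "simple":
            continue
        for option in SIMPLE_LISTS:
            raw = cp[section].get(option)
            if raw is None:
                continue
            for entry in (e.strip() for e in raw.split(",")):
                if not entry or "@" not in entry:
                    continue  # unqualified entries default to this domain
                name, _, qualifier = entry.rpartition("@")
                # Domain names are compared case-insensitively, as SSSD does
                # for lookups such as id user@foobar_nologin.global.
                if qualifier.lower() != sssd_domain.lower():
                    findings.append(Finding(section, option, entry,
                                            f"{name}@{sssd_domain}"))
    return findings


# Constructed sample: the thread's broken configuration, reduced to the
# options relevant here. Both sections point at the same AD domain.
BROKEN_CONF = textwrap.dedent("""\
    [sssd]
    domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
    config_file_version = 2
    services = nss, pam

    [domain/FOOBAR_NOLOGIN.GLOBAL]
    id_provider = ad
    ad_domain = FOOBAR.GLOBAL
    krb5_realm = FOOBAR.GLOBAL
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    default_shell = /bin/sh
    access_provider = simple
    simple_allow_groups = Simple Users@FOOBAR.GLOBAL

    [domain/FOOBAR_ADMINS.GLOBAL]
    id_provider = ad
    ad_domain = FOOBAR.GLOBAL
    krb5_realm = FOOBAR.GLOBAL
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    default_shell = /bin/bash
    access_provider = simple
    simple_allow_groups = Administrators@FOOBAR.GLOBAL
    """)

# The fix from the thread: qualify each group with its sssd section domain.
FIXED_CONF = (BROKEN_CONF
              .replace("Simple Users@FOOBAR.GLOBAL",
                       "Simple Users@FOOBAR_NOLOGIN.GLOBAL")
              .replace("Administrators@FOOBAR.GLOBAL",
                       "Administrators@FOOBAR_ADMINS.GLOBAL"))


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = lint_simple_access(conf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.section}] {f.option}: '{f.entry}' -> '{f.suggestion}'")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into a string and passing it to lint_simple_access; a finding means logins through that section will be denied by the access provider even though id resolves the user, which is exactly the symptom reported earlier in the thread.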


[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread Jakub Hrozek
SSSD logs would show this better, but I wonder if this is related to also using 
the AD domain name in the simple access filter. Do logins work if you use the 
name of the sssd section there instead of the AD domain name? Or, do the logins 
work if you comment out the access provider for a test?

> On 3 Sep 2018, at 10:32, D R  wrote:
> 
> A user belonging to the Simple Users group is resolved correctly via either 
> one of these commands:
> 
> id simpleuser@FOOBAR_NOLOGIN.GLOBAL
> id simpleuser@FOOBAR.GLOBAL
> 
> Similarly, a user belonging to the Administrators group can be seen via 
> either one of these commands:
> 
> id adminuser@FOOBAR_ADMINS.GLOBAL
> id adminuser@FOOBAR.GLOBAL
> 
> However, no user is able to log in.  I've tried all these commands:
> 
> ssh simpleuser@FOOBAR_NOLOGIN.GLOBAL@
> ssh simpleuser@FOOBAR.GLOBAL@
> ssh adminuser@FOOBAR_ADMINS.GLOBAL@
> ssh adminuser@FOOBAR.GLOBAL@
> 
> Here's the ssh -vvv output after that  requests the password: 
> 
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> Authentication failed.


[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread D R
A user belonging to the Simple Users group is resolved correctly via either 
one of these commands:

id simpleuser@FOOBAR_NOLOGIN.GLOBAL
id simpleuser@FOOBAR.GLOBAL

Similarly, a user belonging to the Administrators group can be seen via either 
one of these commands:

id adminuser@FOOBAR_ADMINS.GLOBAL
id adminuser@FOOBAR.GLOBAL

However, no user is able to log in.  I've tried all these commands:

ssh simpleuser@FOOBAR_NOLOGIN.GLOBAL@
ssh simpleuser@FOOBAR.GLOBAL@
ssh adminuser@FOOBAR_ADMINS.GLOBAL@
ssh adminuser@FOOBAR.GLOBAL@

Here's the ssh -vvv output after that  requests the password: 

debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
Authentication failed.


[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread Jakub Hrozek


> On 31 Aug 2018, at 17:34, Daniele Raffo  wrote:
> 
> Hello,
> 
> I'm trying to define two sssd groups in order to assign a different login 
> shell to AD users belonging to two different AD groups in our domain 
> FOOBAR.GLOBAL.
> However, all users are unable to log in and get an error "Authentication 
> failed".  

Are you able to at least resolve the users? What exact name are you using to 
resolve the users, username@foobar_nologin.global or username@foobar.global? 
The former would work, the latter would not.

btw if all you want is to munge the shell based on group memberships, maybe the 
sss_override tool would help?

> If I change an sssd section to [domain/FOOBAR.GLOBAL] so as to reflect the 
> existing AD domain, users defined in that sssd group are able to log in.  
> However, clearly in this way I cannot define more than one section.
> Why is that?  How can I define sssd sections with names different from the 
> existing AD domain?
> 
> Thanks in advance.  Below is my sssd.conf.
> 
> 
> [sssd]
> domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
> config_file_version = 2
> services = nss, pam
> 
> [domain/FOOBAR_NOLOGIN.GLOBAL]
> ldap_user_search_filter = (memberOf=CN=Simple Users,OU=Security 
> Groups,DC=FOOBAR,DC=GLOBAL)
> default_shell = /bin/sh
> ad_server = ad01.foobar.global
> ad_domain = FOOBAR.GLOBAL
> krb5_realm = FOOBAR.GLOBAL
> realmd_tags = manages-system joined-with-adcli 
> cache_credentials = False
> id_provider = ad
> krb5_store_password_if_offline = True
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Simple Users@FOOBAR.GLOBAL
> 
> [domain/FOOBAR_ADMINS.GLOBAL]
> ldap_user_search_filter = (memberOf=CN=Administrators,OU=Security 
> Groups,DC=FOOBAR,DC=GLOBAL)
> default_shell = /bin/bash
> ad_server = ad01.foobar.global
> ad_domain = FOOBAR.GLOBAL
> krb5_realm = FOOBAR.GLOBAL
> realmd_tags = manages-system joined-with-adcli 
> cache_credentials = False
> id_provider = ad
> krb5_store_password_if_offline = True
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Administrators@FOOBAR.GLOBAL


[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-08-31 Thread Daniele Raffo
If you're reading this via web, note that the @ sign got mutated to (a) in the 
simple_allow_groups configuration lines.