Hello SSSD gurus!

Need your advice.

Current configuration on my web-server:

# hostnamectl
____________________________________________________________________________  
  Operating System: Debian GNU/Linux 8 (jessie)
            Kernel: Linux 3.16.0-4-amd64
      Architecture: x86-64

# sssd --version
____________________________________________________________________________
1.11.7

# cat /etc/sssd/sssd.conf
____________________________________________________________________________
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com

[domain/ad.holding.com]
ad_server = dc01.ad.holding.com, dc02.ad.holding.com
ad_backup_server = dc05.ad.holding.com, dc07.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_use_tokengroups = False
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
subdomains_provider = none
ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
simple_allow_groups = [email protected]

# cat /etc/pam.d/common-account | grep sss 
____________________________________________________________________________
account [default=bad success=ok user_unknown=ignore]    pam_sss.so 

# cat /etc/pam.d/common-auth | grep sss 
____________________________________________________________________________
auth    [success=1 default=ignore]      pam_sss.so use_first_pass

# cat /etc/pam.d/common-password | grep sss 
____________________________________________________________________________
password        sufficient                      pam_sss.so use_authtok

# cat /etc/pam.d/common-session | grep sss 
____________________________________________________________________________
session optional                        pam_sss.so 


Now with this configuration everything is working fine.
Only users of the domain group 
"[email protected]" can log in to the server.

Now I need to allow connection to the server (Kerberos SSO to web site on 
Apache) for other domain users.

The new domain group "[email protected]" must be able to connect to the 
Apache web server, but these users cannot log in to the server.
That is, users of group "SRV-WebServer-Operators" are not in group 
"SRV-Linux-Servers-Administrators".

Please tell me how, with the help of SSSD/PAM/NSS, to properly restrict 
access in this situation.

So far I've created a custom PAM-service:

# cat /etc/pam.d/apache2-operators 

auth    required   pam_sss.so
account required   pam_sss.so

And I set up a web server to use this PAM-service.
Here is a snippet of the working configuration of the web server:

...
<Directory "/sub/folder">
     #
     # Kerberos SSO auth with PAM authz
     #
     AuthType Kerberos
     AuthName "Kerberos Login"
     Krb5Keytab /etc/apache2/Apache-AD-Krb.keytab
     KrbAuthRealms AD.HOLDING.COM
     KrbMethodK5Passwd off
     # Require valid-user
     Require pam-account apache2-operators
     #
     ...
</Directory>
...

Access to the site works if the user is also a member of the group 
"SRV-Linux-Servers-Administrators".
But if the user does not belong to group "SRV-Linux-Servers-Administrators", 
then he cannot connect to the site.

How can I allow a user from group "SRV-WebServer-Operators" to connect to the 
site, but not allow logging in to the server?
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
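Editor's added example, not from the post above or from the SSSD project. The mechanism the post runs into is that `access_provider` is a per-domain setting: SSSD answers the same access question for every PAM service, so `simple_allow_groups` gates sshd, login and the custom `apache2-operators` service with one list. The script below moves that decision into PAM: `access_provider = permit` in sssd.conf, `pam_succeed_if ... user ingroup` for the administrators group ahead of the pam-auth-update block in `common-account` (local accounts such as root are exempted with `pam_localuser`), and a separate group test in `apache2-operators`. It assumes Debian with Linux-PAM, `use_fully_qualified_names = True` (so group names come back lower-cased as `group@ad.holding.com`), mod_authnz_pam behind `Require pam-account`, and the two group spellings in `ADMIN_GROUP` and `OPERATOR_GROUP`, which are hypothetical. The sample files it creates are constructed to mirror the relevant lines of the post so the script can be rehearsed in a scratch directory.

```shell
#!/bin/sh
# Added example by the editor; not from the original post or the SSSD project.
# Why: access_provider = simple is evaluated by SSSD for every PAM service, so
# simple_allow_groups gates sshd, login AND the custom apache2-operators service
# with the same list. To admit web operators to Apache without giving them a
# shell, let SSSD permit (access_provider = permit) and require a different AD
# group in each PAM stack with pam_succeed_if.
#
# Assumptions (hypothetical where the post does not state them): Debian with
# Linux-PAM (pam_localuser, pam_succeed_if), SSSD with
# use_fully_qualified_names = True, which returns lower-cased
# "group@ad.holding.com" names, and the group spellings below.
set -eu

ADMIN_GROUP='srv-linux-servers-administrators@ad.holding.com'
OPERATOR_GROUP='srv-webserver-operators@ad.holding.com'

# sssd.conf: hand the access decision to PAM. simple_allow_groups is dropped
# because it is only read by the simple provider.
patch_sssd_conf() {
    sed -e 's/^access_provider[[:space:]]*=.*/access_provider = permit/' \
        -e '/^simple_allow_groups[[:space:]]*=/d' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# common-account (included by sshd, login, su ...): insert two lines ahead of
# the pam-auth-update block, which is where Debian says local rules belong.
# Local accounts from /etc/passwd (root) skip the group test: success=1 jumps
# over exactly one module. Everyone else must be in $2 or the stack stops.
gate_login_stack() {
    awk -v g="$2" '
        !done && /^account/ {
            print "account [success=1 default=ignore]  pam_localuser.so"
            print "account requisite                   pam_succeed_if.so quiet user ingroup " g
            done = 1
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apache2-operators: mod_authnz_pam's "Require pam-account" runs only the
# account phase (Kerberos already authenticated the user), so no auth lines.
write_web_stack() {
    cat > "$1" <<EOF
# Web operators: group check first, then SSSD's own account checks (expiry etc.)
account requisite  pam_succeed_if.so quiet user ingroup $2
account required   pam_sss.so
EOF
}

# Apply all three changes below the root directory given as $1 ("/" on the host).
apply_policy() {
    patch_sssd_conf  "$1/etc/sssd/sssd.conf"
    gate_login_stack "$1/etc/pam.d/common-account" "$ADMIN_GROUP"
    write_web_stack  "$1/etc/pam.d/apache2-operators" "$OPERATOR_GROUP"
}

# Constructed sample tree mirroring the relevant lines of the post, so the
# script can be rehearsed in a scratch directory before touching /etc.
make_sample_tree() {
    mkdir -p "$1/etc/sssd" "$1/etc/pam.d"
    printf '%s\n' '[domain/ad.holding.com]' 'id_provider = ad' \
        'access_provider = simple' 'simple_allow_groups = '"$ADMIN_GROUP" \
        > "$1/etc/sssd/sssd.conf"
    printf '%s\n' '# common-account (Debian header elided)' \
        'account [default=bad success=ok user_unknown=ignore]    pam_sss.so' \
        > "$1/etc/pam.d/common-account"
}

# Stand-alone run: rehearse in a temp dir. On the host, run "apply_policy /"
# and then restart sssd and apache2.
ROOT=$(mktemp -d)
make_sample_tree "$ROOT"
apply_policy "$ROOT"
echo "Rehearsed under $ROOT; inspect etc/sssd/sssd.conf and etc/pam.d/*"
```

Two checks before applying this on the host: `getent group srv-webserver-operators@ad.holding.com` must return the group with its members, because pam_succeed_if compares the name exactly as NSS returns it and a mistyped group fails closed (every non-local user is then refused, so keep a second root session open while testing sshd). Lines placed ahead of the generated block in `common-account` survive later `pam-auth-update` runs, which is why the script inserts rather than rewrites that file.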