On Mon, Mar 06, 2017 at 09:58:27PM -0000, Aleksey Maksimov wrote:
> Hello SSSD gurus!
>
> Need your advice.
>
> Current configuration on my web-server:
>
> # hostnamectl
> ____________________________________________________________________________
> Operating System: Debian GNU/Linux 8 (jessie)
> Kernel: Linux 3.16.0-4-amd64
> Architecture: x86-64
>
> # sssd --version
> ____________________________________________________________________________
> 1.11.7
>
> # cat /etc/sssd/sssd.conf
> ____________________________________________________________________________
> [sssd]
> domains = ad.holding.com
> config_file_version = 2
> services = nss, pam
> default_domain_suffix = ad.holding.com
>
> [domain/ad.holding.com]
> ad_server = dc01.ad.holding.com, dc02.ad.holding.com
> ad_backup_server = dc05.ad.holding.com, dc07.ad.holding.com
> ad_domain = ad.holding.com
> krb5_realm = AD.HOLDING.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> ldap_use_tokengroups = False
> use_fully_qualified_names = True
> fallback_homedir = /home/%d/%u
> access_provider = simple
> subdomains_provider = none
> ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> simple_allow_groups = [email protected]
>
> # cat /etc/pam.d/common-account | grep sss
> ____________________________________________________________________________
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> # cat /etc/pam.d/common-auth | grep sss
> ____________________________________________________________________________
> auth [success=1 default=ignore] pam_sss.so use_first_pass
>
> # cat /etc/pam.d/common-password | grep sss
> ____________________________________________________________________________
> password sufficient pam_sss.so use_authtok
>
> # cat /etc/pam.d/common-session | grep sss
> ____________________________________________________________________________
> session optional pam_sss.so
>
>
> Now with this configuration everything is working fine.
> Only users of the domain group "[email protected]" can log in to the server.
>
> Now I need to allow connection to the server (Kerberos SSO to web site on
> Apache) for other domain users.
>
> New domain group "[email protected]" must connect to the
> Apache web server. But these users can not log in on the server.
> That is, users of group "SRV-WebServer-Operators" are not in group
> "SRV-Linux-Servers-Administrators".
>
> Please tell me how, with the help of SSSD/PAM/NSS, to properly restrict
> access in this situation.
>
> So far I've created a custom PAM service:
>
> # cat /etc/pam.d/apache2-operators
>
> auth required pam_sss.so
> account required pam_sss.so
>
> And I set up the web server to use this PAM service.
> Here is a snippet of the working configuration of the web server:
>
> ...
> <Directory "/sub/folder">
> #
> # Kerberos SSO auth with PAM authz
> #
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/apache2/Apache-AD-Krb.keytab
> KrbAuthRealms AD.HOLDING.COM
> KrbMethodK5Passwd off
> # Require valid-user
> Require pam-account apache2-operators
> #
> ...
> </Directory>
> ...
>
> Access to the site works if the user enters both the group
> "SRV-Linux-Servers-Administrators".
> But if the user does not belong to group "SRV-Linux-Servers-Administrators"
> then he can not connect to the site.
>
> How can I allow a user from group "SRV-WebServer-Operators" to connect to the
> site, but not allow logging in to the server?
Since you are using the AD provider, the best way would be to define a GPO policy on the server side, see man sssd-ad.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
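The GPO route the reply points at, shown on the SSSD side as an added example (not the responder's or the original poster's configuration): it keeps the apache2-operators PAM service name from the question and assumes an SSSD release with GPO support, which arrived in 1.12 and so is newer than the 1.11.7 shown above. The AD side (granting logon rights per group in a GPO linked to the server's computer object) is done in the domain and is not part of this fragment.

```ini
# /etc/sssd/sssd.conf (added example; assumes SSSD >= 1.12 for GPO support)
[domain/ad.holding.com]
id_provider = ad
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM

# Before: one allow-list applied to every PAM service, so the same group
# gates sshd/login and the Apache PAM account check alike.
#access_provider = simple
#simple_allow_groups = [email protected]

# After: let the logon rights from the computer's GPO decide per service.
access_provider = ad
ad_gpo_access_control = enforcing

# PAM service names are mapped to GPO logon rights (see man sssd-ad):
#   interactive        -> "Allow log on locally"            (login, su, ...)
#   remote_interactive -> "Allow log on through Remote Desktop Services" (sshd)
#   network            -> "Access this computer from the network" (ftp, samba)
# The custom Apache service is unknown to SSSD, so add it ("+name") to the
# network category; it is then judged by a different right than sshd/login.
ad_gpo_map_network = +apache2-operators
```

In the GPO, grant SRV-Linux-Servers-Administrators the local and remote-interactive rights and SRV-WebServer-Operators only "Access this computer from the network"; the web-only group then passes the apache2-operators account check while sshd and login still deny it.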
