Hi Jakub. Thank you for the reply. I still have no success. Did try the AllowGroup in sshd_config but with no luck.
So I did a bit more investigation on pam_access and think that pam_access and pam_sss might be locking each other out. So I will try to explain my setup. In sssd.conf we use "simple_allow_groups" for access for users and admins. The config looks like:

/etc/sssd/sssd.conf:

    [sssd]
    services = nss, pam
    #debug_level = 9
    config_file_version = 2
    domains = example.dk
    default_domain_suffix = EXAMPLE.DK
    use_fully_qualified_names = TRUE

    [autofs]

    [nss]
    #debug_level = 9
    reconnection_retries = 3

    [pam]
    #debug_level = 9
    reconnection_retries = 100
    # allow PAM to cache user details for this long
    # this can improve login times
    # but it also delays AD changes from being seen
    pam_id_timeout = 600

    [domain/example.dk]
    id_provider = ad
    #debug_level = 6
    auth_provider = ad
    access_provider = simple
    ldap_id_mapping = False
    simple_allow_groups = [email protected], [email protected]
    chpass_provider = ad
    ad_gpo_access_control = disabled
    override_homedir = /user/%d/%u
    override_shell = /bin/bash
    dyndns_update = True
    dyndns_refresh_interval = 43200
    dyndns_update_ptr = True
    auto_private_groups = True

With this, ssh and /bin/login work for members of the AD groups. Now I have created a local group and added AD users to it:

    sudo addgroup example
    sudo usermod -a -G example [email protected]

[email protected] is not a member of the simple_allow_groups groups.
Now I have enabled pam_access.so in both /etc/pam.d/login and sshd (I have removed all comments, for readability):

login:

    #
    # The PAM configuration file for the Shadow `login' service
    #
    auth optional pam_faildelay.so delay=3000000
    auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
    auth requisite pam_nologin.so
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_loginuid.so
    session required pam_env.so readenv=1
    session required pam_env.so readenv=1 envfile=/etc/default/locale
    @include common-auth
    auth optional pam_group.so
    account required pam_access.so
    session required pam_limits.so
    session optional pam_lastlog.so
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
    session optional pam_mail.so standard
    session optional pam_keyinit.so force revoke
    @include common-account
    @include common-session
    @include common-password

sshd:

    # PAM configuration for the Secure Shell service
    @include common-auth
    account required pam_nologin.so
    account required pam_access.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    @include common-session
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
    session optional pam_mail.so standard noenv # [1]
    session required pam_limits.so
    session required pam_env.so # [1]
    session required pam_env.so user_readenv=1 envfile=/etc/default/locale
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    @include common-password

When I dug into auth.log it seemed like sssd authenticated the users but denied them due to simple_allow_groups, so I changed access_provider = simple to access_provider = permit and restarted sssd. Now all users are allowed to log in if AD authenticates them.
Now I added the following to /etc/security/access.conf:

    + : (example) : ALL
    - : ALL except root [email protected] : ALL

and restarted sshd and sssd just to be sure. Now I get the following error:

    Jun 14 10:47:37 example01 sshd[89937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 [email protected]
    Jun 14 10:47:37 example01 sshd[89937]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 [email protected]
    Jun 14 10:47:37 example01 sshd[89937]: pam_access(sshd:account): access denied for user `[email protected]' from `10.14.1.2'
    Jun 14 10:47:37 example01 sshd[89937]: Failed password for [email protected] from 10.14.1.2 port 52944 ssh2
    Jun 14 10:47:37 example01 sshd[89937]: fatal: Access denied for user [email protected] by PAM account configuration [preauth]

If I change "- : ALL except root [email protected] : ALL" to

    - : ALL except root EXAMPLE\aduser [email protected] : ALL

the aduser@example is allowed to log in. I just tested; it also works with

    + : EXAMPLE\aduser : ALL
    - : ALL except root [email protected] : ALL

So it seems like the group is not evaluated correctly?

OS is Ubuntu 18.04.2 LTS

Best Regards,
Mads.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
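A small model of the access.conf evaluation the post is puzzling over, added here as an example (it is not pam_access's or SSSD's code). It parses "permission : users : origins" rules and applies first-match-wins, the ALL keyword, EXCEPT lists, (group) entries and plain user names. Two things are assumptions rather than facts taken from the post and should be checked against the installed Linux-PAM version: a token containing "@" is treated as the user@host form (user part compared with the login name, host part with the origin) before any whole-name comparison, and group membership comes from an in-memory table standing in for what getgrnam()/NSS would return. The group name, user name and origin address are the ones from the post; the membership table is constructed.

```python
"""Simplified model of how pam_access evaluates /etc/security/access.conf.

Added example, not pam_access's or SSSD's code. Assumptions are marked
in comments; the membership table below is constructed, not read from NSS.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

Rule = Tuple[str, List[str], List[str]]  # permission, user tokens, origin tokens


def _tokens(field: str) -> List[str]:
    # pam_access list fields are separated by spaces, tabs or commas
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into rules, skipping comments and blank lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((parts[0], _tokens(parts[1]), _tokens(parts[2])))
    return rules


def _list_match(tokens: List[str], match_one: Callable[[str], bool]) -> bool:
    """A list matches when a token before EXCEPT matches and none after it does."""
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    wanted, excluded = tokens[:cut], tokens[cut + 1:]
    return any(match_one(t) for t in wanted) and not any(match_one(t) for t in excluded)


def _origin_match(tok: str, origin: str) -> bool:
    # Only ALL and an exact host/address comparison are modelled (no networks, no LOCAL)
    return tok.upper() == "ALL" or tok.lower() == origin.lower()


def _user_match(tok: str, user: str, origin: str, groups: Dict[str, Set[str]]) -> bool:
    if tok.upper() == "ALL":
        return True
    if "@" in tok:  # ASSUMPTION: user@host form, split before the whole-name comparison
        name, host = tok.split("@", 1)
        return _user_match(name, user, origin, groups) and _origin_match(host, origin)
    if tok.startswith("(") and tok.endswith(")"):  # explicit group entry
        return user in groups.get(tok[1:-1], set())
    if tok.lower() == user.lower():  # user names are compared case-insensitively
        return True
    return user in groups.get(tok, set())  # a bare word may also name a group


def evaluate(rules: List[Rule], user: str, origin: str,
             groups: Dict[str, Set[str]]) -> str:
    """Return 'allow' or 'deny'; when no rule matches, access is granted."""
    for perm, users, origins in rules:
        if _list_match(users, lambda t: _user_match(t, user, origin, groups)) and \
           _list_match(origins, lambda t: _origin_match(t, origin)):
            return "allow" if perm == "+" else "deny"
    return "allow"


# Constructed inputs mirroring the post: the two access.conf variants and a
# local group 'example' whose member list names the user in fully qualified form.
CONF_GROUP = "+ : (example) : ALL\n- : ALL except root aduser@example.dk : ALL\n"
CONF_USER = "+ : EXAMPLE\\aduser : ALL\n- : ALL except root aduser@example.dk : ALL\n"
GROUPS = {"example": {"aduser@example.dk"}}


def decide(conf: str, user: str, origin: str = "10.14.1.2",
           groups: Dict[str, Set[str]] = GROUPS) -> str:
    """Evaluate one access.conf text for a user and origin against a group table."""
    return evaluate(parse_access_conf(conf), user, origin, groups)


if __name__ == "__main__":
    for conf in (CONF_GROUP, CONF_USER):
        print(conf.rstrip(), "->", decide(conf, "aduser@example.dk"))
    print("group without the user ->",
          decide(CONF_GROUP, "aduser@example.dk", groups={"example": set()}))
```

Under these assumptions the first configuration allows the user (the group rule matches first) and the second denies it (the token does not equal the fully qualified login name and no group of that name exists in the table), which is the opposite of what the post observed in both cases. That gap is the useful part: the model only knows the names it is given, so where the live host disagrees, the difference lies in what NSS actually returns for the names involved, which `getent group example`, `getent group 'EXAMPLE\aduser'` and `id aduser@example.dk` show on the machine itself.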
