On Fri, Jun 14, 2019 at 09:22:17AM -0000, Mads Boye wrote:
> Hi Jakub.
> Thank you for the reply. I still have no success.
>
> Did try the AllowGroup in sshd_config but with no luck.
>
> So I did a bit more investigation on pam_access and think that pam_access and
> pam_sss might be locking each other out.
>
> So I will try to explain my setup.
> In sssd.conf we use the "simple_allow_groups" for access for users and admins.
> The config looks like:
> /etc/sssd/sssd.conf:
> [sssd]
> services = nss, pam
> #debug_level = 9
> config_file_version = 2
> domains = example.dk
> default_domain_suffix = EXAMPLE.DK
> use_fully_qualified_names = TRUE
>
> [autofs]
>
> [nss]
> #debug_level = 9
> reconnection_retries = 3
>
> [pam]
> #debug_level = 9
> reconnection_retries = 100
> # allow PAM to cache user details for this long
> # this can improve login times
> # but it also delays AD changes from being seen
> pam_id_timeout = 600
>
> [domain/example.dk]
> id_provider = ad
> #debug_level = 6
> auth_provider = ad
> access_provider = simple
> ldap_id_mapping = False
>
> simple_allow_groups = [email protected], [email protected]
> chpass_provider = ad
> ad_gpo_access_control = disabled
> override_homedir = /user/%d/%u
> override_shell = /bin/bash
> dyndns_update = True
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = True
> auto_private_groups = True
>
> With this ssh and /bin/login work for members of the AD groups.
> Now I have created a local group and added AD users to this:
> sudo addgroup example
> sudo usermod -a -G example [email protected]
>
> [email protected] is not a member of the simple_allow_groups groups.
> Now I have enabled pam_access.so in both /etc/pam.d/login and sshd
>
> login (I have removed all comments, for readability):
> #
> # The PAM configuration file for the Shadow `login' service
> #
> auth optional pam_faildelay.so delay=3000000
> auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
> auth requisite pam_nologin.so
>
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 envfile=/etc/default/locale
>
> @include common-auth
>
> auth optional pam_group.so
> account required pam_access.so
> session required pam_limits.so
> session optional pam_lastlog.so
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
> session optional pam_mail.so standard
> session optional pam_keyinit.so force revoke
>
> @include common-account
> @include common-session
> @include common-password
>
> sshd:
> # PAM configuration for the Secure Shell service
> @include common-auth
> account required pam_nologin.so
> account required pam_access.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_keyinit.so force revoke
> @include common-session
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
> session required pam_env.so # [1]
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> @include common-password
>
> When I dug into auth.log it seemed like sssd authenticated the users, but
> denied them due to simple_allow_groups, so I changed
> access_provider = simple to access_provider = permit and restarted sssd.
>
> Now all users are allowed to log in if AD authenticates them.
> Now I added the following to /etc/security/access.conf
> + : (example) : ALL
> - : ALL except root [email protected] : ALL
>
> restarted sshd and sssd just to be sure.
> Now I get the following error
> Jun 14 10:47:37 example01 sshd[89937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 [email protected]
> Jun 14 10:47:37 example01 sshd[89937]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.1.2 [email protected]
> Jun 14 10:47:37 example01 sshd[89937]: pam_access(sshd:account): access denied for user `[email protected]' from `10.14.1.2'
> Jun 14 10:47:37 example01 sshd[89937]: Failed password for [email protected] from 10.14.1.2 port 52944 ssh2
> Jun 14 10:47:37 example01 sshd[89937]: fatal: Access denied for user [email protected] by PAM account configuration [preauth]
>
> If I change the "- : ALL except root [email protected] : ALL" to "- : ALL except root EXAMPLE\aduser [email protected] : ALL"
> the aduser@example is allowed to log in.
>
> I just tested it also works with
> + : EXAMPLE\aduser : ALL
> - : ALL except root [email protected] : ALL
>
> So it seems like the group is not evaluated correctly?
I guess.. when you have the access control disabled and log in with aduser@example and then run "id", does it show the group example? Maybe the 'debug' parameter of pam_access.so could help here..

> OS is Ubuntu 18.04.2 LTS
>
> Best Regards,
> Mads.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
