Hi Spike,

Though it's not directly related to SSSD, your ssh config is a bit
weird, especially these "MaxSessions 999" lines.
MaxSessions is not about simultaneous user sessions, it is about session
multiplexing. It is used only if you are going to open multiple SSH
sessions over a single TCP connection. This feature is not used often and
many people are unaware of its existence.
With this information in mind, maybe you don't need all these Match blocks
at all? :-)


Kind regards,
Grigory Trenin



Wed, 4 Nov 2020 at 21:03, Spike White <spikewhit...@gmail.com>:

> sssd professionals,
>
> Interesting problem; seems to be an interaction with sshd daemon when
> using an AD back-end.
>
> When using sssd (with an AD back-end), what should my “Match” blocks in
> /etc/ssh/sshd_config file look like for over-riding user values?
>
> Right now, my Match blocks look like:
>
>     MaxSessions 10
>     ....
>
> Match User SERVICEPPTPRDVRA
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
> Match User SERVICEPPTPRDDCA
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
> And in the system log files, it looks like:
>
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug2: parse_server_config:
> config reprocess config len 1479
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for
> 'User SERVICEPPTPRDVRA' user SERVICEPPTPRDVRA host 10.175.99.51 addr
> 10.175.99.51 laddr 10.174.120.203 lport 22
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug1: user SERVICEPPTPRDVRA
> matched 'User SERVICEPPTPRDVRA' at line 158
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match found
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:159
> setting MaxSessions 999
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:160
> setting ClientAliveInterval 360
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:161
> setting ClientAliveCountMax 3
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for
> 'User SERVICEPPTPRDDCA' user SERVICEPPTPRDVRA host 10.175.99.51 addr
> 10.175.99.51 laddr 10.174.120.203 lport 22
> Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match not found
>
> Here's where it gets weird.  Because this is an AD back-end, by default
> sssd is setting
>
> case_sensitive = false
>
> That is, it matches any case of user names. Examples:
>
>     SERVICEPPTPRDVRA
>     servicepptprdvra
>     ServicePPTPrdVra
>
> However, I notice that sssd maps all the user names to lowercase once
> you're fully logged in. (This is what's desired.)
>
> Example:
>
> [root@peplpc1mom01 ssh]# su -l SERVICEPPTPRDVRA
> Last login: Wed Nov  4 10:03:31 CST 2020 on pts/12
> [servicepptprdvra@peplpc1mom01 ~]$ id
> uid=3001425(servicepptprdvra) gid=3001425(servicepptprdvra)
> groups=3001425(servicepptprdvra),1010(amerunixusers),2284221(puppetentrp)
> [servicepptprdvra@peplpc1mom01 ~]$
>
> It looks like SSHD is looking at the raw “user name” input without any
> processing for its match blocks.  So I’m guessing this is before any PAM or
> NSS processing.
>
> Originally, I naively assumed that my Match blocks should be lowercase, as
> that's what I see on the command line.  But now I think it has to be
> whatever raw input the user entered.
>
> Spike
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>
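A small model of how sshd evaluates `Match User` blocks against the login name as typed, added here to illustrate the case problem Spike describes (example code, not from the thread or from OpenSSH; the config excerpt is constructed, and the case-sensitive, first-match-wins rules are a simplified assumption about sshd's behaviour):

```python
import fnmatch

# Constructed sshd_config excerpt modelled on the one quoted in the thread.
# The second Match block lists the lowercase variant as an extra pattern.
SSHD_CONFIG = """
MaxSessions 10
ClientAliveInterval 0

Match User SERVICEPPTPRDVRA
   MaxSessions 999
   ClientAliveInterval 360
   ClientAliveCountMax 3

Match User SERVICEPPTPRDDCA,servicepptprddca
   MaxSessions 999
"""


def parse_sshd_config(text):
    """Split a config into global settings and a list of (user patterns, settings)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            criterion, _, patterns = value.strip().partition(" ")
            if criterion.lower() != "user":
                raise ValueError("only 'Match User' is modelled here")
            current = (patterns.split(","), {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value.strip()
        else:
            current[1][key] = value.strip()
    return global_opts, blocks


def user_matches(user, patterns):
    # Assumption: like sshd, User patterns are compared case-sensitively,
    # so 'servicepptprdvra' does not match 'SERVICEPPTPRDVRA'.
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def effective_config(user, text=SSHD_CONFIG):
    """Settings applied for the raw login name: global values overridden by
    matching blocks, where the first matching block to set a keyword wins."""
    global_opts, blocks = parse_sshd_config(text)
    from_match = {}
    for patterns, settings in blocks:
        if user_matches(user, patterns):
            for key, value in settings.items():
                from_match.setdefault(key, value)
    return {**global_opts, **from_match}
```

On a real host the authoritative check is `sshd -T -C user=servicepptprdvra,host=10.175.99.51,addr=10.175.99.51`, which prints the effective settings for that login name, so each case variant sssd accepts can be tested against the Match blocks.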