On 3/20/2023 4:10 AM, Alexey Tikhonov wrote:
Did you try it with other domains (i.e. non-local users)?
Yes, I have systems configured for LDAP as shown in the configuration below. I've never tried it before, but it seems I can also log in as 'user@domain', which also appears to pass that explicit string to other parts of the login process and the logs:
Mar 20 12:20:24 login-dev-01 sshd[1140132]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.104.223.252 user=henson@cpp
Mar 20 12:20:35 login-dev-01 sshd[1140072]: Postponed keyboard-interactive for henson@cpp from 10.104.223.252 port 37802 ssh2 [preauth]
Mar 20 12:20:36 login-dev-01 sshd[1140072]: Connection closed by authenticating user henson@cpp 10.104.223.252 port 37802 [preauth]
I don't really want anything other than the explicit username all by itself to be usable to log in or to show up in the logs. In my opinion, that should be the default configuration, and being able to log in using different domain suffixes should be an option. Particularly for people who simply migrated from nss_ldap, suddenly having variations of usernames that were not previously valid show up in the logs or be accepted is surprising. That's a different issue though, as opposed to ignoring prepended @'s in usernames, which seems buggy.
Thanks...

--------------------------
[sssd]
domains = cpp

[domain/cpp]
timeout = 10
dns_discovery_domain = cpp.edu
id_provider = ldap
sudo_provider = none
auth_provider = none
chpass_provider = none
ignore_group_members = TRUE
ldap_uri = ldap://ldap.cpp.edu/
ldap_id_use_start_tls = true
ldap_search_base = dc=cpp,dc=edu
ldap_user_search_base = ou=user,dc=cpp,dc=edu
ldap_group_search_base = ou=group,dc=cpp,dc=edu
ldap_user_gecos = displayname
ldap_group_name = uid
entry_cache_nowait_percentage = 50
entry_cache_user_timeout = 1800
entry_cache_group_timeout = 1800
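As an added example (not part of this message or of sssd itself), a small Python log filter that pulls the login name out of the three sshd/pam_sss line formats quoted above and flags the domain-qualified variants, so an administrator migrating from nss_ldap can spot them and map them back to the bare account name. The sample lines are constructed from the ones in the message; the splitting on '@' mirrors the shape of those names and is not sssd's own name parser.

```python
import re

# Constructed sample log lines, modelled on the ones quoted in the message.
SAMPLE_LOG = """\
Mar 20 12:20:24 login-dev-01 sshd[1140132]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.104.223.252 user=henson@cpp
Mar 20 12:20:35 login-dev-01 sshd[1140072]: Postponed keyboard-interactive for henson@cpp from 10.104.223.252 port 37802 ssh2 [preauth]
Mar 20 12:20:36 login-dev-01 sshd[1140072]: Connection closed by authenticating user henson@cpp 10.104.223.252 port 37802 [preauth]
Mar 20 12:21:02 login-dev-01 sshd[1140200]: Accepted publickey for henson from 10.104.223.252 port 37900 ssh2
"""

# The three places a login name appears in the quoted lines:
# pam_sss "user=<name>", sshd "for <name> from <host>", and
# sshd "authenticating user <name>". "\buser=" does not match "ruser=".
USER_PATTERNS = (
    re.compile(r"\buser=(?P<user>\S+)"),
    re.compile(r"\bfor (?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"\bauthenticating user (?P<user>\S+)"),
)


def extract_user(line):
    """Return the login name carried by a log line, or None if it has none."""
    for pat in USER_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("user")
    return None


def split_login_name(login):
    """Split 'name@domain' into (name, domain); a bare name gets domain None.
    Hypothetical helper: it mirrors the names seen in the message, not sssd."""
    name, sep, domain = login.partition("@")
    return (name, domain if sep else None)


def find_qualified_logins(log_text):
    """Return (line_no, bare_name, domain) for every line whose login name
    carries a domain suffix, i.e. a variant that nss_ldap never accepted."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        user = extract_user(line)
        if user is None:
            continue
        name, domain = split_login_name(user)
        if domain is not None:
            hits.append((n, name, domain))
    return hits


if __name__ == "__main__":
    for line_no, name, domain in find_qualified_logins(SAMPLE_LOG):
        print(f"line {line_no}: '{name}' logged in with domain suffix '@{domain}'")
```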
