Differences between revisions 3 and 4
Revision 3 as of 2021-06-29 03:21:09
Size: 1851
Editor: PieterSmit
Comment:
Revision 4 as of 2021-06-29 03:30:45
Size: 3316
Editor: PieterSmit
Comment:
Line 24: Line 24:
...
Jun 29 03:21:30 arm-p02 sshd[4343]: pam_unix(sshd:session): session closed for user SmitX
Line 26: Line 28:
== Config example ==
 * # cat /etc/sssd/sssd.conf {{{
[sssd]
config_file_version = 2
domains = my.domain.com
services = nss, pam
full_name_format = %1$s

[nss]

[pam]

[domain/my.domain.com]
id_provider = ldap
access_provider = ldap
ldap_access_filter = (memberOf=CN=Auth-Group,OU=Security,OU=Groups,OU=Production,DC=my,DC=domain,DC=com)
cache_credentials = True
ldap_uri = ldaps://ad-server.my.domain.com:636
ldap_search_base = OU=Business Users,OU=Users,OU=Production,DC=my,DC=domain,DC=com
ldap_schema = AD
ldap_default_bind_dn = CN=svc_AcctLinuxLDAP,OU=Service Accounts,OU=Users,OU=Production,DC=my,DC=domain,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAxxxx...xxxxw==

# Obtain the CA root certificate for your LDAPS connection.
ldap_tls_cacert = /etc/pki/tls/certs/cacerts.pem
ldap_tls_reqcert = allow

# AWS SimpleAD doesn't provide a way to download
# the CA root certificate at the moment.
# This setting disables cert verification.
#ldap_tls_reqcert = allow

# Only if the LDAP directory doesn't provide uidNumber and gidNumber attributes
ldap_id_mapping = True

# Consider setting enumerate=False for very large directories
enumerate = False

# Only needed if LDAP doesn't provide homeDirectory and loginShell attributes
fallback_homedir = /home/%u
default_shell = /bin/bash
}}}
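Review bot: The active `ldap_tls_reqcert = allow` line leaves the LDAPS server certificate unverified even though `ldap_tls_cacert` is configured, so the bind DN and its authtok on the lines above can be captured by anyone who can interpose on the connection to ad-server; with a CA file in place the line should read `ldap_tls_reqcert = demand`. The comment above it says to obtain the CA certificate, which contradicts the value below, while the later commented-out `#ldap_tls_reqcert = allow` block already documents the AWS SimpleAD case as the only reason to disable verification. A comment above `ldap_default_authtok_type = obfuscated_password` noting that this is reversible obfuscation rather than encryption, so the file must stay readable by root only, would also help the next reader.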

Linux/SssdADauth

  • Using Windows Active Directory to authenticate Linux users through sssd
  • Example login failure: the user is in the correct group but sssd cannot resolve the account (the user was outside the configured ldap_search_base)

    Jun 29 02:12:20 arm-p02 sshd[25151]: Invalid user Smitxx from 10.x.x.x port 43508
    Jun 29 02:12:20 arm-p02 sshd[25151]: input_userauth_request: invalid user Smitxxx [preauth]
    Jun 29 02:12:29 arm-p02 sshd[25151]: pam_unix(sshd:auth): check pass; user unknown
    Jun 29 02:12:29 arm-p02 sshd[25151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost
    Jun 29 02:12:31 arm-p02 sshd[25151]: Failed password for invalid user Smitxxx from 10.x.x.x port 43508 ssh2
  • Test with an AD user who is inside ldap_search_base but not in the group required by ldap_access_filter

    Jun 29 03:08:07 arm-p02 sshd[2630]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost user=SmitX
    Jun 29 03:08:07 arm-p02 sshd[2630]: pam_sss(sshd:account): Access denied for user SmitX: 6 (Permission denied)
    Jun 29 03:08:07 arm-p02 sshd[2630]: Failed password for SmitX from 10.2.1.1 port 53288 ssh2
    Jun 29 03:08:07 arm-p02 sshd[2630]: fatal: Access denied for user SmitX by PAM account configuration [preauth]
  • Working login: the user is inside ldap_search_base and in the group required by ldap_access_filter

    Jun 29 03:17:27 arm-p02 sshd[4343]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost user=SmitX
    Jun 29 03:17:27 arm-p02 sshd[4343]: Accepted password for SmitX from 10.2.1.1 port 55038 ssh2
    Jun 29 03:17:57 arm-p02 sshd[4343]: pam_systemd(sshd:session): Failed to create session: Connection reset by peer
    Jun 29 03:17:57 arm-p02 sshd[4343]: pam_unix(sshd:session): session opened for user SmitX by (uid=0)
    ...
    Jun 29 03:21:30 arm-p02 sshd[4343]: pam_unix(sshd:session): session closed for user SmitX

Config example

  • # cat /etc/sssd/sssd.conf

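    # /etc/sssd/sssd.conf - Linux logins authenticated against Windows AD over LDAPS.
    # Read by sssd; keep this file owned by root and readable by root only,
    # because it holds the bind account's credential.
    [sssd]
    config_file_version = 2
    domains = my.domain.com
    services = nss, pam
    full_name_format = %1$s

    [nss]

    [pam]

    [domain/my.domain.com]
    id_provider = ldap
    access_provider = ldap
    # Only members of this AD group are allowed to log in.
    ldap_access_filter = (memberOf=CN=Auth-Group,OU=Security,OU=Groups,OU=Production,DC=my,DC=domain,DC=com)
    cache_credentials = True
    ldap_uri = ldaps://ad-server.my.domain.com:636
    ldap_search_base = OU=Business Users,OU=Users,OU=Production,DC=my,DC=domain,DC=com
    ldap_schema = AD
    ldap_default_bind_dn = CN=svc_AcctLinuxLDAP,OU=Service Accounts,OU=Users,OU=Production,DC=my,DC=domain,DC=com
    # obfuscated_password is reversible obfuscation, not encryption; it only
    # protects against casual viewing, so the file permissions above matter.
    ldap_default_authtok_type = obfuscated_password
    ldap_default_authtok = AAAxxxx...xxxxw==

    # Obtain the CA root certificate for your LDAPS connection and require it
    # to validate the server certificate. 'allow' would accept any certificate
    # and expose the bind credentials above to a man-in-the-middle.
    ldap_tls_cacert = /etc/pki/tls/certs/cacerts.pem
    ldap_tls_reqcert = demand

    # AWS SimpleAD doesn't provide a way to download
    # the CA root certificate at the moment.
    # This setting disables cert verification; use it only in that case.
    #ldap_tls_reqcert = allow

    # Only if the LDAP directory doesn't provide uidNumber and gidNumber attributes
    ldap_id_mapping = True

    # Enumeration is disabled; enumerating very large directories is expensive
    enumerate = False

    # Only needed if LDAP doesn't provide homeDirectory and loginShell attributes
    fallback_homedir = /home/%u
    default_shell = /bin/bash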


CategoryLinux
