Differences between revisions 6 and 7
Revision 6 as of 2021-06-29 04:54:29
Size: 4160
Editor: PieterSmit
Comment:
Revision 7 as of 2021-06-29 04:55:01
Size: 4155
Editor: PieterSmit
Comment:
Deletions are marked like this. Additions are marked like this.
Line 30: Line 30:
Jun 29 04:51:35 arm-p02 sshd[3829]: Accepted password for SmitP from 10.215.143.12 port 43760 ssh2 Jun 29 04:51:35 arm-p02 sshd[3829]: Accepted password for SmitP from 10.1.1.1 port 43760 ssh2

Linux/SssdADauth

  • Using Windows active directory to authenticate Linux users, through sssd

  • Example login failure, in correct group but no local account (User was in wrong ldap_search_base) 

    Jun 29 02:12:20 arm-p02 sshd[25151]: Invalid user Smitxx from 10.x.x.x port 43508
Jun 29 02:12:20 arm-p02 sshd[25151]: input_userauth_request: invalid user Smitxxx [preauth]
Jun 29 02:12:29 arm-p02 sshd[25151]: pam_unix(sshd:auth): check pass; user unknown
Jun 29 02:12:29 arm-p02 sshd[25151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost
Jun 29 02:12:31 arm-p02 sshd[25151]: Failed password for invalid user Smitxxx from 10.x.x.x port 43508 ssh2

  • Test with AD user in correct ldap_search_base but not in correct group ldap_access_filter 

    Jun 29 03:08:07 arm-p02 sshd[2630]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost user=SmitX
Jun 29 03:08:07 arm-p02 sshd[2630]: pam_sss(sshd:account): Access denied for user SmitX: 6 (Permission denied)
Jun 29 03:08:07 arm-p02 sshd[2630]: Failed password for SmitX from 10.2.1.1 port 53288 ssh2
Jun 29 03:08:07 arm-p02 sshd[2630]: fatal: Access denied for user SmitX by PAM account configuration [preauth]

  • Login working User in ldap_search_base and group for ldap_access_filter 

    Jun 29 03:17:27 arm-p02 sshd[4343]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost user=SmitX
Jun 29 03:17:27 arm-p02 sshd[4343]: Accepted password for SmitX from 10.2.1.1 port 55038 ssh2
Jun 29 03:17:57 arm-p02 sshd[4343]: pam_systemd(sshd:session): Failed to create session: Connection reset by peer
Jun 29 03:17:57 arm-p02 sshd[4343]: pam_unix(sshd:session): session opened for user SmitX by (uid=0)
...
Jun 29 03:21:30 arm-p02 sshd[4343]: pam_unix(sshd:session): session closed for user SmitX

  • Login working, faster after os upgrade 

    Jun 29 04:51:35 arm-p02 sshd[3829]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=jumphost user=SmitX
Jun 29 04:51:35 arm-p02 sshd[3829]: Accepted password for SmitP from 10.1.1.1 port 43760 ssh2
Jun 29 04:51:35 arm-p02 systemd[1]: Created slice User Slice of SmitX.
Jun 29 04:51:35 arm-p02 systemd-logind[1950]: New session 5 of user SmitX.
Jun 29 04:51:35 arm-p02 systemd[1]: Started Session 5 of user SmitX.
Jun 29 04:51:35 arm-p02 sshd[3829]: pam_unix(sshd:session): session opened for user SmitX by (uid=0)

Config example

  • # cat /etc/sssd/sssd.conf 

    [sssd]
config_file_version = 2
domains = my.domain.com
services = nss, pam
full_name_format = %1$s

[nss]

[pam]

[domain/my.domain.com]
id_provider = ldap
access_provider = ldap
ldap_access_filter = (memberOf=CN=Auth-Group,OU=Security,OU=Groups,OU=Production,DC=my,DC=domain,DC=com)
cache_credentials = True
ldap_uri = ldaps://ad-server.my.domain.com:636
ldap_search_base = OU=Business Users,OU=Users,OU=Production,DC=my,DC=domain,DC=com
ldap_schema = AD
ldap_default_bind_dn = CN=svc_AcctLinuxLDAP,OU=Service Accounts,OU=Users,OU=Production,DC=my,DC=domain,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAxxxx...xxxxw==

# Obtain the CA root certificate for your LDAPS connection.
ldap_tls_cacert = /etc/pki/tls/certs/cacerts.pem
ldap_tls_reqcert = allow

# AWS SimpleAD doesn't provide a way to download
# the CA root certificate at the moment.
# This setting disables cert verification.
#ldap_tls_reqcert = allow

# Only if the LDAP directory doesn't provide uidNumber and gidNumber attributes
ldap_id_mapping = True

# Consider setting enumerate=False for very large directories
enumerate = False

# Only needed if LDAP doesn't provide homeDirectory and loginShell attributes
fallback_homedir = /home/%u
default_shell = /bin/bash

  • Create obfuscated bind DN password in config file above with 

    sss_obfuscate --domain my.domain.com

  • Enable sssd authentication 

    authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall

CategoryLinux

Linux/SssdADauth (last edited 2021-06-29 04:58:17 by PieterSmit)