I am currently trying to get a Linux server (Red Hat Enterprise 7.6) to authenticate users based on a Microsoft Active Directory. The idea would be to allow the users to connect via SSH to upload documents to their personal website without giving them access to a shell.
To cut the story short, we are a school and we want to provide access to a personal dedicated folder to our students.
I am trying to use SSSD, which sounds promising. I am able to join the domain and, when I increase the log level, I see the users being cached on my Linux server. I have meticulously followed the Red Hat documentation and most of the posts discussing the usage of SSSD, but I might be missing something somewhere. I wanted to progress gradually and, before getting SSH involved, I wanted to first try to authenticate a user locally on a console (not through SSH). The user is not configured as a local user. It is only defined in the Active Directory.
But it fails with the following message in /var/log/secure:
Dec 10 09:42:05 svx-pub-01 login: pam_unix(login:auth): check pass; user unknown
Dec 10 09:42:05 svx-pub-01 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Dec 10 09:42:07 svx-pub-01 login: FAILED LOGIN 1 FROM tty1 FOR (unknown), User not known to the underlying authentication module
As far as I understand, the sssd is not involved in the authentication here and I would like to understand why.
I know that my future goal is to authenticate the users via SSH, but I first want to make a very simple local test... So I have defined a default shell in the sssd.conf file. The only value that I have modified for confidentiality purposes is "mydomain.com", which is not the real value :)
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
debug_level = 7
[domain/mydomain.com]
ad_server = svw-dc-00.mydomain.com
ad_domain = mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 7
[pam]
debug_level = 7
[ssh]
Here is the /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
Here is the /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
And the /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_sss.so
session required pam_unix.so
Thanks a lot in advance for your valuable input.
Can you query the user information via nsswitch (using id <name>, getent passwd <name>, getent -s sss passwd <name>)? What is the user's UID? – user1686 – 2018-12-10T09:15:20.047
The command id <name> gives "id: <name>: no such user" and the command getent passwd <name> returns nothing, not even a message. – P. Herman – 2018-12-10T09:22:50.590
When I enter the command realm join -U <user> ads.mydomain.com it says "realm: Already joined to this domain". – P. Herman – 2018-12-10T10:00:13.853
But! When I type getent -s sss passwd <user>@mydomain.com I receive an answer like:
<user>@mydomain.com:*:153324743:153200513:Lastname Firstname:/home/<user>@mydomain.com:/bin/bash
How is it possible to get rid of the "@" when I proceed to the login, because it makes the console login impossible? – P. Herman – 2018-12-10T10:16:03.410
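An added example (not from the question or the comments) that walks the auth phase of the system-auth file above with libpam's control semantics. It shows why the log ends at pam_unix ("check pass; user unknown") and the requisite pam_succeed_if (PAM_USER_UNKNOWN) without pam_sss ever running when NSS cannot resolve the bare login name, and how the same stack reaches pam_sss once the name resolves, as <user>@mydomain.com does through getent -s sss. Module results are simplified, and the user fields (known, local, uid, password_ok) are the example's own.

```python
import re

# The eight 'auth' lines, copied from the question's /etc/pam.d/system-auth.
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
LINE = re.compile(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):  # -> [(control, module, args)]
    return [LINE.match(l).groups() for l in text.splitlines() if l.startswith("auth")]

def outcome(module, args, user):
    """Simplified status of one module; user: known (NSS resolves the name), local, uid, password_ok."""
    if module in ("pam_env.so", "pam_faildelay.so"): return "success"
    if module == "pam_deny.so": return "auth_err"
    if not user["known"]:          # every remaining module starts with getpwnam();
        return "user_unknown"      # pam_unix logs "check pass; user unknown" here
    if module == "pam_succeed_if.so":   # only the 'uid >= N' test is modelled
        limit = int(re.search(r"uid >= (\d+)", args).group(1))
        return "success" if user["uid"] >= limit else "auth_err"
    if module == "pam_localuser.so": return "success" if user["local"] else "auth_err"
    if module == "pam_unix.so":    # only a hash in the local shadow file can match
        return "success" if user["local"] and user["password_ok"] else "auth_err"
    return "success" if user["password_ok"] else "auth_err"   # pam_sss.so

def run_auth(stack, user):
    """Apply PAM control semantics; return (final status, modules actually called)."""
    failure, called, i = None, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        status = outcome(module, args, user)
        called.append(module)
        if control == "required" and status != "success":
            failure = failure or status
        elif control == "requisite" and status != "success":
            return failure or status, called           # stack ends here, later modules never run
        elif control == "sufficient" and status == "success" and failure is None:
            return "success", called
        elif control.startswith("["):                  # e.g. [default=1 ignore=ignore success=ok]
            actions = dict(t.split("=") for t in control.strip("[]").split())
            action = actions.get(status, actions["default"])
            i += int(action) if action.isdigit() else 0   # a number N means skip the next N modules
        i += 1
    return failure or "success", called
```

Run run_auth() once with known=False (the bare name) and once with known=True and the AD uid from the getent output to compare which modules are reached.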