I'm trying to go through the process of getting a CentOS 7 server to authenticate through AD and am having an issue I'm hoping I can get some help with. I need to have AD logins via group membership, plus a few local accounts that will need to be able to log in. I'll present my original configuration here and then explain the issue.
/etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Example System Engineers, sg_example_admins
+ :sg_example_admins,example systems engineers: ALL
- : ALL : ALL
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account required pam_access.so listsep=,
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
This is the configuration that I was hoping would be correct, but it seems the addition of listsep to the pam_access module in access.conf breaks my configuration and I can log in with any local account. If I remove listsep and the group name with spaces in access.conf, all is well, except that users in that specific group cannot log in.
My next step was to try and disable ldap_id_mapping in /etc/sssd/sssd.conf, but sssd complains with this:
POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
If anyone has ideas on either how to get the AD group with spaces working in my original setup, or how to disable the ID mapping and use that to allow access, please let me know.
Thanks,
Chris.
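Added example, not part of the post above and not Linux-PAM's own code: a small Python model of how pam_access walks access.conf, written from the module's documented rules (fields split on ':', each field's list split on the separator set, which is spaces, tabs and commas unless listsep= replaces it; first matching rule wins; no match at all means the login is permitted). It assumes a constructed membership table in place of NSS/sssd lookups, a constructed client address as the origin, and the group spelling used in the posted access.conf ("example systems engineers"; note the posted sssd.conf spells it "Example System Engineers"). Fed the two rules exactly as posted with listsep=, it shows neither rule matching anyone, because " ALL " keeps its padding once space is no longer a separator, so every account falls through to the default permit. The same two rules with no whitespace around the colons match as intended.

```python
"""Model of how pam_access evaluates access.conf, to reason about listsep.

Simplified re-implementation of the matching rules documented for
pam_access (Linux-PAM 1.1.x as shipped on CentOS 7); not the module's own
code.  Only the token forms used on this page are modelled: ALL, a bare
user or group name, and the (group) form.  EXCEPT lists, @netgroups and
host/network origins are omitted.
"""
from typing import Dict, List, Optional, Set, Tuple

FIELD_SEP = ":"           # fields are always split on ':'
DEFAULT_LISTSEP = ", \t"  # list separators unless listsep= overrides them

# Constructed group membership table (stand-in for NSS/sssd lookups).
# "bob" is only in the AD group whose name contains spaces.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"alice", "sg_example_admins"},
    "bob": {"bob", "example systems engineers"},
    "carol": {"carol"},  # local account that belongs to no allowed group
}


def tokens(field: str, listsep: str) -> List[str]:
    """strtok_r()-style split: any run of separator chars, no empty tokens."""
    out, cur = [], ""
    for ch in field:
        if ch in listsep:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def user_match(tok: str, user: str) -> bool:
    groups = GROUPS.get(user, {user})
    if tok.upper() == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):  # explicit group syntax
        return tok[1:-1] in groups
    return tok == user or tok in groups  # bare token: user name, then group


def from_match(tok: str, origin: str) -> bool:
    return tok.upper() == "ALL" or tok == origin


def evaluate(conf: str, user: str, origin: str,
             listsep: str = DEFAULT_LISTSEP) -> Optional[Tuple[int, str]]:
    """First matching rule as (lineno, '+' or '-'); None if no rule matched.

    pam_access permits the login when nothing matches, so a deny-all line
    that silently stops matching opens the host to every account.
    """
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(FIELD_SEP, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: bad field count")
        perm, users, froms = fields
        if perm[:1] not in ("+", "-"):
            raise ValueError(f"line {lineno}: bad first field")
        # Fields are not trimmed: with listsep=, the token is ' ALL ', not ALL.
        if any(from_match(t, origin) for t in tokens(froms, listsep)) and \
                any(user_match(t, user) for t in tokens(users, listsep)):
            return lineno, perm[0]
    return None


def login_permitted(conf: str, user: str, origin: str = "10.0.0.5",
                    listsep: str = DEFAULT_LISTSEP) -> bool:
    rule = evaluate(conf, user, origin, listsep)
    return rule is None or rule[1] == "+"


# The two access.conf rules exactly as posted above (padded with spaces).
POSTED = ("+ :sg_example_admins,example systems engineers: ALL\n"
          "- : ALL : ALL\n")
# The same rules with no whitespace around the colons, as listsep=, needs.
TIGHT = ("+:sg_example_admins,example systems engineers:ALL\n"
         "-:ALL:ALL\n")

if __name__ == "__main__":
    for label, conf, sep in (("posted, default separators", POSTED, DEFAULT_LISTSEP),
                             ("posted, listsep=,", POSTED, ","),
                             ("tight,  listsep=,", TIGHT, ",")):
        verdict = {u: login_permitted(conf, u, listsep=sep) for u in GROUPS}
        print(f"{label:28s} {verdict}")
```

Running it prints three rows: with the default separators the posted file admits alice and denies bob and carol (the group name with spaces is split into four useless tokens); with listsep=, the posted file matches nobody and so admits all three; the tight file with listsep=, admits alice and bob and denies carol. The model deliberately mirrors the fact that pam_access does not trim whitespace inside fields, which is the whole difference between the two files. On a real host, pam_access also accepts the parenthesised (group name) form to force a group lookup, which avoids any ambiguity with a user of the same name.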