Centos limit logins by AD group with spaces

Support for security such as Firewalls and securing linux
claforce
Posts: 2
Joined: 2018/05/22 14:27:33

Centos limit logins by AD group with spaces

Post by claforce » 2018/05/22 16:14:28

Hello,
I'm trying to go through the process of getting a CentOS 7 server to authenticate through AD, and I'm having an issue I'm hoping I can get some help with. I need AD logins via group membership, plus a few local accounts that will need to be able to log in. I'll present my original configuration here and then explain the issue.

/etc/sssd/sssd.conf


[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Example System Engineers, sg_example_admins

/etc/security/access.conf


+ :sg_example_admins,example systems engineers: ALL
- : ALL : ALL

/etc/pam.d/sshd


#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    required     pam_access.so listsep=,
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

This is the configuration that I was hoping would be correct, but it seems the addition of listsep to the pam_access module in access.conf breaks my configuration, and I can log in with any local account. If I remove listsep and the group name with spaces from access.conf, all is well except that users in that specific group cannot log in.

My next step was to try to disable ldap_id_mapping in /etc/sssd/sssd.conf, but sssd complains with this:

POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled

If anyone has ideas on either how to get the AD group with spaces working in my original setup, or how to disable the id mapping and use that to allow access, please let me know.

Thanks,

Chris.
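An added check for the access.conf and listsep interaction described in the post above (this is not part of the original post or of pam_access itself). pam_access splits the user and origin fields of each rule on the listsep characters; the default set includes space and tab, so padding around the colons is harmless, but with listsep=, the padding in a rule written as "- : ALL : ALL" becomes part of the tokens (" ALL " and " ALL"), which never compare equal to ALL. A rule that matches nobody is skipped, and when no rule matches at all pam_access grants access, which is exactly the "any local account can log in" symptom. The fix is to write the fields without padding. The shell script below (constructed for this thread; file names and the function name are assumptions) embeds both versions of the file and a small lint function that flags whitespace touching ':' or ','. The parentheses in the corrected policy are the pam_access group syntax available on CentOS 7 and stop the entry from first being tried as a user name.

```shell
# Added example for the thread above (not from the original post): a check for
# /etc/security/access.conf rules that stop working once pam_access is given
# listsep=, as in the posted /etc/pam.d/sshd. Paths and names are assumptions.

# The rules as posted (constructed copy). With listsep=, the user field of
# "- : ALL : ALL" is the single token " ALL " (padding included), which is
# not equal to ALL, so the deny-all rule matches nobody; "+ :...: ALL" has
# the same problem in its origin field. No matching rule means pam_access
# allows the login, hence any local account gets in.
BROKEN_CONF='+ :sg_example_admins,example systems engineers: ALL
- : ALL : ALL'

# The same policy written for listsep=,: nothing but ':' between fields and
# nothing but ',' between list entries, so spaces survive only inside the
# group name. The parentheses are the pam_access group syntax and keep the
# entry from being tried as a user name first.
FIXED_CONF='+:(sg_example_admins),(example systems engineers):ALL
-:ALL:ALL'

# lint_access_conf FILE
# Prints each rule (comments and blank lines skipped) that has a space or
# tab touching ':' or ','. Returns 1 if any such rule exists, else 0.
lint_access_conf() {
    if grep -vE '^[[:blank:]]*(#|$)' "$1" \
        | grep -E '[[:blank:]][:,]|[:,][[:blank:]]'; then
        echo "rules above carry padding that becomes part of a token under listsep=," >&2
        return 1
    fi
    return 0
}

# Demo on temporary files (the real target would be /etc/security/access.conf).
broken=$(mktemp) && fixed=$(mktemp)
printf '%s\n' "$BROKEN_CONF" > "$broken"
printf '%s\n' "$FIXED_CONF"  > "$fixed"
echo "== as posted"
lint_access_conf "$broken" || echo "=> fails, as expected"
echo "== rewritten for listsep=,"
lint_access_conf "$fixed" && echo "=> clean"
rm -f "$broken" "$fixed"
```

Before relying on the group rule, confirm that sssd resolves the name exactly as written in access.conf, for example with `getent group 'example systems engineers'` and `id` on a member; note that the posted sssd.conf spells the group "Example System Engineers" while access.conf has "example systems engineers", and both files must name the same group for the login to be allowed.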

hunter86_bg
Posts: 1315
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Centos limit logins by AD group with spaces

Post by hunter86_bg » 2018/05/24 03:52:32

Can you try replacing the spaces with '_'?

claforce
Posts: 2
Joined: 2018/05/22 14:27:33

Re: Centos limit logins by AD group with spaces

Post by claforce » 2018/05/24 11:33:39

Are you suggesting I replace the spaces with underscores in Active Directory, or in the /etc/security/access.conf config file? I'm fairly certain renaming the group in AD would work, but I wanted to see if there was a way around it.
Thanks,

Chris.

tunk
Posts: 376
Joined: 2017/02/22 15:08:17

Re: Centos limit logins by AD group with spaces

Post by tunk » 2018/05/24 11:54:33

I don't know if this works here, but if you e.g. want to copy a file with a space in its name you can use one of these:
cp test\ .txt /to/some/location
cp "test .txt" /to/some/location
