On 25 Jan 2022, at 02:36, Dudas Tibor ABRAXAS
<Tibor.Dudas(a)abraxas.ch> wrote:
Hi,
I can resolve my netgroup user via getent and can login with her on my 389ds client via
ssh.
What does not work, yet, is to exclude all other users.
The Config is:
getent netgroup sysadmin
sysadmin ( ,eve,)
cat /etc/security/access.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
cat /etc/pam.d/system-auth
…
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
cat /etc/security/access.netgroup.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
The client logs say, when I try to login with user alice from my 389ds, not belonging to
my netgroup sysadmin:
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com]
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups,dc=example,dc=com].
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
The client does not even look for netgroups, but lets everyone pass. What did I miss?
You probably don't want pam_access here, since netgroups are not an LDAP thing.
You can have the same effect with ldap access filter in sssd.conf, and then using pam_sss
in the account line of pam.
Any help is appreciated.
Kind regards, Tibor
389-users mailing list -- 389-users(a)lists.fedoraproject.org
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
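The approach William points at, as an added sssd.conf fragment that is neither from the thread nor from the sssd project: an LDAP access filter enforced by pam_sss, so anyone whose entry does not match is denied at the account stage instead of falling through. It assumes the directory layout visible in the log (groups under ou=groups,dc=example,dc=com, base dc=example,dc=com), a group entry cn=sysadmin there whose membership is reflected in memberOf on user entries (389ds MemberOf plugin), and ldap.example.com as a placeholder server name; the netgroup itself cannot be used in the filter, because sssd evaluates ldap_access_filter against the user's own entry, not the netgroup object.

```ini
# /etc/sssd/sssd.conf (added example; values below are assumptions, not from the thread)
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# placeholder server; use the real 389ds host and TLS
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com

# Deny by default: a user passes the account stage only if the filter
# matches her own entry. alice, lacking this memberOf value, is refused
# by pam_sss; eve, a member of cn=sysadmin, is allowed.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=sysadmin,ou=groups,dc=example,dc=com)

# Alternative if memberOf is not maintained on user entries: let sssd
# resolve group membership itself instead of pushing a filter to LDAP.
# access_provider = simple
# simple_allow_groups = sysadmin
```

This only takes effect with pam_sss in the account stack, e.g. the standard `account [default=bad success=ok user_unknown=ignore] pam_sss.so` line in /etc/pam.d/system-auth. `sssctl user-checks alice -s sshd -a acct` then shows the account-stage decision for a user without an interactive login attempt.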