On Thu, Jul 11, 2024 at 05:53:56PM +0100, Steve Scotter wrote:
Hi,
This is likely a newbie issue and I apologize in advance. I've only been working with sssd for a matter of weeks and until I hardened Active Directory (as a result of an internal penetration test) sssd had been reliable and robust.
Over the past few days I've been hardening an Active Directory in a testing environment. It seems as though removing "Authenticated Users" from "Pre-Windows 2000 Compatible Access" (as is recommended best practice) breaks sssd's ability to perform group enumeration.
With "Authenticated Users" in the "Pre-Windows 2000 Compatible Access" group:

# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid=XXXXX00513(domain users) groups=XXXXX01605(redactedgroup1),XXXXX01267(redactedgroup2),XXXXX02621(redactedgroup3),XXXXX01230(redactedgroup4),XXXXX00513(domain users),XXXXX01154(redactedgroup5),XXXXX01257(redactedgroup6),XXXXXX01307(redactedgroup7),XXXXX01156(redactedgroup8),XXXXX01111(redactedgroup9)

With "Authenticated Users" removed from the "Pre-Windows 2000 Compatible Access" group:

# id firstname.lastname
uid=XXXXX01148(firstname.lastname) gid=XXXXX00513(domain users) groups=XXXXX00513(domain users)
Hi,
To be able to determine the group memberships of a user, the `memberOf` attribute must be read. Since SSSD in your configuration is using the tokenGroups request, I guess 'tokenGroupsGlobalAndUniversal' must be allowed as well.
When joining AD, a computer account for the client is created which SSSD is using to authenticate against AD to do LDAP searches. So I guess if you add the 'Domain Computers' group (or a group which contains all SSSD clients) to 'Pre-Windows 2000 Compatible Access' after removing 'Authenticated Users' and restart SSSD (or wait for about 20 minutes, because SSSD should by default reconnect to AD every 15 minutes), the group list is hopefully shown again.
As an alternative you can try to give permissions to the group of SSSD clients to read the mentioned attributes explicitly. But this might be a bit of trial and error, because I'm not sure if the two mentioned are sufficient or if more are needed.
HTH
bye, Sumit
I've had a good rummage around the internet, but not found a solution, or even anyone else reporting this issue before.
Any help gratefully received!
Active Directory is Windows Server 2022 based.
Test client machines:
- Debian 12 - sssd v2.8.2-4
- Ubuntu 22 - sssd v2.6.3-1ubuntu3.3

# cat /etc/sssd/sssd.conf
[sssd]
domains = redacted.co.uk
config_file_version = 2
services = nss, pam
default_domain_suffix = redacted.co.uk
full_name_format = %1$s

[domain/redacted.co.uk]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = REDACTED.CO.UK
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
ad_domain = redacted.co.uk
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
# So that SSH public keys work when a user's key is stored in altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
# Removes requirement for host to communicate with DCs over port 445
ad_gpo_access_control = disabled
# Removes requirement for host to communicate with DCs over port 3268
ad_enable_gc = false
Kind Regards
Steve
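The two options Sumit describes, carried out on the AD side, as an added example that is not part of the thread and not SSSD's or Microsoft's own tooling. It assumes a security group named "SSSD Clients" that contains the client computer accounts (the name is an assumption), applies the explicit read grants at the domain head so they inherit to all descendant user objects, and resolves the attribute and class GUIDs from the schema instead of hardcoding them. Whether memberOf and tokenGroupsGlobalAndUniversal are the only attributes needed is exactly the open question Sumit raises; the script only grants those two.

```powershell
# Added example: restore SSSD group lookups after removing "Authenticated Users"
# from "Pre-Windows 2000 Compatible Access". Assumes the ActiveDirectory module
# and a group "SSSD Clients" holding the client computer accounts (assumed name).
Import-Module ActiveDirectory

$clientGroup = Get-ADGroup -Identity 'SSSD Clients'
$domainDN    = (Get-ADDomain).DistinguishedName
$rootDse     = Get-ADRootDSE

# Option A (broad, quick): put the client computers into the legacy group.
# Uncomment to use; it grants every right the legacy group carries, not just the two attributes.
# Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $clientGroup

# Option B (least privilege): explicit ReadProperty ACEs for the two attributes
# Sumit names, inherited only to user objects under the domain head.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID   # schemaIDGUID is stored as a byte array
}

$userClassGuid = Get-SchemaGuid 'user'
$attrGuids = @{
    memberOf                      = Get-SchemaGuid 'memberOf'
    tokenGroupsGlobalAndUniversal = Get-SchemaGuid 'tokenGroupsGlobalAndUniversal'
}

$sid = [System.Security.Principal.SecurityIdentifier]$clientGroup.SID
$acl = Get-Acl -Path "AD:\$domainDN"

foreach ($name in $attrGuids.Keys) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuids[$name],                                                   # this attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                      # on user objects only
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: show what the client group now holds on the domain head.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($clientGroup.Name)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

After either option, re-test from a client with `id firstname.lastname`; because SSSD caches lookups, run `sss_cache -E` (or restart sssd, as Sumit notes) first so the result reflects the new permissions rather than the cache. If the group list is still short with Option B, that confirms Sumit's caveat that more attributes are needed, and comparing the legacy group's ACEs on a user object with the two granted here is the place to look.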
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue