Hi, Jakub
Thanks for your reply. I have changed domain section according to your words. No success.
Now I cannot even log on to the system via SSH.
[root@testlinux ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains =
example.com
services = nss, pam
debug_level = 0x2000
[nss]
override_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 0x2000
[pam]
debug_level = 0x2000
[
domain/example.com]
id_provider = ad
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TESTLINUX$(a)EXAMPLE.COM
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ldap_referrals = false
ldap_id_mapping = true
ldap_force_upper_case_realm = true
ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
cache_credentials = false
debug_level = 0x2000
[root@testlinux ~]# ssh domainuser(a)127.0.0.1
domainuser(a)127.0.0.1's password:
Connection closed by 127.0.0.1
And again log files are attached
Best regards,
Vladimir Akhmarov
On 08.08.2013, at 13:41, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Thu, Aug 08, 2013 at 12:45:31PM +0400, Vladimir Akhmarov wrote:
>> Hello,
>>
>> I have a strange problem using new "id_provider = ad" and
"ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com"
option. The problem is that I always can log on to the system no matter the user is member
of the ldap_filter group or not. I want to filter out all domain users except those that
are member of special group named "Linux Admins". Please help me to resolve this
issue. In the attachment there are sssd logs.
>>
>> Here are some technical info:
>>
>> Active Directory 2008 R2
>> CentOS 6.4
>>
>> [root@testlinux ~]# uname -a
>> Linux testlinux 2.6.32-358.14.1.el6.x86_64 #1 SMP Tue Jul 16 23:51:20 UTC 2013
x86_64 x86_64 x86_64 GNU/Linux
>>
>> [root@testlinux ~]# sssd --version
>> 1.9.2
>>
>> [root@testlinux ~]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm =
EXAMPLE.COM
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
arcfour-hmac
>> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
arcfour-hmac
>> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
arcfour-hmac
>>
>> [realms]
>>
EXAMPLE.COM = {
>> }
>>
>> [domain_realm]
>>
example.com =
EXAMPLE.COM
>> .example.com =
EXAMPLE.COM
>>
>> [root@testlinux ~]# cat /etc/samba/smb.conf
>> [global]
>> workgroup = EXAMPLE
>> realm =
EXAMPLE.COM
>> security = ads
>> client signing = yes
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> password server = *
>>
>> [root@testlinux ~]# cat /etc/sssd/sssd.conf
>> [sssd]
>> config_file_version = 2
>> domains =
example.com
>> services = nss, pam
>> debug_level = 0x2000
>>
>> [nss]
>> override_shell = /bin/bash
>> override_homedir = /home/%d/%u
>> debug_level = 0x2000
>>
>> [pam]
>> debug_level = 0x2000
>>
>> [
domain/example.com]
>> id_provider = ad
>> access_provider = ad
>> auth_provider = ad
>> chpass_provider = ad
>> ldap_schema = ad
>> ldap_referrals = false
>> ldap_id_mapping = true
>> ldap_force_upper_case_realm = true
>> ldap_filter = memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com
>> cache_credentials = false
>> debug_level = 0x2000
Are you sure the user you are logging in as is a member of Linux Admins?
Can you send another round of logs this time with debug_level = 7 ?