Hello SSSD gurus!
I need your advice.
Current configuration on my web-server:
# hostnamectl
____________________________________________________________________________
Operating System: Debian GNU/Linux 8 (jessie)
Kernel: Linux 3.16.0-4-amd64
Architecture: x86-64
# sssd --version
____________________________________________________________________________
1.11.7
# cat /etc/sssd/sssd.conf
____________________________________________________________________________
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com

[domain/ad.holding.com]
ad_server = dc01.ad.holding.com, dc02.ad.holding.com
ad_backup_server = dc05.ad.holding.com, dc07.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_use_tokengroups = False
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
subdomains_provider = none
ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
simple_allow_groups = SRV-Linux-Servers-Administrators@ad.holding.com
# cat /etc/pam.d/common-account | grep sss
____________________________________________________________________________
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# cat /etc/pam.d/common-auth | grep sss
____________________________________________________________________________
auth [success=1 default=ignore] pam_sss.so use_first_pass
# cat /etc/pam.d/common-password | grep sss
____________________________________________________________________________
password sufficient pam_sss.so use_authtok
# cat /etc/pam.d/common-session | grep sss
____________________________________________________________________________
session optional pam_sss.so
With this configuration everything is working fine.
Only users in the domain group "SRV-Linux-Servers-Administrators@ad.holding.com"
can log in to the server.
Now I need to allow other domain users to connect to the server (Kerberos SSO to a
web site on Apache).
The new domain group "SRV-WebServer-Operators@ad.holding.com" must be able to connect
to the Apache web server, but these users must not be able to log in to the server.
That is, the users of group "SRV-WebServer-Operators" are not members of group
"SRV-Linux-Servers-Administrators".
Please tell me how to properly restrict access in this situation with the help of
SSSD/PAM/NSS.
So far I've created a custom PAM-service:
# cat /etc/pam.d/apache2-operators
auth required pam_sss.so
account required pam_sss.so
And I set up the web server to use this PAM service.
Here is a snippet of the working web server configuration:
...
<Directory "/sub/folder">
#
# Kerberos SSO auth with PAM authz
#
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/apache2/Apache-AD-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
KrbMethodK5Passwd off
# Require valid-user
Require pam-account apache2-operators
#
...
</Directory>
...
Access to the site works if the user is also a member of the group
"SRV-Linux-Servers-Administrators".
But if the user does not belong to group "SRV-Linux-Servers-Administrators", then
he cannot connect to the site.
How can I allow a user from group "SRV-WebServer-Operators" to connect to the
site, but not allow him to log in to the server?
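One way to separate the two decisions, added here as an example and not part of the original post: the SSSD simple access provider is consulted by pam_sss for every PAM service, so it is not the place to distinguish "shell login" from "web site". Let SSSD admit both groups, and make the per-service decision in the PAM stack of each service with pam_succeed_if, which resolves group membership through NSS (the module options, file placement and group-name spelling below are my assumptions about this setup, not something confirmed on the page):

```conf
# ---- /etc/sssd/sssd.conf, [domain/ad.holding.com]: only the keys that change ----
# SSSD's simple provider admits BOTH groups; "which PAM service" is decided below.
access_provider = simple
simple_allow_groups = SRV-Linux-Servers-Administrators@ad.holding.com, SRV-WebServer-Operators@ad.holding.com

# ---- /etc/pam.d/sshd: add this line BEFORE the existing "@include common-account" ----
# Interactive login: only the Linux admins group passes the account stage.
# The fully qualified group name is used because use_fully_qualified_names = True;
# the AD provider resolves names case-insensitively, so the case does not matter.
account required pam_succeed_if.so quiet_success user ingroup SRV-Linux-Servers-Administrators@ad.holding.com
@include common-account

# ---- /etc/pam.d/apache2-operators: used by "Require pam-account apache2-operators" ----
# mod_auth_kerb has already authenticated the user, and mod_authnz_pam only runs the
# account stack, so an "auth" line is not needed here. Operators OR admins pass the
# group test (colon-separated list); pam_sss then applies SSSD's own account checks,
# which is why both groups had to be listed in simple_allow_groups above.
account required pam_succeed_if.so quiet_success user ingroup SRV-WebServer-Operators@ad.holding.com:SRV-Linux-Servers-Administrators@ad.holding.com
account required pam_sss.so
```

Two caveats. First, the same pam_succeed_if line has to go into every PAM service that can hand out a shell on this host (login, su, and so on), otherwise the restriction only covers ssh; sshd's own AllowGroups directive is a non-PAM alternative for the ssh case. Second, the user name that reaches PAM from Apache is whatever mod_auth_kerb sets as REMOTE_USER (the full principal unless KrbLocalUserMapping is on), so the group test is only meaningful if SSSD can resolve that form of the name through NSS, which the working admin-group setup on the page already shows it can.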