Hi All.
I’m trying to craft a configuration (on RHEL7, sssd-1.13.0-40.el7_2.12.x86_64) that will
offer the following:
- authenticate a specific application (‘app’) via PAM/sssd to our AD directory (EXAMPLE.COM)
- authenticate everything else (in particular, sshd) via PAM/sssd to our UNIX-based Kerberos/LDAP directory (UNIXAUTH.EXAMPLE.COM)
Note that users have the same username in both directories, but have different passwords
and different group membership.
The config I’m using to achieve this is:
----------
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com, unixauth.example.com

[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash
override_homedir = /home/%u

[pam]

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = permit
cache_credentials = true
ldap_idmap_range_size = 200000000
dyndns_update = false
ignore_group_members = true
debug_level = 7

[domain/unixauth.example.com]
debug_level = 9
id_provider = ldap
auth_provider = krb5
access_provider = ldap
chpass_provider = none
sudo_provider = none
autofs_provider = none
dns_discovery_domain = unixauth.example.com
lookup_family_order = ipv4_only
enumerate = true
ldap_uri = _srv_
ldap_default_bind_dn = cn=UNIX Manager,ou=admin,o=example
ldap_default_authtok = XXXXXXXXXXXXXXX
ldap_id_use_start_tls = true
ldap_access_filter = (isMemberOf=cn=systems,ou=roles,o=example)
ldap_user_search_base = ou=people,o=example?subtree?(|(isMemberOf=cn=systems,ou=roles,o=example))
ldap_group_search_base = ou=unix,o=example
ldap_schema = rfc2307
ldap_tls_reqcert = never
ldap_tls_cacertfile = /etc/openldap/cacerts/unixauth-ca-bundle.crt
# Get all the settings from /etc/krb5.conf
krb5_realm = UNIXAUTH.EXAMPLE.COM
----------
In addition, I’m specifying:
- ‘pam_sss.so […] domains=example.com’ in /etc/pam.d/app
- ‘pam_sss.so […] domains=unixauth.example.com’ in /etc/pam.d/system-auth
This configuration works to a point. The ‘app’ auth works correctly using AD credentials.
However, although I can ssh in to the host with my ‘unixauth.example.com’ credentials
successfully as I want, my *group* membership is coming from AD (example.com) *instead of*
LDAP (unixauth.example.com)!
Should it be possible to setup the configuration I describe? If so, are there some
settings I’m missing to make this work?
Regards,
Robert.
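An added example, not part of Robert's post: a small Python lint over the configuration above that reports which domain an unqualified user name is resolved in first and flags the settings a reviewer would question (access_provider=permit, ldap_tls_reqcert=never, enumerate=true). It assumes sssd's documented rule that an unqualified name is tried against the [sssd] domains list in order and the first domain that knows the name wins, and that NSS lookups such as `id` do not pass through pam_sss, so its `domains=` restriction does not apply to them; the embedded config is a constructed, trimmed copy of the posted one with the bind password removed.

```python
import configparser

# Constructed sample: the posted configuration, trimmed, bind password removed.
SAMPLE = """
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com, unixauth.example.com
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = permit
[domain/unixauth.example.com]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacertfile = /etc/openldap/cacerts/unixauth-ca-bundle.crt
enumerate = true
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def domain_order(cp):
    """Domains in the order sssd tries them for an unqualified name (assumed rule:
    first domain that knows the name wins; NSS lookups do not go through pam_sss)."""
    return [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]

def lint(cp):
    """Return human-readable findings; an empty list means nothing to report."""
    findings, order = [], domain_order(cp)
    qualified = all(cp.getboolean(f"domain/{d}", "use_fully_qualified_names",
                                  fallback=False) for d in order)
    if len(order) > 1 and not qualified:
        findings.append(f"unqualified names resolve in {order[0]} first; "
                        "same-named users in later domains are shadowed")
    for d in order:
        sec = f"domain/{d}"
        if cp.get(sec, "access_provider", fallback="permit") == "permit":
            findings.append(f"{d}: access_provider=permit, any authenticated user is let in")
        if cp.get(sec, "ldap_tls_reqcert", fallback="hard") == "never":
            findings.append(f"{d}: ldap_tls_reqcert=never, server certificate is not verified")
        if cp.getboolean(sec, "enumerate", fallback=False):
            findings.append(f"{d}: enumerate=true, whole directory is downloaded and cached")
    return findings
```

Call `lint(parse(SAMPLE))` to get the findings; replacing SAMPLE with the contents of /etc/sssd/sssd.conf runs the same checks against a live file.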