Hi,
On Thu, Jul 7, 2022 at 12:14 PM Fisher, Philip phil.fisher@dxc.com wrote:
Hi SSSD experts
I have tried examining various documentation and man pages but I am unable to determine the answer. Specifically, for security reasons, we require users on our Linux servers to log in via AD credentials only (unless they are a specific local user). In particular, if the provider is offline/not available (in this case an AD server/servers) then login should fail.
Sounds like `cache_credentials = false`? (see `man sssd.conf`)
I thought it would be possible by setting various "cache" parameters but the documentation suggests that zero (0) is not a useful value.
So, can this be done? And if so, how? And if I missed some simple thing in the documentation a reply pointing me to said documentation would be acceptable :-).
Thanks. Phil
-- Phil J Fisher UNIX Technology Consultant
DXC Technology Company -- This message is transmitted to you by or on behalf of DXC Technology Company or one of its affiliates. It is intended exclusively for the addressee. The substance of this message, along with any attachments, may contain proprietary, confidential or privileged information or information that is otherwise legally exempt from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate any part of this message. If you have received this message in error, please destroy and delete all copies and notify the sender by return e-mail. Regardless of content, this e-mail shall not operate to bind DXC Technology Company or any of its affiliates to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Thu, Jul 7, 2022 at 6:21 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Thu, Jul 7, 2022 at 12:14 PM Fisher, Philip phil.fisher@dxc.com wrote:
In particular, if the provider is offline/not available (in this case an AD server/servers) then login should fail.
Sounds like `cache_credentials = false`? (see `man sssd.conf`)
Moreover, `cache_credentials = false` is the default, so unless this is overridden, attempts to login will fail if the AD KDCs are not available.
We can confirm that this is the case: we don't override cache_credentials, and if something breaks network connectivity for a host, we can only log in on the console with an account with a local password (e.g. root); attempting to log in with an account that requires AD/Kerberos authentication fails.
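Added example, not part of the thread or of SSSD itself: a small Python check that reads an sssd.conf and reports, per `[domain/...]` section, whether `cache_credentials` is explicitly enabled, explicitly disabled, or absent (in which case the default of false applies and login requires the provider to be reachable). It also reads `offline_credentials_expiration` from the `[pam]` section, which only matters once caching is on. The configuration text embedded below is constructed for the example; the function names are this example's own.

```python
"""Audit an sssd.conf for domains that would permit cached (offline) logins.

Added example for the sssd-users thread above; not SSSD project code.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample configuration for the example (not from the thread).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp.example.com, lab.example.com, relying.example.com

[pam]
offline_credentials_expiration = 7

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
cache_credentials = True

[domain/lab.example.com]
id_provider = ad
cache_credentials = false

[domain/relying.example.com]
id_provider = ad
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; interpolation is disabled so a literal '%'
    in a value (e.g. in an LDAP filter) does not trip the parser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit_cache_credentials(text: str) -> Dict[str, str]:
    """Map each domain to one of:
    'cached'   - cache_credentials is set to true, offline login is possible
    'disabled' - cache_credentials is set to anything else (false)
    'default'  - option absent; SSSD's default (false) applies
    """
    cp = parse_sssd_conf(text)
    verdicts: Dict[str, str] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        value = cp.get(section, "cache_credentials", fallback=None)
        if value is None:
            verdicts[domain] = "default"
        elif value.strip().lower() == "true":
            verdicts[domain] = "cached"
        else:
            verdicts[domain] = "disabled"
    return verdicts


def domains_allowing_offline_login(text: str) -> List[str]:
    """Domains an auditor would flag: login can succeed with the AD KDCs down."""
    return sorted(d for d, v in audit_cache_credentials(text).items() if v == "cached")


def offline_credentials_expiration(text: str) -> Optional[int]:
    """Days cached credentials stay valid ([pam] section); None if unset.
    A value of 0 means no expiration. Irrelevant unless some domain caches."""
    cp = parse_sssd_conf(text)
    value = cp.get("pam", "offline_credentials_expiration", fallback=None)
    return int(value) if value is not None else None


if __name__ == "__main__":
    for domain, verdict in audit_cache_credentials(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {verdict}")
    flagged = domains_allowing_offline_login(SAMPLE_SSSD_CONF)
    if flagged:
        print("offline login possible for:", ", ".join(flagged))
        print("offline_credentials_expiration (days):",
              offline_credentials_expiration(SAMPLE_SSSD_CONF))
```

Run it against `/etc/sssd/sssd.conf` (and any `conf.d` snippets) by reading the file into `audit_cache_credentials`; a domain that reports `default` or `disabled` behaves as Phil wants, while `cached` is the one setting that lets a user authenticate with stored credentials while the provider is unreachable.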
Thank you both -- cannot believe I failed to see that option :-(. But at least you have cleared up the meaning as it was (IMO) slightly ambiguously phrased.
Phil
-- Phil J Fisher UNIX Technology Consultant
-----Original Message----- From: James Ralston ralston@pobox.com Sent: 07 July 2022 17:48 To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: Can SSSD be set up to disallow login if provider not available?