Displaying 20 results from an estimated 85 matches for "access_provider".
2016 Sep 02
3
Samba4 and sssd authentication not working due "Transport encryption required."
...2016) [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3):
Going offline. Running callbacks.
my sssd configuration is below
[sssd]
config_file_version = 2
domains = xxx.xxx
services = nss, pam
debug_level = 5
[nss]
[pam]
[domain/xxx.xx]
ldap_referrals = false
enumerate = true
id_provider = ldap
#access_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxx
ldap_schema = rfc230...
2016 Sep 02
4
Samba4 and sssd authentication not working due "Transport encryption required."
...xxx.xxx
> > services = nss, pam
> > debug_level = 5
> >
> >
> > [nss]
> >
> >
> > [pam]
> >
> >
> > [domain/xxx.xx]
> > ldap_referrals = false
> > enumerate = true
> >
> > id_provider = ldap
> > #access_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > ldap_id_use_start_tls = False
> > ldap_auth_disable_tls_never_use_in_production = true
> > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > ldap_default_authtok_type = pa...
2015 Feb 23
2
sssd - ldap host attribute ignored
...box.
ldap works fine. I can log in there as a usual user registered in ldap.
I now want to restrict the access with ldap's host attribute. This is
being ignored. Still every ldap user can log in, no matter what the host
attribute says.
I googled around and only found that sssd.conf needs two lines:
access_provider = ldap
ldap_access_order = host
So I do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh
Can somebody give me hints what could be wrong?
With kind regards and thanks a lot in advance, Ulrich
/etc/sssd/sssd.conf:
-----------------...
2013 Apr 14
1
sssd getent problem with Samba 4.0
...e2:*:3000034:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.
/etc/nsswitch.conf
passwd: compat sss
group: compat sss
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_...
2015 May 05
6
ldap host attribute is ignored
...yuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pa...
2016 Sep 03
1
Samba4 and sssd authentication not working due "Transport encryption required."
...;
>>>> [nss]
>>>>
>>>>
>>>> [pam]
>>>>
>>>>
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>>
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>&...
2015 May 06
2
ldap host attribute is ignored
..._uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #
[autofs]
When I stop the sssd daemon, no login at all is possible. But when I
start sssd, again login is successful, independently of what I write
into ldap_access_order and ldap_user_authori...
2015 May 11
2
sssd on a DC
...ss these two machines.
In case anyone needs it, my sssd.conf is very simple. I'm using the
standard sssd that comes with CentOS 6.6 (which is 1.11.6). Conf file
is:
[sssd]
config_file_version = 2
domains = domain.tld
services = nss, pam
[domain/domain.tld]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = True
ldap_schema = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> I have set logging in sssd to 9:
7 might be good enough for what you want to find. I added this to
domain/default section:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7
/var/log/sssd/sssd_default.log logged the following for one user which
had no "host" attribute, and was denied login:
-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]]
[sdap_get_initgr_next_base] (0x04...
2015 May 12
2
ldap host attribute is ignored
Ulrich Hiller wrote:
> That's interesting. "performing access check" is really missing.
>
> Also the "sdap_access" lines are not there. Therefore I do have:
>
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400): Option ldap_access_filter has no value
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400):
2015 May 12
1
ldap host attribute is ignored
Ulrich Hiller wrote:
> I thought this too.
> I think this:
>
> access_provider = ldap
> ldap_access_filter = memberOf=host=does-not-exist-host
> ldap_access_order = filter
> ldap_user_authorized_host = host
>
> must confuse sssd so much that it denies login. But the user without
> host attribute can still log in.
>
Wait - are you saying that it didn't...
2016 Sep 02
0
Samba4 and sssd authentication not working due "Transport encryption required."
...iguration is below
>
> [sssd]
> config_file_version = 2
> domains = xxx.xxx
> services = nss, pam
> debug_level = 5
>
>
> [nss]
>
>
> [pam]
>
>
> [domain/xxx.xx]
> ldap_referrals = false
> enumerate = true
>
> id_provider = ldap
> #access_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> ldap_id_use_start_tls = False
> ldap_auth_disable_tls_never_use_in_production = true
> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> ldap_default_authtok_type = password
> ldap_default_autht...
2016 Feb 02
3
Mac OS X and ACL's
...services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://dc01.auth.domain.com
ldap_search_base = dc=auth,dc=domain,dc=com
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_a...
2023 Nov 24
1
Sudoers in Samba LDAP
...ant to store sudoers in LDAP, and use sssd to get rules from LDAP.
I configured sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
user = _sssd
domains = TEST.ALT
[nss]
[sudo]
[pam]
[domain/TEST.TLD]
dyndns_update = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
ad_gpo_ignore_unreadable = true
ad_gpo_access_control = permissive
ad_update_samba_machine_account_password = true
cache_credentials = false
sudo_provider = ad
ldap_sudo_search_base = ou=sudoers, dc=test, dc=tld
and? nss...
2014 Aug 27
2
sssd with ad backend and "ldap_id_mapping = false" refuse to start
...t = entry_cache_timeout = 5400
entry_cache_user_timeout = 10
entry_cache_group_timeout = 10
# Using id_provider=ad sets the best defaults on its own
id_provider = ad
# In sssd, the default access provider is always 'permit'. The AD access
# provider by default checks for account expiration
access_provider = ad
# Uncomment to use POSIX attributes on the server
ldap_id_mapping = true
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
#ad_hostname = invisad.invis-ad.loc
# Uncomment if DNS SRV resolution is not working
#ad_server = invisad.invis-ad.loc
# Unc...
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
...redentials cache file '/run/user/$UID$/krb5cc/tkt' not found.
So the ticket cache is not created during logon.
I'm using sssd with the following sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = $DOMAINNAME$
[nss]
[pam]
[domain/$DOMAINNAME$]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
krb5_keytab=/etc/krb5.keytab
And sshd with the following sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
X1...
2015 May 12
0
ldap host attribute is ignored
...: [objectClass]" and "Requesting attrs: [host]" are in
the logfile.
So there is no access check apart from username and password check -
otherwise I would not have been able to log in.
The question is why doesn't it perform these checks.
Just to repeat: My sssd.conf contains
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
I read something about "pam_check_host_attr" in /etc/ldap.conf But this
does not help in my /etc/openldap/ldap.conf (already tested).
Any idea is still welcome.
With kind regards, ulrich
On 05/12/2015 07:45 PM, Gordon...
2014 Jul 23
1
sssd problems after dc1 is no longer online
...ve authentication info)
Finally, here is my sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# enable or disable the below
# debug_level = 3
# debug_level = 5
debug_level = 8
[nss]
[pam]
[domain/default]
debug_level = 8
ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple
ldap_referrals = false
ldap_force_upper_case_realm = true
# on large directories, you may want to disable enumeration for performance reasons
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAM...
2016 Sep 03
0
Samba4 and sssd authentication not working due "Transport encryption required."
...5
> > >
> > >
> > > [nss]
> > >
> > >
> > > [pam]
> > >
> > >
> > > [domain/xxx.xx]
> > > ldap_referrals = false
> > > enumerate = true
> > >
> > > id_provider = ldap
> > > #access_provider = ldap
> > > auth_provider = ldap
> > > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > > ldap_id_use_start_tls = False
> > > ldap_auth_disable_tls_never_use_in_production = true
> > > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > >...
2023 Nov 24
1
Sudoers in Samba LDAP
...sd.conf
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> user = _sssd
> domains = TEST.ALT
>
> [nss]
> [sudo]
> [pam]
>
> [domain/TEST.TLD]
> dyndns_update = true
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> debug_level = 0
> ad_gpo_ignore_unreadable = true
> ad_gpo_access_control = permissive
> ad_update_samba_machine_account_password = true
> cache_credentials = false
> sudo_provider = ad
> ldap_sudo_search...