Tuesday, January 25, 2022

[389-users] Re: ssh does not see my access.conf

Thanks, you are right: It works with the memberof-Plugin and ldap access filter.

Is there a way to make it work with netgroups? We have it set up like that in our OpenLDAP and would have to migrate everything, otherwise.

According to the documentation it should work:
https://directory.fedoraproject.org/docs/389ds/howto/howto-netgroups.html


Thanks for your answer,
Tibor


-----Ursprüngliche Nachricht-----
Von: William Brown <william.brown@suse.com>
Gesendet: Dienstag, 25. Januar 2022 00:24
An: 389-users@lists.fedoraproject.org
Betreff: [389-users] Re: ssh does not see my access.conf



> On 25 Jan 2022, at 02:36, Dudas Tibor ABRAXAS <Tibor.Dudas@abraxas.ch> wrote:
>
> Hi,
>
> I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh.
>
> What does not work, yet, is to exclude all other users.
>
> The Config is:
> getent netgroup sysadmin
> sysadmin ( ,eve,)
>
> cat /etc/security/access.conf
> +:root:LOCAL
> +:root:ALL
> +:@sysadmin:ALL
> -:ALL:ALL EXCEPT LOCAL
>
> Cat /etc/pam.d/system-auth
> …
> account required pam_access.so
> accessfile=/etc/security/access.netgroup.conf
>
> cat =/etc/security/access.netgroup.conf
> +:root:LOCAL
> +:root:ALL
> +:@sysadmin:ALL
> -:ALL:ALL EXCEPT LOCAL
>
> The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin:
> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
> [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com].
> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
> [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24
> 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error:
> 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
>
> The client does not even look for netgroups, but lets everyone pass. What did I miss?

You probably don't want pam_access here, since netgroups are not an LDAP thing.

You can have the same effect with ldap access filter in sssd.conf, and then using pam_sss in the account line of pam.

>
> Any help is appreciated.
>
> Kind regards, Tibor
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org To
> unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorapr
> oject.org Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management SUSE Labs, Australia

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment