
SSSD with Simple Access Provider won't allow users to log in


I've got SSSD set up and running (much thanks to you guys for that!) However I'm having some problems with now getting it to filter based on groups. I've tried both LDAP and Simple access providers, but for the sake of troubleshooting I'm sticking with simple for now.

When I run my command I get prompted for a password, it does the password check (will not accept an incorrect one) and then spits out an error:

ssh test@EXAMPLE.COM@serverA
test@EXAMPLE.COM@serverA's password:
Connection closed by 256.256.256.256

This is what sssd.log is spitting out:

[simple_access_obtain_filter_lists] (0x0200): Allow users list is empty.
[sssd[be[EXAMPLE.COM]]] [simple_access_obtain_filter_lists] (0x0200): Deny users list is empty.
[sssd[be[EXAMPLE.COM]]] [simple_access_obtain_filter_lists] (0x0200): Deny groups list is empty.
[sssd[be[EXAMPLE.COM]]] [simple_access_check_send] (0x0200): Simple access check for test@EXAMPLE.COM
[sssd[be[EXAMPLE.COM]]] [simple_check_get_groups_send] (0x1000): Looking up groups for user test@EXAMPLE.COM
[sssd[be[EXAMPLE.COM]]] [simple_check_get_groups_send] (0x0020): Invalid user test@EXAMPLE.COM!
[simple_access_check_done] (0x0040): Could not collect groups of user test@EXAMPLE.COM
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]

Here's my sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE.COM
use_fully_qualified_names = False
debug_level = 10
access_provider = ldap

[nss]
debug_level = 9
filter_users = root,ldap,hacluster,haldaemon,man,messagebus,nobody,polkituser,postfix,postgres,puppet,rsyncguy,sshd,tftp,tomcat,upsd,wwwrun

[pam]
reconnection_retries = 3
debug_level = 9

[domain/EXAMPLE.COM]
re_expression = ((?P<name>.+)|((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
enumerate = False
cache_credentials = False
id_provider = ldap
auth_provider = krb5
access_provider = simple
chpass_provider = krb5
dns_discovery_domain = example.com
ldap_uri = ldap://ldap.example.com
ldap_schema = rfc2307bis
# ldap_referrals = False
ldap_search_base = dc=example,dc=com
ldap_user_principal = krbPrincipalName
ldap_user_search_base = ou=people,dc=ls,dc=com
ldap_group_search_base = ou=groups,dc=ls,dc=com
simple_allow_groups = group-name
use_fully_qualified_names = False
ldap_user_home_directory = homeDirectory
ldap_force_upper_case_realm = True
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/cert/example/cert.pem
ldap_use_tokengroups = false
krb5_realm = EXAMPLE.COM

On the same box, running this command looks OK:

id test@EXAMPLE.COM
uid=5080(test@EXAMPLE.COM) gid=100(users) groups=100(users),1076(group-name)

Any ideas on what I'm missing/doing wrong?

submitted by /u/ShotgunSenorita
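A checker for this kind of setup, added here as an example and not taken from the post, from SSSD, or from anyone replying to it. It parses an sssd.conf, the `id` output and the domain log into Python, reports access-control options that sit in a section where sssd.conf(5) does not define them (the post's [sssd] section carries an access_provider line, which is a domain option), and emulates the simple provider's rule order from sssd-simple(5): deny lists win, and when no allow list is configured everyone is admitted. The SAMPLE_* inputs are constructed from what the post shows and reduced to the relevant keys; the function names are the example's own.

```python
"""Offline sanity checks for an SSSD 'simple' access-provider setup (added example)."""
import configparser
import re

# Constructed inputs, reduced from what the post shows.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE.COM
access_provider = ldap

[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
access_provider = simple
simple_allow_groups = group-name
use_fully_qualified_names = False
"""

SAMPLE_ID = "uid=5080(test@EXAMPLE.COM) gid=100(users) groups=100(users),1076(group-name)"

SAMPLE_LOG = """\
[simple_access_check_send] (0x0200): Simple access check for test@EXAMPLE.COM
[simple_check_get_groups_send] (0x0020): Invalid user test@EXAMPLE.COM!
[simple_access_check_done] (0x0040): Could not collect groups of user test@EXAMPLE.COM
"""

# Options that sssd.conf(5) documents under the [domain/...] sections only.
DOMAIN_ONLY = {"access_provider", "simple_allow_users", "simple_deny_users",
               "simple_allow_groups", "simple_deny_groups"}


def parse_sssd_conf(text):
    """Parse sssd.conf into {section: {key: value}}; values are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def split_list(value):
    """sssd list options are comma separated; return the names without blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def lint_access_config(cfg):
    """Report access-control options that cannot take effect where they are placed."""
    findings = []
    for section, opts in cfg.items():
        in_domain = section.startswith("domain/")
        for key in opts:
            if key in DOMAIN_ONLY and not in_domain:
                findings.append(f"[{section}] {key}: domain option, not honoured here")
        if in_domain:
            provider = opts.get("access_provider")
            rules = [k for k in opts if k.startswith("simple_")]
            if rules and provider != "simple":
                findings.append(f"[{section}] simple_* rules but access_provider={provider}")
            if provider == "simple" and not rules:
                findings.append(f"[{section}] simple provider with no rules: everyone allowed")
    return findings


def parse_id_groups(id_output):
    """Group names from `id` output: 'groups=100(users),1076(g)' -> {'users', 'g'}."""
    m = re.search(r"groups=(\S+)", id_output)
    return set(re.findall(r"\d+\(([^)]+)\)", m.group(1))) if m else set()


def simple_access_decision(domain_opts, user, user_groups):
    """Emulate sssd-simple(5): a matching deny rule wins; with no allow list at all
    access is granted; otherwise the user or one of its groups must be allowed."""
    allow_users = split_list(domain_opts.get("simple_allow_users"))
    allow_groups = split_list(domain_opts.get("simple_allow_groups"))
    deny_users = split_list(domain_opts.get("simple_deny_users"))
    deny_groups = split_list(domain_opts.get("simple_deny_groups"))
    if user in deny_users or user_groups & set(deny_groups):
        return False
    if not allow_users and not allow_groups:
        return True
    return user in allow_users or bool(user_groups & set(allow_groups))


def failed_group_lookups(log_text):
    """Users whose group lookup the simple provider rejected ('Invalid user X!')."""
    return re.findall(r"Invalid user (\S+)!", log_text)


if __name__ == "__main__":
    cfg = parse_sssd_conf(SAMPLE_CONF)
    for finding in lint_access_config(cfg):
        print("config:", finding)
    groups = parse_id_groups(SAMPLE_ID)
    domain = cfg["domain/EXAMPLE.COM"]
    print("rules would admit test:", simple_access_decision(domain, "test", groups))
    print("group lookups the provider rejected:", failed_group_lookups(SAMPLE_LOG))
```

The point of running the decision separately from the log parser is to separate two questions that the log collapses into one failure: whether the rules as written would admit the user given the groups `id` reports (here they would), and whether the provider managed to resolve the user at all (here the log says it did not), so the rules were never evaluated.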
