嵌套AD组不受SSSD的尊重
嵌套AD组不受SSSD的尊重
提问于 2022-04-06 20:37:10
我有一个域连接服务器,配置为sssd。在sssd.conf中我使用
ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)
这对于CustomGroup中的用户很好,但对于作为CustomGroup成员的Nested_CustomGroup组中的用户则不适用。
我的sssd.conf看起来如下:
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam
[domain/company.com]
ad_domain = company.com
krb5_realm = COMPANY.COM
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ignore_group_members = False
ldap_group_nesting_level = 2
use_fully_qualified_names = False
fallback_homedir = /home/%u
case_sensitive = false
access_provider = ad
auth_provider = ad
enumerate = false
ad_gpo_access_control = disabled
ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)用户从嵌套组登录时的sshd日志日志:
server sshd[30781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
server sshd[30781]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
server sshd[30781]: pam_sss(sshd:account): Access denied for user someuser: 6 (Permission denied)
server sshd[30781]: Failed password for someuser from x.x.x.x port 26241 ssh2
server sshd[30781]: fatal: Access denied for user someuser by PAM account configuration [preauth]有什么想法吗?谢谢,
回答 1
Server Fault用户
发布于 2022-04-07 01:49:55
为了在LDAP语法中针对Active Directory查询帐户的递归或嵌套组成员,需要使用OID 1.2.840.113556.1.4.1941,这是用于LDAP_MATCHING_RULE_IN_CHAIN或LDAP_MATCHING_RULE_TRANSITIVE_EVAL的OID
在这种情况下,需要将访问筛选器调整为
(memberOf:1.2.840.113556.1.4.1941:=CN=CustomGroup,OU=Security Group,DC=company,DC=com)页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1097985
复制相关文章
相似问题
腾讯云开发者
