
#1 2022-10-03 19:34:23

Erroneous
Member
Registered: 2006-08-28
Posts: 35

[SOLVED] SSSD AD integration not pulling GPOs, not using ad_access_fil

I'm in the process of using Active Directory as a centralized login management for various Windows and Linux machines. I joined the domain with

realm join -v --user=Administrator --computer-ou=OU=Linux-Servers --os-name=ArchLinux ad.example.com

I was able to set up Ubuntu using realmd, sssd, and ad on another machine, and I see logs that indicate it is fetching the GPO policies like:

   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] populating attrs for gpo_guid: {CA8FD4EE-6C1D-4C02-925C-2841BB97B980}
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_extract_smb_components] (0x4000): [RID#41] input_path: \\ad.example.com\SysVol\ad.example.com\Policies\{CA8FD4EE-6C1D-4C02-925C-2841BB97B980}
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] smb_server: smb://dc.ad.example.com
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] smb_share: /SysVol
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] smb_path: /ad.example.com/Policies/{CA8FD4EE-6C1D-4C02-925C-2841BB97B980}
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] gpo_func_version: 2
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_sd_process_attrs] (0x4000): [RID#41] gpo_flags: 0
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_parse_machine_ext_names] (0x4000): [RID#41] num_gpo_cse_guids: 1
   *  (2022-10-03 11:25:30): [be[ad.example.com]] [ad_gpo_parse_machine_ext_names] (0x4000): [RID#41] gpo_cse_guids[0] is {C6DC5466-785A-11D2-84D0-00C04FB169F7}

but I can't find similar lines on my Arch machine and /var/log/sssd/gpo_child.log doesn't exist at all.

When I uncomment my ad_access_filter on Ubuntu and try to log in with an account that doesn't match, I get logs like:

   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_account_expired_ad] (0x0400): [RID#6] Performing AD access check for user [deny_user@ad.example.com]
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_account_expired_ad] (0x4000): [RID#6] User account control for user [deny_user@ad.example.com] is [10200].
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_account_expired_ad] (0x4000): [RID#6] Expiration time for user [deny_user@ad.example.com] is [9223372036854775807].
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_access_filter_send] (0x0400): [RID#6] Performing access filter check for user [deny_user@ad.example.com]
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_access_filter_send] (0x0400): [RID#6] Checking filter against LDAP
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_id_op_connect_step] (0x4000): [RID#6] reusing cached connection
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_print_server] (0x2000): [RID#6] Searching 192.168.0.5:3268
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#6] calling ldap_search_ext with [(&(sAMAccountName=deny_user)(objectclass=user)(memberOf=CN=Linux-Users,CN=Users,DC=ad,DC=example,DC=com))][CN=Deny User Test,OU=Support,DC=ad,DC=example,DC=com].
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_get_generic_ext_step] (0x2000): [RID#6] ldap_search_ext called, msgid = 3
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_op_add] (0x2000): [RID#6] New operation 3 timeout 6
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_process_result] (0x2000): Trace: sh[0x562d1acc60d0], connected[1], ops[0x562d1ac8bd40], ldap[0x562d1aca66d0]
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_process_message] (0x4000): [RID#6] Message type: [LDAP_RES_SEARCH_RESULT]
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Success(0), no errmsg set
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_op_destructor] (0x2000): [RID#6] Operation 3 finished
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_id_op_done] (0x4000): [RID#6] releasing operation connection
   *  (2022-10-03 12:34:51): [be[ad.example.com]] [sdap_access_filter_done] (0x0100): [RID#6] User [deny_user@ad.example.com] was not found with the specified filter. Denying access.

And when I try to log in (su deny_user) with a user that doesn't have access to that machine (same GPO for both Ubuntu and Arch boxes, assigned by AD Computer), it works as expected. When I try to log in with a valid user, it works as expected.

On Arch I was able to join the computer using realmd (from the AUR) and can log in using a domain user. The trouble is that I can log in as any active domain user. It never starts a gpo_child process. When I use ad_access_filter with id_provider = ad and access_provider = ad, that filter never gets used (debug_level = 9 in the domain/ad.example.com section). When I switch to using ldap_access_filter, that one isn't used either. With ad_gpo_implicit_deny = true there's no change. I'm also not seeing any log lines with

grep -Rni smb /var/log/sssd

while I get plenty on Ubuntu as it populates with the GPO. I haven't tried the simple provider because I need to enforce account validity and expiration. I'm using the same sssd.conf, and krb5.conf between Ubuntu and Arch.

I'm wondering if there is some issue with the sssd package where it never calls the routines to filter out valid users via the *_access_filter or looking at GPOs. Has anyone else gotten sssd working with ad GPO or ad_access_filter with sssd 2.7.4-2?

/etc/sssd/sssd.conf

[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam, ssh
default_domain_suffix = ad.example.com

[domain/ad.example.com]
default_shell = /usr/bin/zsh
debug_level = 9
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad.example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
#ad_access_filter = (memberOf=CN=Linux-Users,CN=Users,DC=ad,DC=example,DC=com)
ad_gpo_implicit_deny = true

/etc/krb5.conf

[libdefaults]
default_realm = AD.EXAMPLE.COM
udp_preference_limit = 0

Last edited by Erroneous (2022-10-03 22:07:37)


#2 2022-10-03 22:07:02

Erroneous
Member
Registered: 2006-08-28
Posts: 35

Re: [SOLVED] SSSD AD integration not pulling GPOs, not using ad_access_fil

OK, I solved it. The issue was that the PAM configuration I was using did not evaluate pam_sss.so anywhere in the account section.

Adding the following fixed it:

account [default=bad success=ok user_unknown=ignore]    pam_sss.so

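Added here as an example, not code from the thread: a small audit that parses PAM service files, follows include/substack directives, and reports whether pam_sss.so takes part in the account phase, which is exactly the gap the fix above closes (without it, SSSD's access_provider, ad_access_filter and GPO checks are never consulted at login). The /etc/pam.d contents below are constructed stand-ins, and the service names and layout are assumptions.

```python
import re

# Constructed stand-ins for /etc/pam.d/<service> files (assumed Arch-style
# layout). "su-broken" mirrors the thread: pam_sss.so is only in the auth phase.
PAM_FILES = {
    "su-broken": """\
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-auth
""",
    "system-auth": """\
auth      sufficient  pam_sss.so forward_pass
auth      required    pam_unix.so try_first_pass nullok
account   required    pam_unix.so
# no account entry for pam_sss.so here, so access_provider is never consulted
""",
    "su-fixed": """\
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   [default=bad success=ok user_unknown=ignore]    pam_sss.so
account   include     system-auth
""",
}

# One PAM rule: type, control (a single word or a [...] block), module, args.
RULE = re.compile(r"^(?P<type>-?\w+)\s+(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)(?P<args>.*)$")


def account_modules(service, files=PAM_FILES, seen=None):
    """Ordered modules in the 'account' phase of `service`, descending into
    include/substack targets; cycles and unknown files are skipped."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    mods = []
    for line in files[service].splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if not m or m.group("type").lstrip("-") != "account":
            continue
        if m.group("ctrl") in ("include", "substack"):
            mods += account_modules(m.group("mod"), files, seen)
        else:
            mods.append(m.group("mod"))
    return mods


def sss_enforced(service, files=PAM_FILES):
    """True when pam_sss.so runs in the account phase, so SSSD can deny a login."""
    return "pam_sss.so" in account_modules(service, files)
```

On a real host, read each file under /etc/pam.d into the dictionary and run sss_enforced() for every login service (su, sshd, login, and so on); a service that reports False will let any SSSD user in regardless of ad_access_filter or GPO.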
