pam_access.so group restrictions not working with sssd/realmd
Hey folks
I have set up a machine to use Active Directory. Joining with the realm command is fantastic. I can log in, and everything is rosy.
However, I want to restrict access to two specific groups, and started following:
https://access.redhat.com/solutions/70472
However, pam_access.so doesn't seem to be working. Here are my configs:
Relevant snip from system-auth:
account required pam_access.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
Relevant snip from access.conf:
+ : domain.ie\git-admin : ALL
+ : domain.ie\git-users : ALL
+ : root : ALL
- : ALL : ALL
Responses
Brian,
I personally moved away from using access.conf / pam_access.so.
I use (and much prefer) the simple access provider which is configured in the domain section of your sssd.conf file. The benefit is it's integrated into sssd and easily achieves what you have outlined without touching PAM.
e.g.
[domain/example.com]
access_provider = simple
simple_allow_groups = git-admin,git-users
In the man page sssd-ad, under ad_access_filter, it states that if you have access_provider = ad
and the following line (this is for a single domain; there are other choices)
DOM:somedomain.com:(memberOf=cn=someADgroup,ou=RHEL7servers,dc=somedomain,dc=com)
My understanding is that this should limit logins to the AD group listed in the line above. It does not seem to work so I am trying to figure out what else might need to be done.
All,
I am running into the same issue. I would like to use pam_access for system access control, but it doesn't seem to capture users that use SSSD-AD. My access.conf contains only:
+:localuser:ALL
-:ALL:ALL EXCEPT LOCAL
But I have a user logging in successfully via SSSD-AD. I know there are other ways, via SSSD for example, to restrict access, but I'd like to understand why pam_access isn't restricting the account.
After some playing around with access.conf it appears that this issue is related to my rule 'ALL EXCEPT LOCAL'. SSHD must allocate a terminal early on so that pam_access sees this connection as being local. If I change this rule to '-:ALL:ALL' the AD-authenticated user is rejected as expected. Now, however, I need to make exceptions so that local accounts can run cron, etc. I'm thinking the best way to accomplish this is to move the 'account required pam_access...' line UNDER the 'account sufficient pam_localuser...' line.
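To make the two access.conf variants in this thread concrete (the original post's group-based file and the "ALL EXCEPT LOCAL" file in the reply above), here is a small Python model of how pam_access evaluates its rules: first matching rule wins, ALL/LOCAL/EXCEPT handling, and a bare token tried as a user name and then as a group name. This is an added example, not pam_access's own code and not from any poster. The user names, group sets and origins are constructed; LOCAL is modelled with the classic "origin contains no dot" rule, which is an assumption about the pam_access version in use; netgroups (@name) and network/netmask origins are not modelled.

```python
"""Model of pam_access(8) rule evaluation for reasoning about the access.conf
snippets in this thread.  Added example: not pam_access itself and not code
from the original post.  Implements first-match-wins, ALL/LOCAL/EXCEPT and
user-then-group matching; netgroups (@name) and network/netmask origins are
deliberately left out."""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    permit: bool      # '+' grants, '-' denies
    subjects: str     # users/groups field, kept as written
    origins: str      # origins field, kept as written


def parse_access_conf(text: str) -> list[Rule]:
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(parts[0] == "+", parts[1], parts[2]))
    return rules


def _items(field: str) -> list[str]:
    """List items are separated by whitespace or commas."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if t]


def _list_match(field: str, matches) -> bool:
    """A field matches when an item before EXCEPT matches and no item after
    EXCEPT matches."""
    tokens = _items(field)
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        wanted, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        wanted, excluded = tokens, []
    return any(matches(t) for t in wanted) and not any(matches(t) for t in excluded)


def _user_match(tok: str, user: str, groups: set[str]) -> bool:
    """Default pam_access behaviour (no 'nodefgroup'): a bare token is tried
    as a user name first, then as a group name; '(name)' is group-only."""
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups
    if tok.startswith("@"):          # netgroup: not modelled here
        return False
    return tok == user or tok in groups


def _from_match(tok: str, origin: str) -> bool:
    """Origins: ALL, LOCAL, '.domain' suffixes, or an exact tty/host name.
    Assumption: LOCAL uses the classic pam_access rule, i.e. an origin
    string with no '.' (tty names and unqualified host names)."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    if tok.startswith("."):
        return origin.endswith(tok)
    return tok == origin


def check_access(rules: list[Rule], user: str, groups: set[str], origin: str) -> bool:
    """The first rule whose user and origin fields both match decides;
    with no matching rule pam_access grants access."""
    for r in rules:
        if _list_match(r.subjects, lambda t: _user_match(t, user, groups)) and \
           _list_match(r.origins, lambda t: _from_match(t, origin)):
            return r.permit
    return True


# Constructed inputs: the two access.conf variants discussed in the thread.
OP_CONF = r"""
+ : domain.ie\git-admin : ALL
+ : domain.ie\git-users : ALL
+ : root : ALL
- : ALL : ALL
"""

EXCEPT_LOCAL_CONF = """
+:localuser:ALL
-:ALL:ALL EXCEPT LOCAL
"""

if __name__ == "__main__":
    op = parse_access_conf(OP_CONF)
    # The group token is resolved through NSS, so it must be spelled exactly
    # as `id <user>` prints it on this host (constructed membership below).
    print(check_access(op, "alice", {r"domain.ie\git-users"}, "10.0.0.5"))  # True
    print(check_access(op, "bob", {r"domain.ie\staff"}, "10.0.0.5"))        # False
    el = parse_access_conf(EXCEPT_LOCAL_CONF)
    # A dotless origin (tty or unqualified host) counts as LOCAL, so the
    # deny rule does not fire and the AD user gets in.
    print(check_access(el, "aduser", set(), "pts/0"))                # True
    print(check_access(el, "aduser", set(), "ws01.domain.ie"))       # False
```

Run against the posted files, the model shows two things a practitioner would want to check. With the original post's file, access is granted only when the user is a member of a group whose NSS name is literally the token in access.conf, so compare the token with the group names `id <aduser>` prints on the same host. With the EXCEPT LOCAL file, any origin without a dot escapes the deny rule, which is the behaviour described in the reply above; replacing that line with -:ALL:ALL denies the AD user regardless of origin.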
