SSSD : AD user login problem when using 'ldap_user_name= name' and GPO Policy has been applied

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • sssd
  • Active Directory

Issue

  • AD users cannot authenticate over ssh when ldap_user_name = name is set in the [domain/...] section of sssd.conf
  • A GPO policy has been applied to the host, so SSSD performs GPO-based access control for the sshd service

Resolution

The permanent fix is a change in SSSD itself (see Root Cause). Until an SSSD build containing that fix is in use, one of the following workarounds applies:

* Disable GPO-based access control in SSSD (ad_gpo_access_control = disabled in the [domain/...] section of sssd.conf, followed by a restart of sssd), or remove the GPO, if the policy is not required on the Linux hosts.

* Alternatively, set the 'name' attribute of the host's computer object in AD to the host principal including its trailing '$' (that is, to the same value as the object's sAMAccountName, e.g. HOSTNAME$) so that the search with the modified filter still finds the host object. This does not scale when many hosts are affected and is not possible when the 'name' attribute is already used for another purpose.

Root Cause

Before evaluating a policy, SSSD's GPO code looks up the client's own computer object in AD by its sAMAccountName (SALCLT110$ in the trace below). In 'ad_gpo_connect_done()' the search filter is built with 'state->opts->user_map[SDAP_AT_USER_NAME].name', i.e. whatever attribute is configured as ldap_user_name, instead of the hardcoded 'sAMAccountName'. With ldap_user_name = name the filter becomes (name=SALCLT110$); a computer object's 'name' attribute is its RDN without the trailing '$', so no object matches, the target DN cannot be retrieved and the access check is denied ('GPO-based access control failed'). SSSD should use the hardcoded 'sAMAccountName' in this filter so that the host's sAMAccountName is always searched with that attribute name, regardless of the ldap_user_name setting.
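The following is an added illustration of the lookup described above; it is not SSSD source. The computer object, the base DN and the minimal filter evaluator are constructed stand-ins chosen to mirror the trace on this page, and build_host_filter() reproduces only the shape of the filter, not SSSD's actual code.

```python
"""Simulated host-object lookup as performed by SSSD's GPO code.

Added illustration, not SSSD source: the directory entry, the base DN and
the filter evaluator are constructed stand-ins mirroring the trace on this
page.
"""
import re
from typing import Dict, List, Optional

Entry = Dict[str, object]

# Constructed computer object for the client host.  In AD the computer's
# sAMAccountName carries a trailing '$', while its 'name' attribute (the RDN)
# does not, which is exactly what makes the buggy filter miss.
DIRECTORY: List[Entry] = [
    {
        "distinguishedName": "CN=SALCLT110,OU=Linux,DC=example,DC=systest",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "name": "SALCLT110",
        "sAMAccountName": "SALCLT110$",
        "userAccountControl": "4096",
    },
]


def build_host_filter(user_name_attr: str, sam_account_name: str) -> str:
    """Filter in the shape the buggy ad_gpo_connect_done() builds it: the
    attribute name is taken from ldap_user_name, the value is always the
    host's sAMAccountName."""
    return f"(&(objectclass=user)({user_name_attr}={sam_account_name}))"


def _attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup, always returning a list of values."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return list(value) if isinstance(value, list) else [str(value)]
    return []


def search(directory: List[Entry], filter_str: str) -> Optional[Entry]:
    """Tiny evaluator for the AND-of-equalities filters used here.
    It is not a general LDAP filter parser."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(a=v)(b=w)...) filters are supported")
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", filter_str[2:-1])
    for entry in directory:
        if all(any(v.lower() == want.lower() for v in _attr(entry, a))
               for a, want in terms):
            return entry
    return None


def gpo_target_dn(directory: List[Entry], ldap_user_name: str,
                  sam_account_name: str) -> Optional[str]:
    """Return the host DN the GPO code would go on to use, or None when the
    lookup finds nothing (SSSD then logs 'GPO-based access control failed')."""
    hit = search(directory, build_host_filter(ldap_user_name, sam_account_name))
    return None if hit is None else _attr(hit, "distinguishedName")[0]


def apply_name_workaround(directory: List[Entry], sam_account_name: str) -> List[Entry]:
    """Workaround from the Resolution: set the computer object's 'name' to the
    host principal including the '$'.  Returns a modified copy."""
    out = []
    for entry in directory:
        entry = dict(entry)
        if _attr(entry, "sAMAccountName") == [sam_account_name]:
            entry["name"] = sam_account_name
        out.append(entry)
    return out


if __name__ == "__main__":
    host = "SALCLT110$"
    for attr in ("name", "sAMAccountName"):
        print(f"ldap_user_name = {attr:15} filter={build_host_filter(attr, host)}"
              f" -> {gpo_target_dn(DIRECTORY, attr, host)}")
    fixed = apply_name_workaround(DIRECTORY, host)
    print(f"after workaround, ldap_user_name = name -> {gpo_target_dn(fixed, 'name', host)}")
```

Running it shows the three outcomes side by side: the filter built from ldap_user_name = name returns no DN, the same lookup with sAMAccountName returns the host DN, and the 'name' workaround makes the first filter match again. Note that the workaround changes data on the AD side for every affected computer object, which is why it is listed only as a fallback.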

Diagnostic Steps

Excerpt from the SSSD domain log for the failing sshd login. Note the attribute used in the ldap_search_ext filter after 'sam_account_name is SALCLT110$' and the final GPO result:

(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): domain: example.systest.sanpaoloimi.
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): user: rakkumar@example.systest.
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): service: sshd
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): tty: ssh
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): ruser:
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): rhost: 192.168.160.60
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): priv: 1
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): cli_pid: 1194471
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): logon name: not set
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): flags: 0
(2023-04-26 14:48:48): [be[example.systest.]] [dp_attach_req] (0x0400): [RID#20] DP Request [PAM Account #20]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2023-04-26 14:48:48): [be[example.systest.]] [dp_attach_req] (0x0400): [RID#20] Number of active DP request: 1
(2023-04-26 14:48:48): [be[example.systest.]] [sss_domain_get_state] (0x1000): [RID#20] Domain example.systest.sanpaoloimi. is Active
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_access_send] (0x0400): [RID#20] Performing access check for user [rakkumar@example.systest.]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x0400): [RID#20] Performing AD access check for user [rakkumar@example.systest.]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x4000): [RID#20] User account control for user [rakkumar@example.systest.] is [200].
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x4000): [RID#20] Expiration time for user [rakkumar@example.systest.] is [133325568000000000].
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_send] (0x0400): [RID#20] service sshd maps to Remote Interactive
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_id_op_connect_step] (0x4000): [RID#20] reusing cached connection
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_connect_done] (0x4000): [RID#20] server_hostname from uri: example.example.systest.
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_connect_done] (0x0400): [RID#20] sam_account_name is SALCLT110$
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_print_server] (0x2000): [RID#20] Searching 10.248.28.2:389
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x0400): [RID#20] calling ldap_search_ext with [(&(objectclass=user)(name=[dc=example,dc=
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x1000): [RID#20] Requesting attrs: [distinguishedName]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x1000): [RID#20] Requesting attrs: [userAccountControl]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x2000): [RID#20] ldap_search_ext called, msgid = 46
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_op_add] (0x2000): [RID#20] New operation 46 timeout 6
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_process_result] (0x2000): Trace: sh[0x561baf727230], connected[1], ops[0x561baf785260], ldap[0x561baf73c170]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_process_message] (0x4000): [RID#20] Message type: [LDAP_RES_SEARCH_REFERENCE]


(2023-04-26 14:48:48): [be[example.systest.]] [generic_ext_search_handler] (0x4000): [RID#20]     Ref: ldap://DomainDnsZones.example.
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_target_dn_retrieval_
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_id_op_destroy] (0x4000): [RID#20] releasing operation connection
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_done] (0x0040): [RID#20] GPO-based access control failed.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_done] (0x0400): [RID#20] DP Request [PAM Account #20]: Request handler finished [0]: Success
(2023-04-26 14:48:48): [be[example.systest.]] [_dp_req_recv] (0x0400): [RID#20] DP Request [PAM Account #20]: Receiving request data.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_destructor] (0x0400): [RID#20] DP Request [PAM Account #20]: Request removed.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_destructor] (0x0400): [RID#20] Number of active DP request: 0
(2023-04-26 14:48:48): [be[example.systest.]] [dp_method_enabled] (0x0400): [RID#20] Target selinux is not configured

Note: with ldap_user_name = sAMAccountName the same test passes and GPO-based access control does not deny the login.
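To spot this signature in a larger sssd_<domain>.log without reading every line, the following added helper (not an SSSD or Red Hat tool) groups the GPO host lookup by request ID and flags a filter whose attribute is not sAMAccountName but whose value is the host's sAMAccountName. The sample log lines are constructed to mirror the trace above; the base DN and the complete filter, which the page shows truncated, are made up.

```python
"""Triage helper for sssd_<domain>.log: extract the GPO host lookup from a
trace and flag the ldap_user_name mismatch described on this page.

Added illustration, not an SSSD tool.  The sample log lines are constructed
to mirror the page's trace; base DN and full filter are made up.
"""
import re
from typing import Dict, List

# Constructed: failing request, ldap_user_name = name.
SAMPLE_LOG = """\
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_send] (0x0400): [RID#20] service sshd maps to Remote Interactive
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_connect_done] (0x0400): [RID#20] sam_account_name is SALCLT110$
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x0400): [RID#20] calling ldap_search_ext with [(&(objectclass=user)(name=SALCLT110$))][dc=example,dc=systest]
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_done] (0x0040): [RID#20] GPO-based access control failed.
"""

# Constructed: same request after switching ldap_user_name back to sAMAccountName.
SAMPLE_LOG_OK = """\
(2023-04-26 15:02:10): [be[example.systest.]] [ad_gpo_connect_done] (0x0400): [RID#21] sam_account_name is SALCLT110$
(2023-04-26 15:02:10): [be[example.systest.]] [sdap_get_generic_ext_step] (0x0400): [RID#21] calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=SALCLT110$))][dc=example,dc=systest]
"""

RID_RE = re.compile(r"\[RID#(\d+)\]")
SAM_RE = re.compile(r"sam_account_name is (\S+)")
# Only the host lookup has this exact shape: objectclass first, then one equality.
FILTER_RE = re.compile(
    r"calling ldap_search_ext with \[\(&\(objectclass=user\)\(([^()=]+)=([^()]*)\)\)\]")
FAILED_RE = re.compile(r"GPO-based access control failed")


def analyse_gpo_lookups(log_text: str) -> Dict[str, dict]:
    """Group the relevant lines by RID and decide per request whether the
    host lookup used an attribute other than sAMAccountName."""
    requests: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rid_m = RID_RE.search(line)
        if not rid_m:
            continue
        req = requests.setdefault(rid_m.group(1), {
            "sam_account_name": None, "filter_attr": None,
            "filter_value": None, "gpo_failed": False})
        sam_m = SAM_RE.search(line)
        flt_m = FILTER_RE.search(line)
        if sam_m:
            req["sam_account_name"] = sam_m.group(1)
        elif flt_m:
            req["filter_attr"], req["filter_value"] = flt_m.group(1), flt_m.group(2)
        elif FAILED_RE.search(line):
            req["gpo_failed"] = True
    for req in requests.values():
        # Tie the filter to the host lookup by value, so user searches that
        # happen to use (objectclass=user) are not reported.
        req["mismatch"] = (
            req["filter_attr"] is not None
            and req["filter_attr"].lower() != "samaccountname"
            and req["filter_value"] == req["sam_account_name"])
    return requests


def report(log_text: str) -> List[str]:
    """Human-readable findings, one line per request that shows the mismatch."""
    findings = []
    for rid, req in sorted(analyse_gpo_lookups(log_text).items(), key=lambda kv: int(kv[0])):
        if req["mismatch"]:
            findings.append(
                f"RID#{rid}: host {req['sam_account_name']} searched with "
                f"({req['filter_attr']}=...) instead of (sAMAccountName=...); "
                f"GPO failed={req['gpo_failed']}; check ldap_user_name in sssd.conf")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["no ldap_user_name mismatch found"]:
        print(line)
```

On a real system, feed it the domain log collected with debug_level raised high enough to include the 0x0400 and 0x4000 messages shown above; a hit means the login was denied by the host lookup, not by the policy contents, and the fix is in the ldap_user_name setting or in SSSD rather than in the GPO.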

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
