I'm testing SSSD on Red Hat 7.2 integrated with Windows Server 2016 (AD). I want to log in through SSH with AD users in a specific group (allow_ssh_admin). I've configured some files and I can see the machine in the AD, but I can't get in over an SSH connection.
Configuration
sssd.conf
[sssd]
domains = ad.domain.com
config_file_version = 2
services = nss, pam
[domain/ad.domain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
# Set to False to use the POSIX UIDs and GIDs stored on the AD side; True (the default) derives IDs from the objectSID
ldap_id_mapping = True
smb.conf
[global]
workgroup = AD
security = ADS
# WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
# password server = MACHINENAME.AD.DOMAIN.COM
realm = AD.DOMAIN.COM
log file = /var/log/samba/%m.log
max log size = 50
template shell = /bin/bash
# 'winbind separator = +' might cause problems with group membership.
# winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
template homedir = /home/%D/%U
# schema_mode is an option of the 'ad' idmap backend; with 'backend = rid' below it is ignored
idmap config AD : schema_mode = rfc2307
idmap config AD : range = 10000000-29999999
idmap config AD : default = yes
idmap config AD : backend = rid
idmap config * : range = 20000-29999
idmap config * : backend = tdb
nsswitch.conf
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
Also I've created a group into AD (allow_ssh_admin) and I've assigned a user to this group. I've modified ssh conf in order to allow access to this group:
sshd_config
[...]
AllowGroups root DOMAIN\allow_ssh_admin
When I try to log in through ssh…
login as: DOMAIN\User
DOMAIN\User@ip password:
I've got this error on secure log:
Mar 27 05:21:13 machine sshd[20175]: User User from IP not allowed because none of user's groups are listed in AllowGroups
Mar 27 05:21:13 machine sshd[20175]: input_userauth_request: invalid user DOMAIN\\User [preauth]
Mar 27 05:21:23 machine sshd[20175]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=IP user=DOMAIN\User
Mar 27 05:21:23 machine sshd[20175]: pam_sss(sshd:auth): received for user DOMAIN\User: 10 (User not known to the underlying authentication module)
Mar 27 05:21:23 machine sshd[20175]: Failed password for invalid user DOMAIN\\User from IP port 53406 ssh2
One more thing: I can see the machine joined in the AD, and as root I can run wbinfo --domain-users and wbinfo --domain-groups and get the users and groups back, so… it's strange.
Can anybody help me?
Thanks a lot
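The first secure-log line above ("none of user's groups are listed in AllowGroups") is worth checking on its own, independently of the DNS problem described in the accepted answer below. sshd emits it from its allowed_user() check after the account lookup itself has succeeded, and then reports the rejected account as "invalid user"; it compares each AllowGroups token (a literal name, or a glob with `*` and `?`) against the group names the NSS backend returns for the account, so a token has to be spelled the way that backend spells AD groups. sssd with `use_fully_qualified_names = True` returns `allow_ssh_admin@ad.domain.com`; winbind returns `AD\allow_ssh_admin` with its default separator, or plain `allow_ssh_admin` when `winbind use default domain = Yes`. The script below is an added example, not code from the question or answer; the domain, group and login names in it are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): check whether sshd's AllowGroups
# would admit an account, given the group names the NSS backend returns for it.
# sshd walks the account's groups (getgrouplist/getgrgid) and matches each
# AllowGroups token against the group *names*; tokens allow '*' and '?' globs,
# everything else (including '\') is literal.
#   sssd, use_fully_qualified_names = True  ->  allow_ssh_admin@ad.domain.com
#   winbind, default separator '\'          ->  AD\allow_ssh_admin
#   winbind, 'winbind use default domain'   ->  allow_ssh_admin
# Domain, group and login names below are assumptions.

# allow_groups_match '<AllowGroups value>' <group name>...
# Exit 0 if any group name matches any token, 1 otherwise.
allow_groups_match() {
    allow=$1; shift
    matched=1
    set -f                                  # keep a '*' token from globbing the cwd
    for pattern in $allow; do               # tokens are whitespace-separated
        # sshd treats '\' literally; the shell reads it as an escape, so double it
        pattern=$(printf '%s' "$pattern" | sed 's/\\/\\\\/g')
        for group in "$@"; do
            case $group in                  # unquoted pattern: '*' and '?' act as globs, as in sshd
                $pattern) matched=0 ;;
            esac
        done
    done
    set +f
    return $matched
}

# report '<label>' '<AllowGroups value>' <group name>...
report() {
    label=$1; shift
    if allow_groups_match "$@"; then
        printf '%s: allowed\n' "$label"
    else
        printf "%s: DENIED (none of user's groups are listed in AllowGroups)\n" "$label"
    fi
}

# check_ssh_access <login name> '<AllowGroups value>'
# Live check on the box, using the same NSS lookups sshd does.
check_ssh_access() {
    login=$1; allow=$2
    if ! id "$login" >/dev/null 2>&1; then
        printf "lookup of '%s' failed; sshd never reaches the group check for it\n" "$login" >&2
        return 2
    fi
    # Collect group *names* by GID: AD names may contain spaces ("Domain Users"),
    # which 'id -Gn' would split.
    set --
    for gid in $(id -G "$login"); do
        set -- "$@" "$(getent group "$gid" | cut -d: -f1)"
    done
    report "$login" "$allow" "$@"
}

# Offline demonstration with constructed group lists (what 'id' would show for a
# member of allow_ssh_admin under each naming scheme); not real AD output.
report 'sssd names,    token DOMAIN\allow_ssh_admin' \
    'root DOMAIN\allow_ssh_admin' 'domain users@ad.domain.com' 'allow_ssh_admin@ad.domain.com'
report 'sssd names,    token allow_ssh_admin@ad.domain.com' \
    'root allow_ssh_admin@ad.domain.com' 'domain users@ad.domain.com' 'allow_ssh_admin@ad.domain.com'
report 'sssd names,    token allow_ssh_*@ad.domain.com' \
    'root allow_ssh_*@ad.domain.com' 'domain users@ad.domain.com' 'allow_ssh_admin@ad.domain.com'
report 'winbind names, token AD\allow_ssh_admin' \
    'root AD\allow_ssh_admin' 'AD\domain users' 'AD\allow_ssh_admin'
# Live use, assumed login form for sssd with fully qualified names:
#   check_ssh_access 'User@ad.domain.com' 'root allow_ssh_admin@ad.domain.com'
```

Run check_ssh_access with the login in the form your backend expects; the log above shows sshd using the account name the backend returned (`User`, without a domain prefix), and the names to compare against are the ones `id` prints for that account. With both `sss` and `winbind` in nsswitch.conf, whichever backend answers first decides the spelling, so test `getent group 'allow_ssh_admin@ad.domain.com'` and `getent group 'AD\allow_ssh_admin'` and put the form that resolves into AllowGroups.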
Best Answer
The problem was that the Windows Server 2016 has three interfaces with three different IPs (10.x.x.x, 125.x.x.x, 192.x.x.x).
It did not have any DNS policy, so when I try to connect to the server it replies from a different interface every time I launch a ping.
The host cannot reach the server two out of three times.
Deleting the DNS entries related to the other networks (125.x.x.x and 192.x.x.x) works, because I wanted a response from 10.x.x.x.
Thanks
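The failure mode in this answer is visible from the client before touching the DC: a multi-homed domain controller registers one A record per NIC, round-robin DNS hands out the three addresses in turn, and only the one on a routable network answers on the Kerberos/LDAP/SMB ports. The script below is an added example, not part of the answer; it resolves the DC the way sssd and winbind do (through NSS), flags records outside the subnet the client is supposed to use, and probes every address. The DC name, addresses and expected prefix are assumptions, and the probe assumes nmap-ncat's `nc -z`.

```shell
#!/bin/sh
# Added example (not part of the original answer): how a multi-homed DC looks
# from the client, and which of its DNS records the client can actually use.
# Names, addresses and the expected subnet prefix are assumptions.

# unique_addrs: reduce 'getent ahostsv4' output (one line per socket type)
# on stdin to the distinct addresses, one per line.
unique_addrs() { awk '{ print $1 }' | sort -u; }

# addrs_outside_prefix <prefix> <addr>...: print the addresses that do not
# start with <prefix>, i.e. records pointing at networks this client should
# not be using to reach the DC.
addrs_outside_prefix() {
    prefix=$1; shift
    for a in "$@"; do
        case $a in
            "$prefix"*) ;;
            *) echo "$a" ;;
        esac
    done
}

# probe <addr> <port>: TCP connect test. Assumes nmap-ncat ('nc -z -w'), the
# nc shipped with RHEL 7; adjust if your nc differs.
probe() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# dc_report <dc fqdn> <expected prefix>: resolve the DC, flag stray records,
# probe each address on the ports AD integration depends on.
dc_report() {
    dc=$1; prefix=$2
    addrs=$(getent ahostsv4 "$dc" | unique_addrs)
    [ -n "$addrs" ] || { echo "$dc does not resolve" >&2; return 2; }
    echo "$dc resolves to:"; echo "$addrs" | sed 's/^/  /'
    stray=$(addrs_outside_prefix "$prefix" $addrs)
    [ -z "$stray" ] || printf 'records outside %s (remove them from DNS, or pin the DC with ad_server in sssd.conf):\n%s\n' "$prefix" "$stray"
    for a in $addrs; do
        for port in 53 88 389 445 636; do   # DNS, Kerberos, LDAP, SMB, LDAPS
            if probe "$a" "$port"; then r=open; else r=CLOSED/unreachable; fi
            echo "  $a:$port $r"
        done
    done
}

# Offline demonstration on constructed 'getent ahostsv4' output (not real data):
# a DC with three NICs registered in DNS, only the 10.x one reachable from here.
FAKE_GETENT='10.0.0.5        STREAM dc1.ad.domain.com
10.0.0.5        DGRAM
10.0.0.5        RAW
125.0.0.5       STREAM dc1.ad.domain.com
125.0.0.5       DGRAM
192.168.0.5     STREAM dc1.ad.domain.com
192.168.0.5     DGRAM'
addrs=$(printf '%s\n' "$FAKE_GETENT" | unique_addrs)
echo "constructed DC records: $(echo $addrs)"
echo "records outside 10.:    $(echo $(addrs_outside_prefix 10. $addrs))"
# Live use against the real DC:
#   dc_report dc1.ad.domain.com 10.
```

Two of three resolutions landing on a dead address matches the "two out of three" pings in the answer. Removing the extra A records, as the answer did, is the clean fix; if you cannot change the DC's DNS registration, `ad_server = dc1.ad.domain.com` in the `[domain/...]` section of sssd.conf at least stops sssd from following the round robin, though it does not help winbind or Kerberos clients that still resolve the name.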