[SSSD-users] Re: sssd net rpc rights SeDiskOperatorPrivilege

2016-01-20 Thread Jakub Hrozek
On Tue, Jan 19, 2016 at 11:07:57PM -, Henry McLaughlin wrote:
> I have just read that my version of sssd 1.11.5 has problems with mapping:
> 
> https://lists.samba.org/archive/samba/2015-January/188338.html

Yes, that version is quite old, can you try something newer?
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: sssd net rpc rights SeDiskOperatorPrivilege

2016-01-20 Thread Henry McLaughlin
My distro Ubuntu 14.04 LTS only comes with 1.11.5

The next LTS is due April


[SSSD-users] Re: User_attribute option

2016-01-20 Thread Longina Przybyszewska


> -----Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: 19 January 2016 21:56
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: User_attribute option
> 
> On Tue, Jan 19, 2016 at 11:28:05AM +, Longina Przybyszewska wrote:
> > Hi,
> > I would like to retrieve an additional attribute from the user object in AD,
> > 'homeDirectory', which contains a string pointing to a Windows share path on
> > a Samba server.
> > The option 'user_attribute' allows that setup in the [nss] section together
> > with the 'ifp' service.
> > [sssd]
> > services = ..,nss,ifp
> > [nss]
> > user_attribute = +homeDirectory
> >
> > I can't figure out how this extra attribute is mapped by SSSD; I would
> > like to map it to an environment variable per user at login, or in any
> > other usable way.
> > Any hints?
> > Thanks in advance.
> 
> Would it help in your setup to fetch the extra attribute via dbus-send?

I rushed to read SSSD's design doc (IPC, DBusUsersAndGroups) but still have no
clear idea how to implement it; the object containing the extra attributes is
/org/freedesktop/sssd/infopipe/Users/$DOMAIN/$UID, right?
Maybe a PAM module is the most obvious way to retrieve an additional attribute
on login.

Best,
Longina 



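
Jakub's dbus-send suggestion carried through to the "environment variable at login" goal Longina describes, as an added example that is not from the thread or the SSSD project. It calls the InfoPipe method org.freedesktop.sssd.infopipe.GetUserAttr(user, [attr]) on /org/freedesktop/sssd/infopipe through dbus-send, parses the textual reply, and emits a shell `export` line, so it can run from a pam_exec hook or a profile.d script. Assumptions made here: the ifp responder is configured to expose homeDirectory; the variable name WINHOME is an arbitrary choice; the login user is taken from PAM_USER (set by pam_exec) or USER; and the sample reply is constructed to match dbus-send's a{sv} layout, not captured from a live system.

```python
"""Fetch an extra AD attribute from SSSD's InfoPipe via dbus-send and turn it
into an environment variable for the user who is logging in.

Added example (not SSSD project code). Assumptions are marked in comments.
"""
import os
import re
import shlex
import subprocess

IFP_DEST = "org.freedesktop.sssd.infopipe"
IFP_PATH = "/org/freedesktop/sssd/infopipe"
IFP_METHOD = "org.freedesktop.sssd.infopipe.GetUserAttr"  # (s user, as attrs) -> a{sv}

# dbus-send prints each a{sv} entry as a "dict entry(" ... ")" block. The first
# string token in the block is the key; the remaining string tokens are the
# values of the variant, which GetUserAttr fills with an array of strings.
_DICT_ENTRY = re.compile(r"dict entry\((.*?)\n\s*\)", re.S)
_STRING_TOK = re.compile(r'string "([^"]*)"')


def dbus_send_args(user, attrs):
    """argv for: dbus-send --system --print-reply ... GetUserAttr user attrs"""
    return [
        "dbus-send", "--system", "--print-reply", "--dest=" + IFP_DEST,
        IFP_PATH, IFP_METHOD,
        "string:" + user,
        "array:string:" + ",".join(attrs),
    ]


def parse_getuserattr_reply(text):
    """Turn dbus-send's textual a{sv} reply into {attribute: [values]}."""
    result = {}
    for block in _DICT_ENTRY.findall(text):
        tokens = _STRING_TOK.findall(block)
        if tokens:
            result[tokens[0]] = tokens[1:]
    return result


def env_line(var, values):
    """Render an `export VAR='value'` line; single quotes keep UNC backslashes intact."""
    if not values:
        return ""
    return "export %s=%s" % (var, shlex.quote(values[0]))


def fetch_attr(user, attr, runner=subprocess.check_output):
    """Query one attribute for `user`; `runner` is injectable so it can be tested offline."""
    reply = runner(dbus_send_args(user, [attr]), universal_newlines=True)
    return parse_getuserattr_reply(reply).get(attr, [])


# Constructed sample reply (assumption: modelled on dbus-send's a{sv} layout).
SAMPLE_REPLY = """method return time=1453280000.000000 sender=:1.12 -> destination=:1.40 serial=5 reply_serial=2
   array [
      dict entry(
         string "homeDirectory"
         variant             array [
               string "\\\\fileserver\\home\\longina"
            ]
      )
   ]
"""

if __name__ == "__main__":
    # pam_exec exports PAM_USER; a profile.d script sees USER instead.
    login_user = os.environ.get("PAM_USER") or os.environ.get("USER", "")
    print(env_line("WINHOME", fetch_attr(login_user, "homeDirectory")))
```

The script only emits text; whichever hook runs it has to `eval` that line (or write it to a file the session sources). Run as root from pam_exec it needs the calling uid to be permitted by the ifp responder's `allowed_uids`, so check that on the box before blaming the parser.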


[SSSD-users] Re: sssd net rpc rights SeDiskOperatorPrivilege

2016-01-20 Thread Longina Przybyszewska
The next LTS, Xenial, already has sssd 1.13.3

Longina

> -----Original Message-----
> From: Henry McLaughlin [mailto:mche...@fedoraproject.org]
> Sent: 20 January 2016 10:51
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: sssd net rpc rights SeDiskOperatorPrivilege
> 
> My distro Ubuntu 14.04 LTS only comes with 1.11.5
> 
> The next LTS is due April


[SSSD-users] Only members of one AD group should have access to Linux login

2016-01-20 Thread hsc
Hi

I have several users in my AD. All of them can now log in with ssh to the Linux 
server, which is not intended.

In the AD I have the group MyTestGrp. I want only users in that group to have 
access to this server.

Testing on the Linux server provides the information necessary ("admjoin" 
should not have access):

avgjoe@host007:~$ getent passwd admjoin
admjoin:*:1905540256:1905400513:AdmJoin:/home/corp.acme.com/admjoin:/bin/bash
avgjoe@host007:~$ getent group MyTestGrp
MyTestGrp:*:1905738908:avgjoe,bob

Where should I add MyTestGrp in the configuration files?

I have looked around in /etc/sssd/ and /etc/pam.d/ without success.

It is working now with sudo for the group members, so I guess it should be 
possible.

best regards


[SSSD-users] Re: Only members of one AD group should have access to Linux login

2016-01-20 Thread Jakub Hrozek
On Wed, Jan 20, 2016 at 12:16:50PM -, h...@miracle.dk wrote:
> Hi
> 
> I have several users in my AD. All of them can now log in with ssh to the 
> Linux server, which is not intended.
> 
> In the AD I have the group MyTestGrp. I want only users in that group to have 
> access to this server.
> 
> Testing on the Linux server provides the information necessary ("admjoin" 
> should not have access):
> 
> avgjoe@host007:~$ getent passwd admjoin
> admjoin:*:1905540256:1905400513:AdmJoin:/home/corp.acme.com/admjoin:/bin/bash
> avgjoe@host007:~$ getent group MyTestGrp
> MyTestGrp:*:1905738908:avgjoe,bob
> 
> Where should I add MyTestGrp in the configuration files?
> 
> I have looked around in /etc/sssd/ and /etc/pam.d/ without success.
> 
> It is working now with sudo for the group members, so I guess it should be 
> possible.

access_provider=simple
simple_allow_groups=MyTestGrp
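
The two options Jakub gives belong in the [domain/...] section of sssd.conf, which is why looking in /etc/pam.d/ found nothing. Below is an added example (not SSSD code, not from the thread) that dry-runs the `simple` access provider's rules, as documented in sssd-simple(5), against getent-style data: a matching deny rule beats any allow rule; once any allow list is configured a user must appear in one of them; with only deny lists configured everyone else is let in. The sssd.conf fragment and the passwd/group lines are constructed (the admjoin and MyTestGrp lines are the ones from the question, the rest are invented), and counting the user's primary GID group as a membership is an assumption made here that should be confirmed on the host.

```python
"""Dry-run SSSD's `simple` access provider against getent-style data.

Added example, not SSSD code. Models the evaluation order from sssd-simple(5).
"""
import configparser

# Constructed sssd.conf: the access options live in the [domain/...] section,
# not in [nss], [pam] or anything under /etc/pam.d/.
SSSD_CONF = """
[sssd]
domains = corp.acme.com
services = nss, pam

[domain/corp.acme.com]
id_provider = ad
access_provider = simple
simple_allow_groups = MyTestGrp
"""

# Constructed getent output (admjoin and MyTestGrp lines come from the question).
GETENT_PASSWD = """\
avgjoe:*:1905540200:1905400513:Average Joe:/home/corp.acme.com/avgjoe:/bin/bash
bob:*:1905540201:1905400513:Bob:/home/corp.acme.com/bob:/bin/bash
admjoin:*:1905540256:1905400513:AdmJoin:/home/corp.acme.com/admjoin:/bin/bash
"""
GETENT_GROUP = """\
Domain Users:*:1905400513:
MyTestGrp:*:1905738908:avgjoe,bob
"""

RULE_KEYS = ("allow_users", "allow_groups", "deny_users", "deny_groups")


def parse_list(value):
    """Split a comma-separated sssd.conf list, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_simple_rules(conf_text, domain):
    """Read the simple_* lists for one domain; refuse if the provider is not `simple`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["domain/" + domain]
    if section.get("access_provider", "permit") != "simple":
        raise ValueError("domain %s does not use access_provider = simple" % domain)
    return {key: parse_list(section.get("simple_" + key, "")) for key in RULE_KEYS}


def groups_of(user, passwd_text, group_text):
    """Groups the user is in: explicit members plus (assumption) the primary GID's group."""
    primary_gid = None
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            primary_gid = fields[3]
    groups = set()
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _, gid, members = line.split(":", 3)
        if user in parse_list(members) or gid == primary_gid:
            groups.add(name)
    return groups


def simple_access(user, rules, user_groups):
    """Return (allowed, reason) following the sssd-simple(5) evaluation order."""
    if user in rules["deny_users"]:
        return False, "denied by simple_deny_users"
    denied = user_groups & set(rules["deny_groups"])
    if denied:
        return False, "denied by simple_deny_groups: " + ", ".join(sorted(denied))
    if not rules["allow_users"] and not rules["allow_groups"]:
        # No allow list at all: only the deny lists filter, everyone else gets in.
        return True, "no allow list configured; everyone not denied is allowed"
    if user in rules["allow_users"]:
        return True, "allowed by simple_allow_users"
    allowed = user_groups & set(rules["allow_groups"])
    if allowed:
        return True, "allowed by simple_allow_groups: " + ", ".join(sorted(allowed))
    return False, "not in any allow list"


def evaluate_all(conf_text, domain, passwd_text, group_text):
    """Map every passwd user to its (allowed, reason) under the domain's rules."""
    rules = load_simple_rules(conf_text, domain)
    users = [line.split(":")[0] for line in passwd_text.splitlines() if line.strip()]
    return {u: simple_access(u, rules, groups_of(u, passwd_text, group_text)) for u in users}


if __name__ == "__main__":
    verdicts = evaluate_all(SSSD_CONF, "corp.acme.com", GETENT_PASSWD, GETENT_GROUP)
    for user, (ok, why) in verdicts.items():
        print("%-8s %s  (%s)" % (user, "ALLOW" if ok else "DENY ", why))
```

Two things the dry-run makes visible: an `access_provider = simple` line with an empty or misspelled `simple_allow_groups` lets every AD user through, and a group that every user has as primary group (Domain Users here) must never end up in the allow list. Spell the group exactly as `getent group` returns it on that host, then restart sssd and test with a user outside the group before considering the change done.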


[SSSD-users] Re: sssd net rpc rights SeDiskOperatorPrivilege

2016-01-20 Thread Lukas Slebodnik
On (20/01/16 09:50), Henry McLaughlin wrote:
>My distro Ubuntu 14.04 LTS only comes with 1.11.5
>
>The next LTS is due April
Or you can use the repo from Launchpad on trusty:
https://launchpad.net/~sssd/+archive/ubuntu/updates

LS


[SSSD-users] Re: Only members of one AD group should have access to Linux login

2016-01-20 Thread Stephen Gallagher
On 01/20/2016 08:02 AM, Jakub Hrozek wrote:
> On Wed, Jan 20, 2016 at 12:16:50PM -, h...@miracle.dk wrote:
>> Hi
>> 
>> I have several users in my AD. All of them can now log in with ssh
>> to the Linux server, which is not intended.
>> 
>> In the AD I have the group MyTestGrp. I want only users in that
>> group to have access to this server.
>> 
>> Testing on the Linux server provides the information necessary
>> ("admjoin" should not have access):
>> 
>> avgjoe@host007:~$ getent passwd admjoin
>> admjoin:*:1905540256:1905400513:AdmJoin:/home/corp.acme.com/admjoin:/bin/bash
>> avgjoe@host007:~$ getent group MyTestGrp
>> MyTestGrp:*:1905738908:avgjoe,bob
>> 
>> Where should I add MyTestGrp in the configuration files?
>> 
>> I have looked around in /etc/sssd/ and /etc/pam.d/ without
>> success.
>> 
>> It is working now with sudo for the group members, so I guess it
>> should be possible.
> 
> access_provider=simple
> simple_allow_groups=MyTestGrp

Alternately, if you want to manage things in AD itself, you can use:
access_provider=ad
ad_gpo_access_control=enforcing

Then you can set up GPO-based access control by setting "Allow
Interactive Remote Logon" (for ssh) and "Allow Interactive Logon" (for
console/graphical login) in a GPO applied to the machine(s).
