Я использую sssd для аутентификации пользователя AD по протоколу ldap. Конфигурация работает, но не может разрешить только людей из одной группы.
Отчет об отладке SSD:
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_access_obtain_filter_lists] (0x0200): Allow users list is empty.
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_access_obtain_filter_lists] (0x0200): Deny users list is empty.
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_access_obtain_filter_lists] (0x0200): Deny groups list is empty.
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_access_check_send] (0x0200): Simple access check for testuser
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_check_get_groups_send] (0x1000): Looking up groups for user testuser
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_check_get_groups_send] (0x0400): User testuser is a member of 38 supplemental groups
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_check_process_group] (0x0020): There is no domain information for SID S-1-5-21-1644491937-1417001333-839522115-1553
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [simple_access_check_recv] (0x1000): Access not granted
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Mon Apr 6 10:28:28 2020) [sssd[be[domain.fr]]] [be_pam_handler_callback] (0x0100): Sending result [6][ldap.domain.fr]
Вот мой файл sssd.conf:
[domain/domain.fr]
ad_domain = domain.fr
ldap_uri = ldap://ldap.domain.fr
id_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_reqcert = never
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_force_upper_case_realm = true
ldap_search_base = DC=domain,DC=fr
ldap_group_search_base = DC=domain,DC=fr
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_object_class = User
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_default_bind_dn = CN=USER_,DC=domain,DC=fr
ldap_default_authtok = password
cache_credentials = true
access_provider = simple
simple_allow_groups = group1, group2
auth_provider = ldap
use_fully_qualified_names = false
dns_discovery_domain = domain.fr
default_shell = /bin/bash
override_shell = /bin/bash
fallback_homedir = /home/%d/%u
enumerate = false
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectSid
ldap_user_primary_group = primaryGroupID
case_sensitive = False
ldap_id_mapping = true
Мой пользователь в группе 1, но sssd, похоже, игнорирует это. Я не понимаю, почему simple_allow_groups здесь не работает.
Я использую sssd версии 1.11.7-3 + deb8u2 на debian 8