|
Hi, I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh. What does not work, yet, is to exclude all other users. The Config is: getent netgroup sysadmin sysadmin ( ,eve,) cat /etc/security/access.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL Cat /etc/pam.d/system-auth … account required pam_access.so accessfile=/etc/security/access.netgroup.conf cat =/etc/security/access.netgroup.conf +:root:LOCAL +:root:ALL +:@sysadmin:ALL -:ALL:ALL EXCEPT LOCAL The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin: (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com]. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data. (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success. The client does not even look for netgroups, but lets everyone pass. What did I miss? Any help is appreciated. Kind regards, Tibor |
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
