> On 25 Jan 2022, at 18:15, Dudas Tibor ABRAXAS <Tibor.Dudas@xxxxxxxxxx> wrote: > > Thanks, you are right: It works with the memberof-Plugin and ldap access filter. > > Is there a way to make it work with netgroups? We have it set up like that in our OpenLDAP and would have to migrate everything, otherwise. > > According to the documentation it should work: > https://directory.fedoraproject.org/docs/389ds/howto/howto-netgroups.html I've honestly not touched netgroups in a long long time. I think SSSD might have a way to emulate them? But honestly you may want to consider this as a good time to start to migrate away from them ... But on the ldap side, there is no reason that the data in ldap will be any different between openldap and 389, it's just ldap. > > > Thanks for your answer, > Tibor > > > -----Ursprüngliche Nachricht----- > Von: William Brown <william.brown@xxxxxxxx> > Gesendet: Dienstag, 25. Januar 2022 00:24 > An: 389-users@xxxxxxxxxxxxxxxxxxxxxxx > Betreff: [389-users] Re: ssh does not see my access.conf > > > >> On 25 Jan 2022, at 02:36, Dudas Tibor ABRAXAS <Tibor.Dudas@xxxxxxxxxx> wrote: >> >> Hi, >> >> I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh. >> >> What does not work, yet, is to exclude all other users. >> >> The Config is: >> getent netgroup sysadmin >> sysadmin ( ,eve,) >> >> cat /etc/security/access.conf >> +:root:LOCAL >> +:root:ALL >> +:@sysadmin:ALL >> -:ALL:ALL EXCEPT LOCAL >> >> Cat /etc/pam.d/system-auth >> … >> account required pam_access.so >> accessfile=/etc/security/access.netgroup.conf >> >> cat =/etc/security/access.netgroup.conf >> +:root:LOCAL >> +:root:ALL >> +:@sysadmin:ALL >> -:ALL:ALL EXCEPT LOCAL >> >> The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin: >> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] >> [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com]. >> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. >> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] >> [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24 >> 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: >> 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data. >> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success. >> >> The client does not even look for netgroups, but lets everyone pass. What did I miss? > > You probably don't want pam_access here, since netgroups are not an LDAP thing. > > You can have the same effect with ldap access filter in sssd.conf, and then using pam_sss in the account line of pam. > >> >> Any help is appreciated. >> >> Kind regards, Tibor >> >> >> _______________________________________________ >> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To >> unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorapr >> oject.org Do not reply to spam on the list, report it: >> https://pagure.io/fedora-infrastructure > > -- > Sincerely, > > William Brown > > Senior Software Engineer, Identity and Access Management SUSE Labs, Australia > > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure