wurzeladministrator
Cadet
Joined: Jan 17, 2017
Messages: 9
Hi,
after upgrading to FreeNAS 11 we also decided to move away from locally managed users towards an existing LDAP database within our organization. This works great for all the users who are in that directory. However, there are still a couple of local system accounts (e.g. for synchronization and backup purposes) which I would like to keep in the FreeNAS database and store via the local passwd file rather than have them in the organization-wide LDAP directory.
I understand that Samba cannot authenticate those local accounts anymore because it only looks at LDAP. Is that correct?
getent passwd works fine and shows both local and LDAP users.
For SSH access, both local and LDAP users can connect; however, in /var/log/auth.log, sshd always first reports "Access denied" and then accepts the connection anyway when a local user connects:
/var/log/auth.log
Code:
Sep 12 10:20:37 mynas sshd[502]: Access denied for user <localinfreenas>: 13 (unknown user)
Sep 12 10:20:37 mynas sshd[502]: Accepted publickey for <localinfreenas> from <ip> port 41420 ssh2: RSA <keyid>
How do I get rid of the "Access denied" messages for the local users?
Users in the LDAP directory do not generate the Access denied message.
I am sure there is just a minor entry missing in sssd.conf, nsswitch.conf or in the PAM configuration, but I am not very familiar with those files and the way FreeNAS sets them up. Maybe a minor bug fix for FreeNAS is in order for that?
Here are the relevant config files (I presume) currently set up by FreeNAS:
Code:
[root@mynas ~]# cat /usr/local/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
description = LDAP
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://<...>
ldap_search_base = <...>
ldap_user_search_base = <...>
ldap_group_search_base = <...>
tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/ldap.crt
ldap_id_use_start_tls = true
ldap_default_bind_dn = uid=admin,<...>
ldap_default_authtok_type = password
ldap_default_authtok = <password>
override_homedir = /<zfsvol>/%u

[root@mynas ~]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files sss
hosts: files mdns dns
networks: files
passwd: files sss
shells: files
services: files
protocols: files
rpc: files
sudoers: files

[root@mynas ~]# cat /etc/pam.d/sshd
#
# $FreeBSD: head/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_sss.so
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		sufficient	/usr/local/lib/pam_sss.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so
session		required	/usr/local/lib/pam_mkhomedir.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_sss.so	use_authtok
password	required	pam_unix.so		no_warn try_first_pass
[root@mynas ~]#
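As an added illustration (editor's example, not code from the post, from FreeNAS or from sssd), the following Python simulates how OpenPAM, the PAM implementation FreeBSD and FreeNAS use, walks the `account` chain of the /etc/pam.d/sshd stack quoted above. After a public-key login sshd does not run the `auth` chain but does run the account check, so that is the phase modelled. Because pam_sss is listed as `sufficient`, a "user unknown" answer for an account that exists only in the local passwd file is simply skipped and the `required` pam_unix behind it decides; the per-module failure is still visible (and loggable) before the stack moves on, which is the "denied, then accepted" pair in the auth.log excerpt. Return code 13 is PAM_USER_UNKNOWN in OpenPAM's numbering, matching the "13 (unknown user)" in the log. The per-module answers (`LDAP_USER`, `LOCAL_USER`, `NOBODY`) are assumptions standing in for what the real modules would return.

```python
# Added example (not from the post): simulate OpenPAM's chain evaluation for
# the "account" facility of the sshd PAM stack shown in the post.  Module
# return values below are assumed stand-ins for the real modules' answers.

# Return codes as numbered in OpenPAM's pam_constants.h (FreeBSD's PAM).
PAM_SUCCESS = 0
PAM_AUTH_ERR = 9
PAM_USER_UNKNOWN = 13          # the "13 (unknown user)" in the auth.log line

PAM_STRERROR = {
    PAM_SUCCESS: "success",
    PAM_AUTH_ERR: "authentication error",
    PAM_USER_UNKNOWN: "unknown user",
}

# The account section of the /etc/pam.d/sshd stack from the post, comments dropped.
SSHD_PAM = """
account   required    pam_nologin.so
account   required    pam_login_access.so
account   sufficient  /usr/local/lib/pam_sss.so
account   required    pam_unix.so
"""


def parse_chain(text, facility):
    """Return [(control_flag, module_basename), ...] for one facility."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        flag, module = fields[1], fields[2].rsplit("/", 1)[-1]
        chain.append((flag, module))
    return chain


def dispatch(chain, results):
    """Walk a chain with OpenPAM's control-flag rules (openpam_dispatch.c):
    a required/binding failure is recorded and the walk continues, a
    requisite failure ends the walk at once, a sufficient/binding success
    ends it with success if nothing has failed yet, and a sufficient or
    optional failure is skipped.  `results` maps module name -> return
    code; modules not listed succeed.  Returns (final_code, events) where
    events is [(module, code), ...] in the order the modules were consulted."""
    first_failure = PAM_SUCCESS
    events = []
    for flag, module in chain:
        err = results.get(module, PAM_SUCCESS)
        events.append((module, err))
        if err == PAM_SUCCESS:
            if flag in ("sufficient", "binding") and first_failure == PAM_SUCCESS:
                return PAM_SUCCESS, events
            continue
        if flag == "requisite":
            return err, events
        if flag in ("required", "binding") and first_failure == PAM_SUCCESS:
            first_failure = err
        # "sufficient" and "optional" failures are ignored
    return first_failure, events


CHAIN = parse_chain(SSHD_PAM, "account")

# Assumed module answers for three kinds of user.
LDAP_USER = {}                                   # sssd knows the account
LOCAL_USER = {"pam_sss.so": PAM_USER_UNKNOWN}    # only in the local passwd file
NOBODY = {"pam_sss.so": PAM_USER_UNKNOWN, "pam_unix.so": PAM_USER_UNKNOWN}


def denials(events):
    """Modules that returned a failure, in the wording pam_strerror would use."""
    return [(m, PAM_STRERROR.get(c, str(c))) for m, c in events if c != PAM_SUCCESS]


if __name__ == "__main__":
    for name, results in (("ldap user", LDAP_USER),
                          ("local user", LOCAL_USER),
                          ("unknown user", NOBODY)):
        final, events = dispatch(CHAIN, results)
        print(f"{name:13s} -> {PAM_STRERROR[final]:20s} "
              f"modules consulted: {[m for m, _ in events]}")
        for module, reason in denials(events):
            print(f"{'':13s}    {module} said: {reason}")
```

Running it shows the LDAP user being admitted by pam_sss alone (pam_unix is never consulted), the local user being reported "unknown user" by pam_sss and then admitted by pam_unix, and a user known to neither source ending with PAM_USER_UNKNOWN. For triage this means a lone "Access denied ... 13 (unknown user)" followed within the same sshd PID by "Accepted" is the benign local-account path, whereas the same denial with no following "Accepted" is a real rejection worth looking at.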