Give console and ssh access to Active Directory users

nebular

Member
Oct 20, 2022
I've installed 7.4-3 and I was able to set up Active Directory authentication to the Web GUI using this tutorial:

https://forum.proxmox.com/threads/h...cluster-to-an-active-directory-domain.100395/

However I also want the members of the vm_admins AD group to have access to the console/ssh and sudo.

My searches on how to do that on proxmox keep coming up with responses that say that I would need to set that up with SSH, but I can't find a whole lot on how to do that. I found this page:

https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd

Is that a good method to follow for proxmox? Should I have followed those instructions first before the forum tutorial (my installation is new enough that I can start again)?

Any help on this would be greatly appreciated.
 
Ok I followed the instructions here instead:

https://www.server-world.info/en/note?os=Debian_11&p=realmd

and they matched with other articles I found while searching. Now everything seems correct when joining my domain (we'll call it net.example.com), but when I try to log in I get a system error.

Code:
(2023-05-10 10:08:25): [krb5_child[410655]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][14].
(2023-05-10 10:08:25): [krb5_child[410655]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [admin\@NET.EXAMPLE.COM@NET.EXAMPLE.CA] might not be correct.

In dmesg I also get a bunch of messages like this:

Code:
type=1400 audit(1683738505.468:6414): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/hosts" pid=406237 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Any ideas of what's going on and how I can get shell access for AD users?

Edit: one other additional bit of info, local users created with the adduser command can log in fine on console and ssh.

Edit 2: /var/log/sssd/sssd_pam.log gives the following error when trying to log in:

Code:
(2023-05-10 10:29:32): [pam] [cache_req_common_process_dp_reply] (0x0040): CR #29: Data Provider Error: 3, 0, Init group lookup failed
 
Ok I found the issue by watching the syslogs live while logging in (love that live feature).

Turns out my domain controller wasn't automatically giving out the Active Directory Site name so I had to add:

ad_site = AD_site_name (with AD_site_name being my actual AD site)

to /etc/sssd/sssd.conf and restart the sssd service

I was able to find my AD site name with the following command in Windows (CMD or PowerShell):

nltest /dsgetsite
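A complete /etc/sssd/sssd.conf for the setup discussed in this thread, as an added example (not the poster's file and not part of any Proxmox or realmd documentation): it carries the ad_site fix from the last post and, for the vm_admins restriction asked about in the opening post, SSSD's simple access provider with the matching sudoers line in a comment. The site name is a placeholder, the domain settings are the usual ones realmd writes for an ad join, and the group and realm names are taken from the thread.

```ini
# /etc/sssd/sssd.conf  (added example; chmod 600, owned by root)
# Assumptions: realm net.example.com joined with realmd/adcli, AD site
# "Default-First-Site-Name" (placeholder: use the output of `nltest /dsgetsite`),
# shell access limited to the AD group vm_admins.
[sssd]
domains = net.example.com
config_file_version = 2
services = nss, pam

[domain/net.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_realm = NET.EXAMPLE.COM
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
ldap_id_mapping = True

# The fix from this thread: the DC does not advertise the site, so pin it
# here; without it the PAC/group lookup fails and PAM reports
# "Init group lookup failed" even though the password was accepted.
ad_site = Default-First-Site-Name

# Allow console/ssh logins only for one AD group instead of every domain
# user. With use_fully_qualified_names = True the group must be written
# fully qualified. (realm permit -g vm_admins@net.example.com writes the same.)
access_provider = simple
simple_allow_groups = vm_admins@net.example.com

# sudo for the same group goes in /etc/sudoers.d/vm_admins (check it with
# `visudo -cf /etc/sudoers.d/vm_admins` before relying on it):
#   %vm_admins@net.example.com ALL=(ALL:ALL) ALL
```

After editing, `systemctl restart sssd` and confirm with `id someuser@net.example.com` that the vm_admins group is listed before testing an ssh login.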