Give console and ssh access to Active Directory users

nebular

New Member
Oct 20, 2022
I've installed 7.4-3 and I was able to set up Active Directory authentication to the Web GUI using this tutorial:

https://forum.proxmox.com/threads/h...cluster-to-an-active-directory-domain.100395/

However I also want the members of the vm_admins AD group to have access to the console/ssh and sudo.

My searches on how to do that on proxmox keep coming up with responses that say that I would need to set that up with SSH, but I can't find a whole lot on how to do that. I found this page:

https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd

Is that a good method to follow for proxmox? Should I have followed those instructions first before the forum tutorial (my installation is new enough that I can start again)?

Any help on this would be greatly appreciated.
 
Ok I followed the instructions here instead:

https://www.server-world.info/en/note?os=Debian_11&p=realmd

and they matched with other articles I found while searching. Now everything seems correct when joining my domain (we'll call it net.example.com), but when I try to log in I get a system error.

Code:
 (2023-05-10 10:08:25): [krb5_child[410655]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][14].
 (2023-05-10 10:08:25): [krb5_child[410655]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [admin\@NET.EXAMPLE.COM@NET.EXAMPLE.CA] might not be correct.

in dmesg I also get a bunch of messages like this:

Code:
type=1400 audit(1683738505.468:6414): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be" name="/etc/hosts" pid=406237 comm="sssd_be" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Any ideas of what's going on and how I can get shell access for AD users?

Edit: one other additional bit of info, local users created with the adduser command can log in fine on console and ssh

Edit 2: /var/log/sssd/sssd_pam.log gives the following error when trying to log in:

Code:
(2023-05-10 10:29:32): [pam] [cache_req_common_process_dp_reply] (0x0040): CR #29: Data Provider Error: 3, 0, Init group lookup failed
 
Ok I found the issue by watching the syslogs live while logging in (love that live feature).

Turns out my domain controller wasn't automatically giving out the Active Directory Site name so I had to add:

ad_site = AD_site_name (with AD_site_name being my actual AD site)

to /etc/sssd/sssd.conf and restart the sssd service

I was able to find my AD site name with the following command in Windows (CMD or PowerShell):

nltest /dsgetsite
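An added example (not from the thread, Proxmox or SSSD) that scripts the fix described above: it inserts or replaces `ad_site` in the `[domain/...]` section of an sssd.conf copy and reads the value back, so the change can be checked before restarting sssd. The sample config, domain and site name are constructed placeholders.

```shell
#!/bin/sh
# Added example: idempotently set "ad_site" in the [domain/...] section of
# an sssd.conf. Works on a scratch copy unless SSSD_CONF points elsewhere.

# Constructed sample of the kind of config realm join writes (placeholders).
make_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = net.example.com
config_file_version = 2
services = nss, pam

[domain/net.example.com]
id_provider = ad
ad_domain = net.example.com
krb5_realm = NET.EXAMPLE.COM
use_fully_qualified_names = True
access_provider = ad
EOF
}

# set_ad_site CONF DOMAIN SITE: add or replace "ad_site = SITE" inside
# [domain/DOMAIN]; other sections untouched. Returns 1 if the section is absent.
set_ad_site() {
  conf=$1; domain=$2; site=$3
  grep -qxF "[domain/$domain]" "$conf" || return 1
  cp -p "$conf" "$conf.tmp" || return 1   # keep the 0600 mode sssd requires
  awk -v sec="[domain/$domain]" -v site="$site" '
    $0 == sec { print; print "ad_site = " site; insec = 1; next }
    /^\[/ { insec = 0 }
    insec && /^[ \t]*ad_site[ \t]*=/ { next }   # drop any stale value
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_ad_site CONF DOMAIN: print the ad_site in force for DOMAIN (empty if unset).
get_ad_site() {
  awk -v sec="[domain/$2]" '
    $0 == sec { insec = 1; next }
    /^\[/ { insec = 0 }
    insec && /^[ \t]*ad_site[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }
  ' "$1"
}

# Demo on a scratch copy; set SSSD_CONF=/etc/sssd/sssd.conf on a real host.
if [ -z "${SSSD_CONF:-}" ]; then SSSD_CONF=$(mktemp); make_sample_conf "$SSSD_CONF"; fi
set_ad_site "$SSSD_CONF" net.example.com AD_site_name
echo "ad_site for net.example.com: $(get_ad_site "$SSSD_CONF" net.example.com)"
# On the real host, follow with: systemctl restart sssd
```

Check the result with `id user@net.example.com` after the restart; the sssd_pam.log "Init group lookup failed" error quoted above should no longer appear.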
 
