I've been working on getting a Linux server built for our devs that is joined to our Active Directory Server. Using a combination of Realm and SSSD I have SSH working fine with all users, but trying to remote desktop in to xrdp is failing with a

    Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ricktbaker
    Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=ricktbaker
    Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:account): Access denied for user ricktbaker: 6 (Permission denied)

My /etc/sssd/sssd.conf

    [sssd]
    domains = my.domain.com
    config_file_version = 2
    services = nss, pam

    [domain/my.domain.com]
    ad_domain = my.domain.com
    krb5_realm = MY.DOMAIN.COM
    realmd_tags = joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    simple_allow_users = $
    access_provider = ad

I've tried switching access_provider to simple, but then I can't ssh either. Not quite sure what I'm missing, but will provide any logs or info that might help.

---- EDIT -----

Adding the following line to the domain portion of sssd.conf seems to fix it, but I'm not sure if this is the proper fix:

    ad_gpo_access_control = permissive

Rick Baker

3 Answers

Man, I just love you. I was fighting against this problem for a day with no solution.

As a complement, when I used your config, I still had a problem with X11 not allowing connection. Just had to edit /etc/X11/Xwrapper.config to allowed_users=anybody

And now it works!

Thanks a lot for the update!

C.Dumange
  • Glad it was helpful. I spent a good amount of time as well trying to figure it out. Interesting on the X11 change. I'm assuming you are doing local logins and not RDP? – Rick Baker Nov 08 '17 at 15:51
  • I'm doing xrdp via Active Directory logins on a Ubuntu AD-joined server. Still have to figure out how to properly manage the DNS/domain ticket automatically, but it kinda works for the moment. – C.Dumange Nov 13 '17 at 15:30
After running this setup for well over a year, the fix I had mentioned in my original question definitely works. So adding as an official answer. Just needed the following in my /etc/sssd/sssd.conf

    ad_gpo_access_control = permissive

Also have a blog post about it:

http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/

Rick Baker

From the sssd-ad man page:

       ad_gpo_map_interactive (string)
       A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the InteractiveLogonRight and DenyInteractiveLogonRight policy settings.

       Note: Using the Group Policy Management Editor this value is called "Allow log on locally" and "Deny log on locally".

       It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example,
       in order to replace a default PAM service name for this logon right (e.g.  “login”) with a custom pam service name (e.g.  “my_pam_service”), you would use the following configuration:

           ad_gpo_map_interactive = +my_pam_service, -login

      ....

So, you just have to add:

           ad_gpo_map_interactive = +xrdp-sesman

to your sssd.conf file.
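The two fixes in this thread (setting ad_gpo_access_control = permissive in the question and the first answer, or mapping xrdp-sesman to a logon right with ad_gpo_map_interactive in the answer above) both work on the same mechanism: with access_provider = ad, SSSD looks up which GPO logon right a PAM service name falls under, and a service that is in none of the ad_gpo_map_* lists gets ad_gpo_default_right, which is deny. The script below is an added example, not code from the question, the answers or the SSSD project. It parses a domain section of sssd.conf, applies the "+service" / "-service" syntax quoted from sssd-ad(5), and predicts the account-phase verdict for a given PAM service. The default service lists, the "enforcing" default for ad_gpo_access_control and the treatment of a bare list as replacing the defaults are assumptions taken from the man page for recent SSSD releases; confirm them against `man sssd-ad` on the host. The function names and the embedded sample config are mine.

```python
"""Predict SSSD's GPO access-control verdict for a PAM service from sssd.conf.

Added example for this thread, not code from the posters or from SSSD.
Default lists and defaults below are assumptions taken from sssd-ad(5);
verify them against the man page shipped with your SSSD version.
"""
import configparser

# Services SSSD maps to each logon right when the ad_gpo_map_* option is unset
# (assumption: per sssd-ad(5) for current releases).
DEFAULT_MAPS = {
    "interactive": ["login", "su", "su-l", "gdm-fingerprint", "gdm-password",
                    "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm",
                    "unity", "xdm"],
    "remote_interactive": ["sshd", "cockpit"],
    "network": ["ftp", "samba"],
    "batch": ["crond"],
    "service": [],
    "permit": ["polkit-1", "sudo", "sudo-i", "systemd-user"],
    "deny": [],
}

# Constructed copy of the relevant lines from the question's sssd.conf.
SAMPLE_CONF = """\
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
"""


def apply_edits(defaults, value):
    """Apply the "+svc" / "-svc" edit syntax from sssd-ad(5) to a default list.

    A comma-separated list with no +/- prefixes is treated as replacing the
    defaults outright (assumption about SSSD's handling of bare lists).
    """
    items = [v.strip() for v in value.split(",") if v.strip()]
    if items and not any(item[0] in "+-" for item in items):
        return items
    services = list(defaults)
    for item in items:
        name = item[1:]
        if item.startswith("+") and name not in services:
            services.append(name)
        elif item.startswith("-") and name in services:
            services.remove(name)
    return services


def load_domain(conf_text):
    """Return the options of the first [domain/...] section as a dict."""
    # interpolation=None: fallback_homedir = /home/%u must not be expanded
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    for section in cfg.sections():
        if section.startswith("domain/"):
            return dict(cfg[section])
    raise ValueError("no [domain/...] section found")


def logon_right(domain, pam_service):
    """Logon right the service is evaluated under, or 'unmapped'."""
    for right, defaults in DEFAULT_MAPS.items():
        if pam_service in apply_edits(defaults, domain.get(f"ad_gpo_map_{right}", "")):
            return right
    return "unmapped"


def gpo_decision(domain, pam_service):
    """Return (right, mode, verdict) for pam_service under this domain config."""
    if domain.get("access_provider", "permit") != "ad":
        return ("n/a", "n/a", "gpo-not-evaluated")
    mode = domain.get("ad_gpo_access_control", "enforcing")  # assumption: default
    right = logon_right(domain, pam_service)
    if mode == "disabled":
        return (right, mode, "allowed")
    # An unmapped service inherits ad_gpo_default_right (deny unless changed).
    effective = domain.get("ad_gpo_default_right", "deny") if right == "unmapped" else right
    if effective == "permit":
        verdict = "allowed"
    elif effective == "deny":
        verdict = "denied" if mode == "enforcing" else "allowed-but-logged"
    else:
        verdict = f"evaluated-against-{effective}-logon-right"
    return (right, mode, verdict)


if __name__ == "__main__":
    base = load_domain(SAMPLE_CONF)
    print("xrdp-sesman as posted:", gpo_decision(base, "xrdp-sesman"))
    print("sshd as posted:       ", gpo_decision(base, "sshd"))
    print("permissive fix:       ",
          gpo_decision(dict(base, ad_gpo_access_control="permissive"), "xrdp-sesman"))
    print("map_interactive fix:  ",
          gpo_decision(dict(base, ad_gpo_map_interactive="+xrdp-sesman"), "xrdp-sesman"))
```

Run against the posted config, the script reports xrdp-sesman as unmapped and denied while sshd is evaluated under the remote-interactive right, which matches the log in the question (pam_sss auth succeeds, the account phase returns "Permission denied") and explains why SSH kept working. The permissive setting turns that denial into a logged-only event for every service, whereas the +xrdp-sesman mapping keeps enforcement on and makes xrdp subject to the same "Allow log on locally" policy as console logins, which is the narrower change.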