HELP: Active Directory Authentication via SSS/PAM Integration

Posted by olddognewtricks 
February 12, 2018 02:24PM
Hi.

How can I get successful auth_pam authentications against Active Directory with nginx serving as a reverse proxy? I have nginx-full (1.10.3) installed on an Ubuntu 16.04 LTS EC2 instance. I've successfully joined the VM to an Active Directory domain and I'm able to successfully log in to an SSH session using a domain user only defined in AD. If I use those same AD user credentials when navigating to a protected URL via web browser, I encounter a 401 error. However, using the credentials of a user local to the VM hosting nginx, I can authenticate and navigate to the protected URL. I've included the pertinent config files below. What am I missing?

Thanks.

# /etc/pam.d/nginx
#
@include common-auth
# ###END /etc/pam.d/nginx

# /etc/pam.d/common-auth
#
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# ###END /etc/pam.d/common-auth

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
# ###END /etc/nsswitch.conf

# /etc/sssd/sssd.conf
#
[sssd]
domains = SUBDOMAIN.TLD
config_file_version = 2
services = nss, pam

[domain/SUBDOMAIN.TLD]
ad_domain = SUBDOMAIN.TLD
krb5_realm = SUBDOMAIN.TLD
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# With this set, SSSD only answers for names written as user@SUBDOMAIN.TLD,
# so the same fully qualified form has to be typed at the browser's auth prompt.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
# simple_allow_groups is read only by the "simple" access provider (sssd-simple(5));
# with access_provider = ad the line below has no effect and does not limit logins to Domain Admins.
simple_allow_groups = Domain Admins
ad_hostname = hostname.subdomain.tld
dyndns_update = True

# ###END /etc/sssd/sssd.conf
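The common-auth file above is the stock Debian/Ubuntu stack, and the reason an AD user can end in a 401 while a local user gets through is hidden in how PAM walks those `[success=N default=ignore]` controls. The script below is an added example, not code from the original post or from nginx or SSSD: it replays that walk over the posted stack with constructed module results (no real PAM or sssd calls), following the ok/bad/die/done/jump rules of pam.conf(5) and pam_dispatch's final sanity check. It shows that an AD user with a wrong password and an AD user whose pam_sss cannot reach sssd both fall through to pam_deny and produce the same PAM_AUTH_ERR, so the 401 alone does not say which module refused, and why the priming `pam_permit.so` line is required at all.

```python
"""Walk the posted /etc/pam.d/common-auth stack the way Linux-PAM's dispatcher
does, so the effect of the [success=N default=ignore] controls on an auth_pam
request is visible without a real PAM library.  Added example, not code from
the original post or from nginx/SSSD; the module results below are constructed."""

# Return codes, numbered as in <security/_pam_types.h>
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_IGNORE = 9, 10, 25
CODE_NAME = {0: "success", 6: "perm_denied", 7: "auth_err",
             9: "authinfo_unavail", 10: "user_unknown", 25: "ignore"}

# Keyword controls expanded as pam.conf(5) defines them (new_authtok_reqd omitted)
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# The auth stack exactly as posted (Debian/Ubuntu stock common-auth)
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_control(ctrl):
    """'[success=2 default=ignore]' or a keyword -> {return name: action}."""
    if ctrl in KEYWORD_CONTROLS:
        return dict(KEYWORD_CONTROLS[ctrl])
    if not (ctrl.startswith("[") and ctrl.endswith("]")):
        raise ValueError("unknown control field: %r" % ctrl)
    table = {}
    for item in ctrl[1:-1].split():
        name, action = item.split("=", 1)
        table[name] = int(action) if action.isdigit() else action
    return table


def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into [(module, action table)]."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        if kind != "auth":
            continue                       # only the auth stack matters for auth_pam
        close = rest.index("]") + 1 if rest.startswith("[") else len(rest.split()[0])
        ctrl, module = rest[:close], rest[close:].split()[0]
        stack.append((module, parse_control(ctrl)))
    return stack


def run_stack(stack, module_results, trace=None):
    """Final code of pam_authenticate() over `stack`, following pam_dispatch:
    ok/done record a positive result, bad/die the first failure, ignore nothing,
    and a jump N skips N modules but (for pam_authenticate) counts as ignore."""
    impression, status, i = None, PAM_PERM_DENIED, 0
    while i < len(stack):
        module, table = stack[i]
        i += 1
        if module == "pam_deny.so":            # always fails, per pam_deny(8)
            code = PAM_AUTH_ERR
        elif module == "pam_permit.so":        # always succeeds, per pam_permit(8)
            code = PAM_SUCCESS
        else:                                  # constructed result for this scenario
            code = module_results[module]
        action = table.get(CODE_NAME[code], table.get("default", "bad"))
        if trace is not None:
            trace.append("%s returned %s -> %s" % (module, CODE_NAME[code], action))
        if isinstance(action, int):
            i += action                        # skip N modules, contribute nothing
        elif action in ("bad", "die"):
            if impression != "negative":       # the first failure sets the stack's code
                impression, status = "negative", code
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if code != PAM_IGNORE:
                    impression, status = "positive", code
            if action == "done" and impression == "positive" and status == PAM_SUCCESS:
                break
    # pam_dispatch's sanity check: SUCCESS only stands if some module said so positively
    if status == PAM_SUCCESS and impression != "positive":
        status = PAM_PERM_DENIED
    return status


# Constructed scenarios: what pam_unix and pam_sss would return in each case
SCENARIOS = {
    "local user, good password": {"pam_unix.so": PAM_SUCCESS, "pam_sss.so": PAM_USER_UNKNOWN},
    "AD user, good password": {"pam_unix.so": PAM_USER_UNKNOWN, "pam_sss.so": PAM_SUCCESS},
    "AD user, bad password": {"pam_unix.so": PAM_USER_UNKNOWN, "pam_sss.so": PAM_AUTH_ERR},
    "AD user, sssd unreachable": {"pam_unix.so": PAM_USER_UNKNOWN, "pam_sss.so": PAM_AUTHINFO_UNAVAIL},
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        trace = []
        code = run_stack(parse_stack(COMMON_AUTH), results, trace)
        print("%-27s -> %s" % (name, CODE_NAME[code]))
        print("\n".join("    " + step for step in trace))
```

Because the final code is PAM_AUTH_ERR whether pam_sss rejected the password or never got an answer from sssd, the next step on the real box is to exercise the `nginx` PAM service as the worker user rather than as root (sshd authenticates as root, which is why the SSH test proves less than it seems), for example with pamtester (`sudo -u www-data pamtester nginx 'user@SUBDOMAIN.TLD' authenticate`, assuming the worker runs as www-data and auth_pam uses the service name `nginx` matching the posted /etc/pam.d/nginx), and to read pam_sss's side of the exchange in /var/log/sssd/sssd_pam.log. With `use_fully_qualified_names = True` the name must carry the `@SUBDOMAIN.TLD` suffix in the browser prompt as well.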