Security Issue with sssd / AD authentication?

To: debian-user@lists.debian.org
Subject: Security Issue with sssd / AD authentication?
From: Kent West <westk@acu.edu>
Date: Fri, 8 Nov 2019 11:36:34 -0600
Message-id: <[🔎] eb3be0d2-09a9-e607-9612-eff289fc8ee3@acu.edu>

Probably not the best place to put this information, but I figure hereis better than no where...

I'm tinkering with authentication a Debian (10.1) box via ActiveDirectory, so that an AD user can log into the Debian box.


The relevant /etc/sssd/sssd.conf file has the following modification:

use_fully_qualified_names = False

If I have a local account (say, "westk") and a domain account of thesame name, but with a different password, I can log into the Debian boxwith the domain "westk"/password, but the "id" command shows me then tobe logged in as the local "westk".

The result is that if I have a local account that belongs to acompletely different person than a person with a domain account of thesame name, the domain account person, upon login, becomes the localaccount person, with full access as that person.


Advice? Suggestions? Questions?

Thanks!


--

Kent

Reply to:

Follow-Ups:
- Re: Security Issue with sssd / AD authentication?
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Security Issue with sssd / AD authentication?
  - From: Dan Purgert <dan@djph.net>

Prev by Date: Re: Library versions, SONAMEs,and symbol versions
Next by Date: Re: Security Issue with sssd / AD authentication?
Previous by thread: Re: Library versions, SONAMEs,and symbol versions
Next by thread: Re: Security Issue with sssd / AD authentication?
Index(es):
- Date
- Thread