
Re: Security Issue with sssd / AD authentication?




On 11/8/19 11:53 AM, Roberto C. Sánchez wrote:
On Fri, Nov 08, 2019 at 11:36:34AM -0600, Kent West wrote:
Probably not the best place to put this information, but I figure here is
better than nowhere...

I'm tinkering with authenticating a Debian (10.1) box via Active Directory,
so that an AD user can log into the Debian box.

The relevant /etc/sssd/sssd.conf file has the following modification:

use_fully_qualified_names = False

If I have a local account (say, "westk") and a domain account of the same
name, but with a different password, I can log into the Debian box with the
domain "westk"/password, but the "id" command shows me then to be logged in
as the local "westk".

The result is that if I have a local account that belongs to a completely
different person than a person with a domain account of the same name, the
domain account person, upon login, becomes the local account person, with
full access as that person.

Advice? Suggestions? Questions?

It seems like you have two options:

1. change the use_fully_qualified_names setting
2. eliminate the westk local account

While the situation has security implications, those implications are a
result of misconfiguration rather than any defect in the related
utilities.

You could experience the same issue by allowing logins from two
different domains where the same user account exists in both.  It is a
risk of the use_fully_qualified_names configuration setting.

Regards,

-Roberto


I can accept that answer, if that's indeed the answer, but it seems to me that the local Debian box knows it authenticated from the domain, not locally (based on where the password was successful). Having that knowledge, it seems an error to then assign the user as the local user rather than the domain user.

--

Kent
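The thread's second option (eliminate any local account whose name also exists in the domain) needs an inventory of such collisions before they can be removed or the setting changed. The script below is an added example written for this thread, not code posted by either participant or shipped by sssd. It compares user names from a local passwd-format file against passwd-format lines obtained from the sss backend and prints every name present in both. The `local.passwd` and `domain.passwd` contents are constructed sample data; the `domain_matches_for_local` helper shows how the domain side would be gathered on a real host with per-name `getent passwd -s sss` lookups, which do not require `enumerate = True` in sssd.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from sssd): list local account names
# that also resolve through sssd, so the collisions described in the thread
# can be found before logins are allowed with use_fully_qualified_names = False.
set -eu

# Print every user name present in both passwd-format files, one per line.
#   $1 = local passwd file (normally /etc/passwd)
#   $2 = passwd-format lines obtained from the sss backend
# The first file builds a set of local names; the second file is then
# filtered against that set, printing each colliding name once.
find_collisions() {
    awk -F: '
        FILENAME == ARGV[1] { local_names[$1] = 1; next }
        ($1 in local_names) && !seen[$1]++ { print $1 }
    ' "$1" "$2"
}

# On a real host: for each local name, ask only the sss backend (not files)
# whether it also knows that name. Output is passwd-format, suitable as the
# second argument of find_collisions. Names unknown to the domain print nothing.
# Assumes libnss_sss is installed and sssd is running.
domain_matches_for_local() {
    cut -d: -f1 "$1" | while IFS= read -r name; do
        getent passwd -s sss "$name" 2>/dev/null || true
    done
}

# Constructed demonstration data: a local "westk" (UID 1000) and a domain
# "westk" with an sssd-generated UID. The UIDs are invented for the example.
demo_dir=$(mktemp -d)
cat > "$demo_dir/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
westk:x:1000:1000:Kent West (local):/home/westk:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
cat > "$demo_dir/domain.passwd" <<'EOF'
westk:*:1879201104:1879200513:Kent West:/home/westk:/bin/bash
jdoe:*:1879201105:1879200513:Jane Doe:/home/jdoe:/bin/bash
EOF

echo "Local accounts that also exist in the domain:"
find_collisions "$demo_dir/local.passwd" "$demo_dir/domain.passwd"
# Expected for the sample data: westk

rm -rf "$demo_dir"
```

On a real system the two calls would be `domain_matches_for_local /etc/passwd > /tmp/domain.passwd` followed by `find_collisions /etc/passwd /tmp/domain.passwd`; any name printed is one where, with `use_fully_qualified_names = False`, a domain login would land in the local account's identity as described above. The script only reports; the remedy is still one of the two options in the reply (switch the setting to `True` so domain users log in as `user@domain`, or remove the colliding local account).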


