
Re: Security Issue with sssd / AD authentication?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kent West wrote:
> Probably not the best place to put this information, but I figure here 
> is better than nowhere...
>
> I'm tinkering with authenticating a Debian (10.1) box via Active 
> Directory, so that an AD user can log into the Debian box.
>
> [...]
>
> The result is that if I have a local account that belongs to a 
> completely different person than a person with a domain account of the 
> same name, the domain account person, upon login, becomes the local 
> account person, with full access as that person.
>
> Advice? Suggestions? Questions?
>

Last time I did central logins like that, I used OpenLDAP, so it may not
be the same process.  But as I recall, you had to change one of the PAM
modules (possibly more than one) such that it prefers LDAP (AD,
whatever) over the local /etc/passwd file.

Additionally, I seem to recall some caveat of the "same username" not
gracefully allowing you to "select"; so I just ended up having a
secondary 'me_local' account that wasn't part of the LDAP setup.

It's been a few years (and a new job) since, so I might not have the
notes anymore (the general info is usually something I hang onto, but
the "basics of LDAP" notes aren't immediately forthcoming).


-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEBcqaUD8uEzVNxUrujhHd8xJ5ooEFAl3FrLUACgkQjhHd8xJ5
ooEOuggArD62bnF0vuIBfbvmvu8IbomBs0eUBN+YqA8iusNMA6KF+0YboWeNmK6z
yzlcNb8PArKx4ca5olV3gV6zOa4lO73onW9BBq4tcajgW7mgllsLgDeWBlD4HeER
xg1O5m9TCJlmgnWLWdW15tr6hQk8STASm7R8/LGBWOq3AGVE21dQBnkC7sdxu514
6b5EgMDBdgiCFuKXogkZL/EbdWMNYvGe1rQao1yCAeln9+NDasYp2A+KAZ76XEnT
rPgjYol4JIO3O7Be+X0XsTy6ssSpNd2w5IuKfpGev5wfxtrj4tR+NkxxEwUHz38H
+9nN6awXwtdywR6XmU+IucWRua7/Wg==
=9it9
-----END PGP SIGNATURE-----

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281


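The ordering the reply talks about lives in /etc/nsswitch.conf: for the passwd database, NSS asks each listed source in turn and the first one that knows the name wins, which is why a local /etc/passwd entry named like a domain account silently takes over that login. The script below is an added example, not code from this thread or from sssd; it parses a constructed nsswitch.conf plus constructed samples of what `getent -s files passwd` and `getent -s sss passwd` would return, reports every username present in both sources, and shows which uid NSS would hand back for it under the configured order. The hostnames, uids and the EXAMPLE domain are made up.

```python
"""Added example (not from the original thread): audit a host for usernames
that exist both in local /etc/passwd and in the AD/sssd source, and show
which identity NSS hands back for each, given the order in nsswitch.conf."""

# Constructed sample /etc/nsswitch.conf (Debian's default puts 'files' first).
NSSWITCH_CONF = """\
# /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
"""

# Constructed sample output of `getent -s files passwd` and `getent -s sss passwd`.
# The same login name 'kwest' belongs to two different people.
FILES_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kwest:x:1000:1000:Kent West (local account):/home/kwest:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SSS_PASSWD = """\
kwest:*:1234567:1234567:Kent West (domain account):/home/EXAMPLE/kwest:/bin/bash
jdoe:*:1234568:1234567:Jane Doe:/home/EXAMPLE/jdoe:/bin/bash
"""


def passwd_sources(nsswitch_text):
    """Return the ordered NSS sources for the passwd database."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        if db.strip() == "passwd":
            # Skip action tokens such as [NOTFOUND=return]; keep source names.
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_passwd(text):
    """Parse passwd(5) lines into {name: (uid, gecos)}."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        table[fields[0]] = (int(fields[2]), fields[4])
    return table


def resolve(name, order, sources):
    """Mimic NSS: the first source in nsswitch order that knows the name wins."""
    for src in order:
        if name in sources.get(src, {}):
            return src, sources[src][name][0]
    return None


def collisions(order, sources):
    """List names present in more than one source, with the winning source/uid."""
    owners = {}
    for src, table in sources.items():
        for name in table:
            owners.setdefault(name, set()).add(src)
    report = []
    for name in sorted(owners):
        if len(owners[name]) > 1:
            src, uid = resolve(name, order, sources)
            report.append((name, sorted(owners[name]), src, uid))
    return report


def audit(nsswitch_text=NSSWITCH_CONF, files_text=FILES_PASSWD, sss_text=SSS_PASSWD):
    """Run the collision audit over the given texts; returns (order, report)."""
    order = passwd_sources(nsswitch_text)
    sources = {"files": parse_passwd(files_text), "sss": parse_passwd(sss_text)}
    return order, collisions(order, sources)


if __name__ == "__main__":
    order, report = audit()
    print("passwd lookup order:", " ".join(order))
    for name, srcs, winner, uid in report:
        print(f"COLLISION {name!r}: in {srcs}; NSS returns uid {uid} from {winner!r}")
    # Swapping 'sss' ahead of 'files' only changes which person is shadowed;
    # the collision itself is the bug and has to be removed.
```

On a real host, feed it the actual /etc/nsswitch.conf and the output of `getent -s files passwd` and `getent -s sss passwd` instead of the constructed strings. Note that reversing the order so that sss comes first does not make the problem go away: it just shadows the local person instead of the domain one, and whichever identity loses still has its password accepted by the winning uid's session via PAM. The durable fixes are to eliminate the overlap (rename or remove the local account) or to set `use_fully_qualified_names = True` in the domain section of sssd.conf so that domain logins take the form user@DOMAIN and can never match a bare local name.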