Channel: Nginx Forum - How to...

HELP: Active Directory Authentication via SSS/PAM Integration

Hi.

How can I get successful auth_pam authentications against Active Directory with nginx serving as a reverse proxy? I have nginx-full (1.10.3) installed on an Ubuntu 16.04 LTS EC2 instance. I've successfully joined the VM to an Active Directory domain and I'm able to successfully log in to an SSH session using a domain user only defined in AD. If I use those same AD user credentials when navigating to a protected URL via web browser, I encounter a 401 error. However, using the credentials of a user local to the VM hosting nginx, I can authenticate and navigate to the protected URL. I've included the pertinent config files below. What am I missing?

Thanks.

# /etc/pam.d/nginx
#
@include common-auth
# ###END /etc/pam.d/nginx

# /etc/pam.d/common-auth
#
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# ###END /etc/pam.d/common-auth

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
# ###END /etc/nsswitch.conf

# /etc/sssd/sssd.conf
#
[sssd]
domains = SUBDOMAIN.TLD
config_file_version = 2
services = nss, pam

[domain/SUBDOMAIN.TLD]
ad_domain = SUBDOMAIN.TLD
krb5_realm = SUBDOMAIN.TLD
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
simple_allow_groups = Domain Admins
ad_hostname = hostname.subdomain.tld
dyndns_update = True

# ###END /etc/sssd/sssd.conf
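Added example, not from the post or from the nginx auth_pam or SSSD projects: a short Python walk through the pam.conf(5) control semantics of the common-auth stack quoted above. It shows which module actually produces the failure behind the 401. A local user succeeds at pam_unix and jumps straight to pam_permit; an AD user is ignored by pam_unix, so the whole decision rests on pam_sss, and if pam_sss returns anything but success the requisite pam_deny ends the stack with an error. The module return values are constructed inputs, not calls into real PAM. The second helper shows the one thing the posted configuration does make certain: with use_fully_qualified_names = True, the username nginx hands to pam_sss must be in user@domain form; its stripping of a NETBIOS\user prefix is an assumed normalization. The post itself does not identify the actual root cause.

```python
"""Simulate a Linux-PAM 'auth' stack to see which module yields the 401."""
import re

# Constructed copy of the post's /etc/pam.d/common-auth, comments stripped.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# What the two stock modules return for auth; callers override the rest.
BUILTIN_RESULTS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

# Simple control words expressed as [value=action] lists, per pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(control, module, args), ...] for the 'auth' lines in text."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        mtype, control, module, args = m.groups()
        if mtype == "auth":
            stack.append((control, module, args.split()))
    return stack


def _actions(control):
    """Map a control field to {return_value: action}."""
    if control in SIMPLE_CONTROLS:
        return SIMPLE_CONTROLS[control]
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: %r" % control)
    return dict(tok.split("=", 1) for tok in control[1:-1].split())


def run_auth_stack(stack, results):
    """Simulate the stack; results maps module -> PAM return value name.

    Returns (overall_result, trace); trace holds one
    (module, return_value, action_taken) per module actually run.
    Linux-PAM starts from PAM_PERM_DENIED when nothing sets a result.
    """
    outcome, trace, i = None, [], 0
    while i < len(stack):
        control, module, _args = stack[i]
        ret = results.get(module, BUILTIN_RESULTS.get(module, "auth_err"))
        act = _actions(control)
        action = act.get(ret, act.get("default", "bad"))
        trace.append((module, ret, action))
        if action == "ignore":
            pass
        elif action in ("ok", "done") or action.isdigit():
            # A bare number is 'ok' plus a jump over the next N modules.
            if outcome is None:
                outcome = "success"
            if action == "done":
                break
            if action.isdigit():
                i += int(action)
        elif action in ("bad", "die"):
            # The first failure fixes the stack result; 'die' also stops.
            if outcome in (None, "success"):
                outcome = ret
            if action == "die":
                break
        else:
            raise ValueError("unsupported action: %r" % action)
        i += 1
    return (outcome or "perm_denied"), trace


def sssd_login_name(typed, domain):
    """Username form pam_sss needs with use_fully_qualified_names = True.

    Strips an assumed NETBIOS\\user prefix and appends the domain if absent.
    """
    typed = typed.strip()
    if "\\" in typed:
        typed = typed.split("\\", 1)[1]
    user, _, dom = typed.partition("@")
    return "%s@%s" % (user, (dom or domain).lower())


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    scenarios = {
        "local user, good password": {"pam_unix.so": "success"},
        "AD user, pam_sss accepts":   {"pam_unix.so": "user_unknown",
                                       "pam_sss.so": "success"},
        "AD user, pam_sss rejects":   {"pam_unix.so": "user_unknown",
                                       "pam_sss.so": "auth_err"},
    }
    for name, results in scenarios.items():
        final, trace = run_auth_stack(stack, results)
        print("%-28s -> %-11s via %s" % (name, final, trace))
    print(sssd_login_name("SUBDOMAIN\\jdoe", "SUBDOMAIN.TLD"))
```

Reading the third scenario's trace is the useful part: a 401 for an AD user under this stack means pam_sss did not return success for the exact username and password nginx passed through, so the next things to confirm are that the browser-supplied name is the user@domain form SSSD expects and that pam_sss can be exercised as the nginx worker user outside of nginx.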
