I've been stuck for 3 days trying to integrate AD users from my Windows server into a Debian server.
For this purpose I installed these packages on my Debian server:
realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
I successfully joined my Debian server to the AD domain, and my users can now log in to Debian, but the restrictions set with a GPO on AD don't apply, so everyone can log in to the server through SSH.
I'm starting to go mad and have no more ideas; I can't find anything useful in the logs at maximum verbosity.
This is my /etc/sssd/sssd.conf:
[sssd]
domains = xxxxx.com
config_file_version = 2
services = nss, pam
[nss]
[pam]
[domain/xxxxx.com]
debug_level=10
default_shell = /bin/bash
ad_server = ad.xxxxx.com
use_fully_qualified_names = False
krb5_store_password_if_offline = False
cache_credentials = False
krb5_realm = XXXXXX.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = true
ad_gpo_ignore_unreadable = true
fallback_homedir = /home/%u
ad_domain = xxxxx.com
ldap_id_mapping = True
These are my PAM configs:
common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
common-auth
auth [success=3 default=ignore] pam_unix.so nullok
auth [success=2 default=ignore] pam_sss.so use_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
GPO on AD
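One check worth running before digging further into the logs is confirming which Windows logon right SSSD actually evaluates for the PAM service you are testing: with access_provider = ad and ad_gpo_access_control = enforcing, SSSD maps each PAM service name to a GPO category, and sshd sits in the "remote interactive" category, which is governed by "Allow/Deny log on through Remote Desktop Services" rather than "Allow log on locally". The script below is an added illustration, not code from the question or from the SSSD project. The service-to-category defaults and the right names are taken from the sssd-ad(5) man page as I know it and should be checked against `man sssd-ad` on the host; the sample sssd.conf is constructed from the one in the question, and the override syntax (+name adds, -name removes) is the one that man page documents.

```python
"""Which Windows logon right does SSSD's GPO access control evaluate for a
given PAM service?  Added illustration; not code from the question or from SSSD."""
import configparser

# Built-in PAM-service-to-category lists, as documented in sssd-ad(5).
# Assumed to match the SSSD versions current when this was written; verify
# against `man sssd-ad` on the host being checked.
DEFAULT_GPO_MAP = {
    "interactive": ["login", "su", "su-l", "gdm-fingerprint", "gdm-password",
                    "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm", "unity", "xdm"],
    "remote_interactive": ["sshd", "cockpit"],
    "network": ["ftp", "samba"],
    "batch": ["crond"],
    "service": [],
    "permit": ["polkit-1", "sudo", "sudo-i", "systemd-user"],
    "deny": [],
}

# (allow right, deny right) pair that each category is checked against.
LOGON_RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight",
                           "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "service": ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}

# Constructed sample, trimmed from the sssd.conf in the question (domain name kept as posted).
SAMPLE_CONF = """\
[sssd]
domains = xxxxx.com
config_file_version = 2
services = nss, pam

[domain/xxxxx.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = true
ad_gpo_ignore_unreadable = true
realmd_tags = manages-system joined-with-adcli
"""


def parse_sssd_conf(text):
    # strict=False: tolerate a repeated key, as SSSD itself does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective_gpo_map(domain):
    """Apply ad_gpo_map_<category> overrides to the defaults.
    Each entry must be '+name' (add to the category) or '-name' (remove from it)."""
    mapping = {cat: list(names) for cat, names in DEFAULT_GPO_MAP.items()}
    for cat, names in mapping.items():
        raw = domain.get(f"ad_gpo_map_{cat}", "")
        for entry in (e.strip() for e in raw.split(",") if e.strip()):
            if entry.startswith("+"):
                names.append(entry[1:])
            elif entry.startswith("-"):
                if entry[1:] in names:
                    names.remove(entry[1:])
            else:
                raise ValueError(f"ad_gpo_map_{cat}: {entry!r} must start with + or -")
    return mapping


def gpo_check_for(conf, domain_name, service):
    """Describe how SSSD's GPO access control treats `service` for the domain."""
    domain = conf[f"domain/{domain_name}"]
    mapping = effective_gpo_map(domain)
    # Unmapped services fall back to ad_gpo_default_right (documented default: deny).
    category = next((cat for cat, names in mapping.items() if service in names),
                    domain.get("ad_gpo_default_right", "deny"))
    allow, deny = LOGON_RIGHTS.get(category, (None, None))  # permit/deny need no right
    return {
        "service": service,
        "access_control": domain.get("ad_gpo_access_control", "(unset)"),
        "category": category,
        "allow_right": allow,
        "deny_right": deny,
    }


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    for svc in ("sshd", "login", "sudo", "vsftpd"):
        r = gpo_check_for(conf, "xxxxx.com", svc)
        print(f"{svc:8} -> {r['category']:18} allow={r['allow_right']} deny={r['deny_right']}")
```

Run against the real /etc/sssd/sssd.conf, the output for sshd tells you which user right the GPO must set for SSH restrictions to take effect, and which right a "permit" entry or ad_gpo_default_right would bypass entirely. If the GPO only configures "Allow log on locally", it constrains the interactive category (login, display managers) and says nothing about sshd.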