AD Users are bypassed due to groups when groups config option is set, regardless of group. #220
Comments
Hi @elitegoodguy, what version of Duo Unix did you try this with? The most recent release? Also, to make sure I understand your expectations, are you specifying a groupname or a !groupname?
Sorry, left that out... It's login_duo 1.12.0. That is correct, I attempted groups=users,!wheel for all users except for those in the wheel group. Maybe put the AD group that I am in? groups="Domain Users",!wheel ? I have not tried that yet.
I resolved it. It was that it was allowing them through regardless of the group. You can either be included or excluded... If you are not in any group that's included, you're automatically considered excluded and do not need to have 2FA. I found that once I added in a valid group name that I am 100% included in, then it works. This works just fine for me because it says everyone on the domain needs Duo 2FA to get into this server except for root. My login rules will lock it down further to restrict it to a certain group and allow root to log in locally only. groups=domain\ users,!root
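To make the include/exclude behaviour described in this comment and in the issue summary concrete, here is an added Python model of how a groups= list is evaluated; it is not duo_unix's own code and assumes comma-separated entries, exact name comparison, and that a matching negated entry always wins, plus a small lint for lists that bypass everyone (only negated entries, or a positive group that nobody belongs to).

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed example, not duo_unix's own code: a simplified model of how a
# login_duo "groups=" list decides whether a login must pass Duo 2FA.
# Assumptions: entries are comma-separated with surrounding whitespace
# ignored, a leading "!" negates an entry, names are compared exactly, and a
# negated match wins no matter where it appears in the list.

def parse_groups_option(value: str) -> List[Tuple[bool, str]]:
    """Split "users,!wheel" into [(False, "users"), (True, "wheel")]."""
    entries = []
    for raw in value.split(","):
        name = raw.strip()
        if name:
            negated = name.startswith("!")
            entries.append((negated, name[1:].strip() if negated else name))
    return entries


def requires_duo(user_groups: Iterable[str], groups_option: Optional[str]) -> bool:
    """True when a user with these UNIX groups must authenticate with Duo.

    No groups option at all means Duo applies to everyone. A negated entry the
    user belongs to excludes them outright; otherwise Duo is required only if
    the user is in at least one positive entry. A user matching nothing is
    bypassed, which is the "[6] User jdoe bypassed Duo 2FA due to user's UNIX
    group" outcome the issue describes.
    """
    if groups_option is None:
        return True
    memberships = set(user_groups)
    matched_positive = False
    for negated, name in parse_groups_option(groups_option):
        if name in memberships:
            if negated:
                return False
            matched_positive = True
    return matched_positive


def lint_groups_option(groups_option: str, known_groups: Optional[Set[str]] = None) -> List[str]:
    """Flag a groups= line that bypasses Duo for more users than intended."""
    entries = parse_groups_option(groups_option)
    warnings = []
    if all(negated for negated, _ in entries):
        warnings.append("no positive entry: every user is bypassed")
    if known_groups is not None:
        for negated, name in entries:
            if not negated and name not in known_groups:
                warnings.append(f"positive entry {name!r} matches no existing group")
    return warnings
```

Running the lint against a candidate groups= line before deploying it catches the "everyone is bypassed" misconfiguration that the reporter hit with a group name nobody belongs to.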
@elitegoodguy Looks like you got this working to your satisfaction, so I'll close this out. Let us know if you run into any other issues, and thanks for using Duo!
Summary
AD Users are bypassed due to groups when groups config option is set, regardless of group.
I'm trying to set up to allow my root user to log in without 2FA (yes, I'll be disabling that once I get Duo working for my users and making root local login only). Every time I add the groups=XXXX line into the config I get "[6] User jdoe bypassed Duo 2FA due to user's UNIX group", regardless of what information I put into groups. I can put groups=made_up_group_that_doesnt_exist and it will allow my user to bypass Duo. If I have the groups line commented out, it prompts me to authenticate with Duo.
Steps to reproduce
Specs