xrdp, no login for AD users. #906
Comments
What is XOG? |
Can you post your /etc/sssd/sssd.conf? I have the same configuration running without any bigger issues. |
Sorry XORG. Debian GNU/Linux 9 (stretch) with mate desktop
|
Please don't forget to quote when you paste config or logs. You can quote it with triple backquotes. Everything you input in the comment form is interpreted as Markdown unless quoted. |
Change the last line of your sssd.conf to |
AD logins work for ssh and local console as previously stated, why would xrdp work differently? |
|
It would be great to know WHAT is "denying permission". /etc/pam.d/common-account |
xrdp_sesman is not registered as service provider in sssd, whereas ssh and local console are. You can either register it or switch to simple mode. Read the man page on how to register it. man sssd.conf or switch to simple mode as stated before. |
Finally someone who looks like they know what they are doing. |
sssd.conf has a services entry but it only lists nss and pam |
You are probably missing entries for |
built-in list?? |
I insist that you should read the sssd man page:
So, only this list of services is allowed to create sessions for users. You need to add If you ask yourself where is |
The upgrade from Debian 8 to 9 has broken a LOT of things on my systems. It indeed appears to be an sssd thing, these boys need to work on their installer, it should ask a few questions and configure based on the responses. Thanks to those who tried and those that did help. |
you saved my day, many thanks! |
For those who are looking for an answer and found this page in Google. The issue is the lack of an sssd config; it is not an xrdp bug. Maybe you are using an Active Directory integration with sssd and Group Policy as authorization method (like the official instructions from RHEL).

You have 2 choices:

Option 1: Use "simple" as access provider instead of Group Policy

Your sssd.conf should look like this

This makes the GPO policy useless, but you can specify which users or groups are allowed to log in with these commands on the workstation: (more info)

Option 2: Keep Using Group Policy

This is the config that works for me in CentOS 8
|
access_provider = simple: the exact solution I was looking for.. |
THANK YOU - Saved me who knows how many hours. I'm in a pretty restrictive air-gapped environment bound to AD and I think that setting access_provider may have done more harm than good. Leaving it as is and explicitly defining ad_gpo_access_control and ad_gpo_map_remote_interactive did the trick for me. Thanks again!! |
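An added example, not code from this thread or from the xrdp or sssd projects: a Python check that pairs the `pam_sss` account-phase denial from the report's auth log with the GPO service maps in sssd.conf, and reports PAM services that have no mapping. The function names and the `example.com` domain are hypothetical; the built-in lists are abbreviated from sssd-ad(5), and an unset `ad_gpo_access_control` is assumed to mean enforcing.

```python
import configparser
import re

# Abbreviated built-in service maps from sssd-ad(5); the lists vary by sssd version.
BUILTIN = {
    "ad_gpo_map_interactive": {"login", "su", "su-l", "gdm-password", "lightdm"},
    "ad_gpo_map_remote_interactive": {"sshd"},
    "ad_gpo_map_permit": {"sudo", "sudo-i", "systemd-user"},
}
# pam_sss account-phase denial in the form shown in the report's auth log.
DENIED = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user (?P<user>[^:]+): 6 ")

def mapped_services(domain_cfg):
    """Built-in maps with the '+service' / '-service' entries from sssd.conf applied."""
    mapped = set()
    for option, builtin in BUILTIN.items():
        services = set(builtin)
        for item in (s.strip() for s in domain_cfg.get(option, "").split(",")):
            if item.startswith("+"):
                services.add(item[1:])
            elif item.startswith("-"):
                services.discard(item[1:])
        mapped |= services
    return mapped

def unmapped_denials(auth_log, sssd_conf, domain):
    """Sorted (service, user) denials whose PAM service has no GPO mapping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    cfg = cp[f"domain/{domain}"]
    # Assumption: an unset ad_gpo_access_control behaves as "enforcing".
    enforcing = cfg.get("ad_gpo_access_control", "enforcing") == "enforcing"
    if cfg.get("access_provider") != "ad" or not enforcing:
        return []  # GPO rules are not what decides access here
    mapped = mapped_services(cfg)
    hits = {(m["svc"], m["user"]) for m in DENIED.finditer(auth_log)}
    return sorted(hit for hit in hits if hit[0] not in mapped)

# The pam_sss lines from the auth log in the report on this page.
AUTH_LOG = (
    "xrdp-sesman[1597]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=death\n"
    "xrdp-sesman[1597]: pam_sss(xrdp-sesman:account): Access denied for user death: 6 (Permission denied)\n"
)
# Constructed sssd.conf fragments; example.com is a placeholder domain.
GPO_DEFAULT = "[domain/example.com]\naccess_provider = ad\n"
GPO_MAPPED = GPO_DEFAULT + "ad_gpo_map_remote_interactive = +xrdp-sesman\n"

if __name__ == "__main__":
    for conf in (GPO_DEFAULT, GPO_MAPPED):
        print(unmapped_denials(AUTH_LOG, conf, "example.com"))
```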
I always forget about that. Anyway, problem solved. Thanks! |
I have xrdp and sssd and realm all working..... xrdp to a point!
I can log in locally to the "remote" machine using local and AD accounts
I can ssh into the remote machine using local and AD user accounts
I can remote into the remote machine with xrdp using local accounts
I can NOT remote into the remote machine with xrdp using AD user accounts.
Been at this for more than 5 days.. Googled the crap out of it to no avail.
Debian 9
4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28)
using x11rdp and selecting XOG from the login screen.
auth log shows:
xrdp-sesman[1597]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=death
xrdp-sesman[1597]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=death
xrdp-sesman[1597]: pam_sss(xrdp-sesman:account): Access denied for user death: 6 (Permission denied)