aad-for-linux / libnss-aad Goto Github PK

View Code? Open in Web Editor NEW

4.0 2.0 4.0 102 KB

Name Service Switch (NSS) Module for performing user lookups against the Azure Active Directory (AAD).

License: GNU General Public License v3.0

Shell 0.20% Makefile 6.27% C 93.53%

linux azure azure-active-directory group glibc nss passwd nss-db hacktoberfest

libnss-aad's Introduction

libnss-aad

Name Service Switch (NSS) Module for performing user lookups against the Azure Active Directory (AAD).

Installation

make
sudo make install

Configuration

Edit /etc/nsswitch.conf to match the following:

passwd:         compat aad
group:          compat
shadow:         compat aad

Note: The contents of /etc/nsswitch.conf differ between distributions. However, simply ensuring that aad is present on the passwd, group, and shadow lines is sufficient.

Configuration File

Create the file /etc/libnss-aad.conf and fill it with:

{
  "client": {
    "id": "{{client_id}}",
    "secret": "{{client_secret}}"
  },
  "domain": "{{domain}}",
  "user": {
    "group": "users",
    "shell": "/bin/bash"
  }
}

NOTE: For now, client.secret must be URL-encoded.

Current Behavior

id tux
uid=1000(tux) gid=100(users) groups=100(users)

getent passwd tux
tux:x:1000:100::/home/tux:/bin/bash

getent shadow tux
tux:$2a$12$tlMH2KjgjCvd7gV0WVU4g.RxRe2vcXzmJ/WXLUQPRsE3yyjba9YCa:13571:0:99999:7:::

libnss-aad's People

Contributors

Stargazers

Watchers

Forkers

outzhu semicolonpoundpound mw-a sanoxy

libnss-aad's Issues

installation failed

from make command

gcc   -I. -fPIC -fno-stack-protector -Wall \
        -shared -Wl,--export-dynamic -o libnss_aad.so.2 -Wl,-soname,libnss_aad.so.2 \
        libnss_aad.c -lcrypt -lcurl -ljansson -lm -lsds -lsodium -lxcrypt
libnss_aad.c:2:10: fatal error: curl/curl.h: No such file or directory
    2 | #include <curl/curl.h>
      |          ^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:15: libnss_aad] Error 1

returned odata.error on tab i.e., bash completion for unprivileged user

ls /returned odata.error
returned odata.error

bin/            dev/            home/           initrd.img.old  lib64/          media/          opt/            root/           sbin/           sys/            usr/            vmlinuz
boot/           etc/            initrd.img      lib/            lost+found/     mnt/            proc/           run/            srv/            tmp/            var/            vmlinuz.old

Source: CyberNinjas/libnss_aad#4

Check and assign group membership from Azure Active Directory

If user A is part of security group Foo in the Azure portal, and user B is part of security group Bar; group Foo should map to the sudoers group, while group Bar should map to the users group.

Source: CyberNinjas/libnss_aad#18

Launchpad build failure

The following packages have unmet dependencies:
 builddeps:libnss-aad : Depends: libxcrypt-dev but it is not installable
E: Unable to correct problems, you have held broken packages.

Reference(s):

Docker build failing

/bin/sh ./scripts/docker.sh 
Sending build context to Docker daemon  268.8kB
Step 1/10 : FROM debian:9.7
 ---> d508d16c64cd
Step 2/10 : ARG VERSION
 ---> Using cache
 ---> 88a3efc78f25
Step 3/10 : ARG DEBVER
 ---> Using cache
 ---> 4b9ae4f07e4c
Step 4/10 : RUN echo "deb http://http.us.debian.org/debian sid main"         >> /etc/apt/sources.list &&     apt update && apt install -y         automake         autopoint         build-essential         cmake         curl         debhelper         devscripts         git         indent         libcurl4-openssl-dev         libjansson-dev         libjwt-dev         libsodium-dev         libssl-dev         libtool         libxcrypt-dev         pkg-config         quilt
 ---> Running in 94e3d03a74d8

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://http.us.debian.org/debian sid InRelease [165 kB]
Get:5 http://deb.debian.org/debian stretch Release [118 kB]
Get:6 http://deb.debian.org/debian stretch Release.gpg [3177 B]
Get:7 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [734 kB]
Get:8 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]
Err:4 http://http.us.debian.org/debian sid InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists...
W: GPG error: http://http.us.debian.org/debian sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://http.us.debian.org/debian sid InRelease' is not signed.
The command '/bin/sh -c echo "deb http://http.us.debian.org/debian sid main"         >> /etc/apt/sources.list &&     apt update && apt install -y         automake         autopoint         build-essential         cmake         curl         debhelper         devscripts         git         indent         libcurl4-openssl-dev         libjansson-dev         libjwt-dev         libsodium-dev         libssl-dev         libtool         libxcrypt-dev         pkg-config         quilt' returned a non-zero code: 100

Got a 503 error

Dec  6 20:15:55 xxx  sshd[4041373]: nss_aad: This is an Azure machine
Dec  6 20:15:55 xxx  sshd[4041373]: nss_aad: HTTP retriable error 503 from http://169.254.169.254/metadata/login/users/chasun%40microsoft.com?api-version=2019-03-11
Dec  6 20:15:55 xxx  sshd[4041373]: Invalid user [email protected] from 10.206.0.2 port 55879
Dec  6 20:15:56 xxx  sshd[4041373]: Connection reset by invalid user [email protected] 10.206.0.2 port 55879 [preauth]

I have added the assignment.