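# sssd.conf — SSSD configuration for a Linux client joined to the example.com
# Active Directory domain. Read by sssd only; comments are '#' on their own
# line (no inline comments; sssd would treat them as part of the value).
# sssd expects this file to be owned by root with mode 0600 and refuses to
# start otherwise — verify against the installed sssd version.

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = example.com

[nss]
# Never resolve these local accounts through the AD domain.
filter_groups = root
filter_users = root

[pam]
# Days since the last successful online login that cached credentials
# remain usable while the AD servers are unreachable.
offline_credentials_expiration = 2
# Failed offline logins allowed before further attempts are refused, and
# the lockout duration in minutes once that count is reached.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/example.com]
# Basic configuration for connecting to Active Directory
id_provider = ad
auth_provider = ad
# access_provider is defined once here. The original file also set it to
# 'simple' in the "Access Control" block below, i.e. the same key twice in one
# section; the effective value then depends on the parser (sssd is expected to
# keep the last one — confirm). The optional 'simple' variant is now commented
# out; to use it, comment out this line and uncomment that block.
access_provider = ad

# Enable Kerberos for authentication
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
krb5_kpasswd = ad.example.com

# Active Directory server information
ad_domain = example.com
ad_server = ad.example.com
ad_hostname = linuxclient.example.com

# INSECURE PRACTICE: Hardcoding AD username and password in sssd.conf
# These values will expose the username and password in plaintext
# In a real deployment remove both keys: the ad provider normally
# authenticates with the host's Kerberos keytab and does not need a bind
# password. ldap_default_authtok_type = obfuscated_password only hides the
# value from casual reading; it is not encryption. Anyone who can read this
# file (see the 0600 requirement above) obtains a working AD credential,
# so if this block is kept as a test fixture, make sure the account is
# a throwaway one. NOTE(review): whether this file is such a fixture is
# not evident from the file itself — confirm with the repository.
ldap_default_bind_dn = cn=admin,cn=users,dc=example,dc=com
ldap_default_authtok = P@ssw0rd123

# Using the above configuration exposes credentials to anyone who can read this file

# ID mapping: derive POSIX UIDs/GIDs from AD SIDs instead of reading
# uidNumber/gidNumber attributes from AD.
ldap_id_mapping = true

# Performance optimizations
# cache_credentials stores salted password hashes in the local sssd cache so
# offline logins work; the cache directory must stay root-only.
cache_credentials = true
enumerate = false
use_fully_qualified_names = false

# Access Control (Optional: limit login to users in AD group 'LinuxAdmins')
# Commented out because access_provider is already set to 'ad' above and a
# key may only appear once per section. Uncomment both lines and comment out
# the earlier access_provider line to enable group-based access control.
# access_provider = simple
# simple_allow_groups = LinuxAdmins

# Security settings
# Ignore AD users and groups whose mapped ID is below 1000 so they cannot
# shadow local system accounts.
min_id = 1000
# %u is expanded by sssd to the login name.
fallback_homedir = /home/%u

# Timeout and retry settings for better AD stability
# Seconds.
ldap_search_timeout = 10
ldap_connection_expire_timeout = 60

# Debugging options (uncomment for troubleshooting)
# debug_level = 9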