Difference between revisions of "SSSD"

 
Line 137: Line 137:
  
 
== Testing ==
 
== Testing ==
 
 
{{Root|getent passwd domainuser}} has to return a full working passwd entry including uid/guid, home directory and shell to be able to login.
 
{{Root|getent passwd domainuser}} has to return a full working passwd entry including uid/guid, home directory and shell to be able to login.
  
 
== Add additional user groups to existing users ==
 
== Add additional user groups to existing users ==
 
{{Root|usermod -a -G wheel,kvm <user>}}
 
{{Root|usermod -a -G wheel,kvm <user>}}
 +
 +
== Documentation ==
 +
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ad2008-example.html

Latest revision as of 13:46, 13 May 2013

SSSD obsoletes the old nss_ldap & pam_ldap combination and is also a successor to nss-pam-ldapd and pam_krb5.

The following examples have been tested against Active Directory in 2003 mode.

Basic configuration

File: /etc/nsswitch.conf
# Each map is served by the local files first ('compat'), then by SSSD
# ('sss', i.e. nss_sss) when the name is not found locally.
# NOTE(review): nss_sss answers passwd and group lookups; the 'sss' source on
# the shadow line is presumably inert (domain passwords are checked through
# pam_sss, not through the shadow map) -- harmless, but verify before relying on it.
passwd:      compat sss
shadow:      compat sss
group:       compat sss


File: /etc/pam.d/system-auth
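# system-auth: try the local database (pam_unix) first, then SSSD (pam_sss).
#
# "sufficient" means: success ends the stack successfully, but a FAILURE is
# ignored and the stack continues. Because both authentication modules are
# sufficient, the stack must end with pam_deny -- otherwise a user rejected
# by pam_unix AND pam_sss falls through to a trailing pam_permit and the
# stack returns success.
auth            required        pam_env.so
# nullok: a local account with an empty password field can log in without a
# password. Drop it unless such accounts are intended on this host.
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
# use_first_pass: reuse the password pam_unix already asked for, no second prompt
auth            sufficient      pam_sss.so use_first_pass
# fail closed: only reached when neither pam_unix nor pam_sss accepted the user
auth            required        pam_deny.so

account         required        pam_unix.so
# pam_sss decides for domain users; a user it does not know is left to pam_unix
account         [default=bad success=ok user_unknown=ignore] pam_sss.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_sss.so use_authtok
# fail closed: a change refused by both backends must not be reported as success
password        required        pam_deny.so

# umask=0022 creates home directories readable by every local user; use
# umask=0077 if domain users' homes should be private.
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so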
# OpenRC: start the daemon now, then add it to the default runlevel so it starts at boot:
# /etc/init.d/sssd start
# rc-update add sssd default

LDAP (works without Samba)

File: /etc/sssd/sssd.conf
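[sssd]
config_file_version = 2
services = nss, pam
domains = YOURDOMAIN

[nss]
# local system accounts that are never looked up in the domain
filter_users = root,named,avahi,dbus,radiusd,news,nscd
# %d = domain name, %u = user name
override_homedir = /home/%d/%u
fallback_homedir = /home/%d/%u
default_shell = /bin/bash

[pam]

# Active Directory used as a plain LDAP server (no Samba, no Kerberos).
# This file contains a bind password: it must be owned by root with mode 0600
# (sssd refuses to start if the file is readable by others).
[domain/YOURDOMAIN]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap

# ldap:// is upgraded with START_TLS (see ldap_id_use_start_tls below);
# ldaps://yourdc.yourdomain.local:636/ is the alternative
ldap_uri = ldap://yourdc.yourdomain.local/
ldap_search_base = dc=yourdomain,dc=local
# AD accepts a full DN (cn=adbinduser,cn=Users,dc=yourdomain,dc=local) or a
# UPN (adbinduser@yourdomain.local) for the simple bind; a bare account name
# may be rejected
ldap_default_bind_dn = adbinduser
ldap_default_authtok = adbinduserpassword

ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName

# Transport security. User authentication is a simple bind carrying the
# user's password, and the bind password above travels the same way, so the
# channel must be encrypted AND the server certificate verified. With
# "never" any host answering for the DC name can harvest those passwords.
# Place the AD CA certificate in ldap_tls_cacertdir (hash-named, as OpenLDAP
# expects) or point ldap_tls_cacert at the PEM file instead.
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
# authentication always uses TLS; this also protects the id lookups and the
# bind password they use
ldap_id_use_start_tls = true

# defines user/group schema type
ldap_schema = ad

# for SID-UID mapping
ldap_id_mapping = true

# disable case sensitive user names
case_sensitive = false

# caching credentials
cache_credentials = true
enumerate = false

# access controls: only account expiry is checked, so every non-expired
# domain account may log in on this host. Add "filter" to the order and an
# ldap_access_filter to restrict it to a group, if required.
ldap_access_order = expire
ldap_account_expire_policy = ad

# referrals are not needed for a single AD domain and are slow to chase
ldap_disable_referrals = true

# domain-level copies of the [nss] defaults above; these take precedence
override_homedir = /home/%d/%u
fallback_homedir = /home/%d/%u
default_shell = /bin/bash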

AD (requires Samba)

First you need to set up Kerberos, then configure Samba and join it to your domain; the AD provider uses the host credentials obtained by that join.

File: /etc/sssd/sssd.conf
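[sssd]
config_file_version = 2
services = nss, pam

domains = YOURDOMAIN

[nss]
# %u = user name (this example does not nest homes under the domain name)
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash

[pam]

# Native AD provider: no bind password in this file, the machine credentials
# from the Samba domain join are used instead. Keep the file root-owned,
# mode 0600, as sssd requires.
[domain/YOURDOMAIN]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# pins one DC; leave it out to discover DCs through DNS SRV records
ad_server = yourdc.yourdomain.local
# needed because the [domain/...] name above differs from the AD domain name
ad_domain = YOURDOMAIN.LOCAL
# lowercase boolean, consistent with the LDAP example
case_sensitive = false

# domain-level copies of the [nss] defaults above; these take precedence
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash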

Testing

# getent passwd domainuser

must return a complete passwd entry (uid, gid, home directory and shell) before a domain user can log in; if the entry is missing or incomplete, check the domain configuration and the sssd logs first.

Add additional user groups to existing users

# usermod -a -G wheel,kvm <user>

Documentation

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ad2008-example.html