SSSD

From Omnia
Jump to navigation Jump to search

Install SSSD

sudo apt install sssd-ad sssd-tools realmd adcli

--- 

The following additional packages will be installed:
  ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss
  libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
Suggested packages:
  libsss-sudo libsasl2-modules-ldap
The following NEW packages will be installed:
  adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss
  libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools
The following packages will be upgraded:
  libldap-2.5-0 libpam-sss

Prestage Machine in AD

Someone with AD permission needs to give your userid permission to join the machine to AD.

Join AD

sudo realm join myad.example.com -U <userid_with_access>

Join with Additional verbosity, and specified computer-name 

sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access>

Leave AD

sudo realm leave myad.example.com

sudo realm join myad.example.com -U <userid_with_access>

Enable PAM mkhomedir

sudo pam-auth-update --enable mkhomedir

Configure /etc/sssd/sssd.conf

[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYAD.example.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ad_domain = myad.example.com
override_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
ignore_group_members = True

Enable Sudo

sudo vim /etc/sudoers
  • add individuals or groups from AD
  • add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL
  • add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL

Realm Details

sudo realm list

Example: 

$ sudo realm list
myad.example.com
  type: kerberos
  realm-name: MYAD.EXAMPLE.COM
  domain-name: myad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@myad.example.com
  login-policy: allow-realm-logins

Or if using "simple" provider, with a couple of permitted logins, tail end might show up like this: 

 login-formats: %U
 login-policy: allow-realm-logins
 permitted-logins: 123456, 456789
 permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com

Restart Service

sudo systemctl restart sssd

sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd

sudo systemctl status sssd

Check User

getent -s sss passwd [USERID]

getent -s sss passwd 12345@myad.example.com
12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash

id [USERID]

id 12345@myad.example.com
uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........

Clear Cache

sss_cache - sss_cache invalidates records in SSSD cache. Invalidated records are forced to be reloaded from server as soon as related SSSD backend is online. Options that invalidate a single object only accept a single provided argument.

Clear cache: 

# -E means everything
sss_cache -E

ref: https://docs.redhat.com/de/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache#sssd-cache

Cache Size

[nss]
# memcache_size_group = 6
memcache_size_group = 12
# memcache_size_initgroups = 10
memcache_size_initgroups = 20

Files and Folders

DB File: 

/var/lib/sss/db/cache_myad.example.com.ldb

Timestamp file: 

/var/lib/sss/db/timestamps_myad.example.com.ldb

Search/Dump the LDB DB: 

sudo apt install ldb-tools
sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb

Issues

Dynamic DNS update failed

Logs report: 

[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed

Cause:

  • You do not have AD permission to do Dynamic DNS updates

Solution:

  • Disable AD Dynamic DNS updates (or get permissions)

/etc/sssd/sssd.conf 

[domain/DOMAIN_SECTION]
# dyndns_update = True
dyndns_update = False

keywords

Retrieved from "https://aznot.com/index.php?title=SSSD&oldid=8191"