SSSD: Difference between revisions

From Omnia
Jump to navigation Jump to search
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Install SSSD ==
sudo apt install sssd-ad sssd-tools realmd adcli
---
<pre>
The following additional packages will be installed:
  ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss
  libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
Suggested packages:
  libsss-sudo libsasl2-modules-ldap
The following NEW packages will be installed:
  adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss
  libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools
The following packages will be upgraded:
  libldap-2.5-0 libpam-sss
</pre>
== Prestage Machine in AD ==
Someone with AD permission needs to give your userid permission to join the machine to AD.
== Join AD ==
sudo realm join myad.example.com -U <userid_with_access>
Join with Additional verbosity, and specified computer-name
sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access>
=== Leave AD ===
sudo realm leave myad.example.com
sudo realm join myad.example.com -U <userid_with_access>
== Enable PAM mkhomedir ==
sudo pam-auth-update --enable mkhomedir
== Configure /etc/sssd/sssd.conf ==
<pre>
[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam
[domain/myad.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYAD.example.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ad_domain = myad.example.com
override_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
ignore_group_members = True
</pre>
== Enable Sudo ==
sudo vim /etc/sudoers
* add individuals or groups from AD
* add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL
* add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL
== Realm Details ==
sudo realm list
Example:
<pre>
$ sudo realm list
myad.example.com
  type: kerberos
  realm-name: MYAD.EXAMPLE.COM
  domain-name: myad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@myad.example.com
  login-policy: allow-realm-logins
</pre>
Or if using "simple" provider, with a couple of permitted logins, tail end might show up like this:
  login-formats: %U
  login-policy: allow-realm-logins
  permitted-logins: 123456, 456789
  permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com
== Restart Service ==
== Restart Service ==


  systemctl restart sssd
  sudo systemctl restart sssd
 
sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd
 
sudo systemctl status sssd


systemctl stop sssd ; sleep 2 ; systemctl start ssd
== Check User ==


  systemctl status sssd
  getent -s sss passwd [USERID]
 
getent -s sss passwd 12345@myad.example.com
12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash
 
id [USERID]
 
id 12345@myad.example.com
uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........


== Clear Cache ==
== Clear Cache ==
Line 14: Line 132:
  # -E means everything
  # -E means everything
  sss_cache -E
  sss_cache -E
ref: https://docs.redhat.com/de/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache#sssd-cache
=== Cache Size ===
<pre>
[nss]
# memcache_size_group = 6
memcache_size_group = 12
# memcache_size_initgroups = 10
memcache_size_initgroups = 20
</pre>
== Files and Folders ==
DB File:
/var/lib/sss/db/cache_myad.example.com.ldb
Timestamp file:
/var/lib/sss/db/timestamps_myad.example.com.ldb
Search/Dump the LDB DB:
sudo apt install ldb-tools
sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb


== Issues ==
== Issues ==
=== Dynamic DNS update failed ===


Logs report:
Logs report:
  [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
  [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
Cause:
* You do not have AD permission to do Dynamic DNS updates


Solution:
Solution:
* disable AD Dynamic DNS updates
* Disable AD Dynamic DNS updates (or get permissions)


/etc/sssd/sssd.conf
/etc/sssd/sssd.conf
Line 27: Line 174:
  # dyndns_update = True
  # dyndns_update = True
  dyndns_update = False
  dyndns_update = False
== keywords ==

Latest revision as of 23:19, 1 December 2024

Install SSSD

sudo apt install sssd-ad sssd-tools realmd adcli

---

The following additional packages will be installed:
  ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss
  libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
Suggested packages:
  libsss-sudo libsasl2-modules-ldap
The following NEW packages will be installed:
  adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss
  libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools
The following packages will be upgraded:
  libldap-2.5-0 libpam-sss

Prestage Machine in AD

Someone with AD permission needs to give your userid permission to join the machine to AD.

Join AD

sudo realm join myad.example.com -U <userid_with_access>

Join with Additional verbosity, and specified computer-name

sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access>

Leave AD

sudo realm leave myad.example.com
sudo realm join myad.example.com -U <userid_with_access>

Enable PAM mkhomedir

sudo pam-auth-update --enable mkhomedir

Configure /etc/sssd/sssd.conf

[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYAD.example.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ad_domain = myad.example.com
override_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
ignore_group_members = True

Enable Sudo

sudo vim /etc/sudoers
  • add individuals or groups from AD
  • add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL
  • add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL

Realm Details

sudo realm list

Example:

$ sudo realm list
myad.example.com
  type: kerberos
  realm-name: MYAD.EXAMPLE.COM
  domain-name: myad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@myad.example.com
  login-policy: allow-realm-logins

Or if using "simple" provider, with a couple of permitted logins, tail end might show up like this:

 login-formats: %U
 login-policy: allow-realm-logins
 permitted-logins: 123456, 456789
 permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com

Restart Service

sudo systemctl restart sssd
sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd
sudo systemctl status sssd

Check User

getent -s sss passwd [USERID]
getent -s sss passwd 12345@myad.example.com
12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash
id [USERID]
id 12345@myad.example.com
uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........

Clear Cache

sss_cache - sss_cache invalidates records in SSSD cache. Invalidated records are forced to be reloaded from server as soon as related SSSD backend is online. Options that invalidate a single object only accept a single provided argument.

Clear cache:

# -E means everything
sss_cache -E

ref: https://docs.redhat.com/de/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache#sssd-cache

Cache Size

[nss]
# memcache_size_group = 6
memcache_size_group = 12
# memcache_size_initgroups = 10
memcache_size_initgroups = 20

Files and Folders

DB File:

/var/lib/sss/db/cache_myad.example.com.ldb

Timestamp file:

/var/lib/sss/db/timestamps_myad.example.com.ldb

Search/Dump the LDB DB:

sudo apt install ldb-tools
sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb

Issues

Dynamic DNS update failed

Logs report:

[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed

Cause:

  • You do not have AD permission to do Dynamic DNS updates

Solution:

  • Disable AD Dynamic DNS updates (or get permissions)

/etc/sssd/sssd.conf

[domain/DOMAIN_SECTION]
# dyndns_update = True
dyndns_update = False

keywords