SSSD: Difference between revisions
Jump to navigation
Jump to search
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Install SSSD == | |||
sudo apt install sssd-ad sssd-tools realmd adcli | |||
--- | |||
<pre> | |||
The following additional packages will be installed: | |||
ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss | |||
libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common | |||
sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy | |||
Suggested packages: | |||
libsss-sudo libsasl2-modules-ldap | |||
The following NEW packages will be installed: | |||
adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss | |||
libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common | |||
sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools | |||
The following packages will be upgraded: | |||
libldap-2.5-0 libpam-sss | |||
</pre> | |||
== Prestage Machine in AD == | |||
Someone with AD permission needs to give your userid permission to join the machine to AD. | |||
== Join AD == | |||
sudo realm join myad.example.com -U <userid_with_access> | |||
Join with Additional verbosity, and specified computer-name | |||
sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access> | |||
=== Leave AD === | |||
sudo realm leave myad.example.com | |||
sudo realm join myad.example.com -U <userid_with_access> | |||
== Enable PAM mkhomedir == | |||
sudo pam-auth-update --enable mkhomedir | |||
== Configure /etc/sssd/sssd.conf == | |||
<pre> | |||
[sssd] | |||
domains = myad.example.com | |||
config_file_version = 2 | |||
services = nss, pam | |||
[domain/myad.example.com] | |||
default_shell = /bin/bash | |||
krb5_store_password_if_offline = True | |||
cache_credentials = True | |||
krb5_realm = MYAD.example.com | |||
realmd_tags = manages-system joined-with-adcli | |||
id_provider = ad | |||
ad_domain = myad.example.com | |||
override_homedir = /home/%u | |||
use_fully_qualified_names = False | |||
ldap_id_mapping = True | |||
access_provider = ad | |||
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com) | |||
ad_gpo_ignore_unreadable = True | |||
ad_gpo_access_control = Permissive | |||
ignore_group_members = True | |||
</pre> | |||
== Enable Sudo == | |||
sudo vim /etc/sudoers | |||
* add individuals or groups from AD | |||
* add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL | |||
* add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL | |||
== Realm Details == | == Realm Details == | ||
Line 6: | Line 82: | ||
<pre> | <pre> | ||
$ sudo realm list | $ sudo realm list | ||
myad.example.com | |||
type: kerberos | type: kerberos | ||
realm-name: | realm-name: MYAD.EXAMPLE.COM | ||
domain-name: | domain-name: myad.example.com | ||
configured: kerberos-member | configured: kerberos-member | ||
server-software: active-directory | server-software: active-directory | ||
Line 19: | Line 95: | ||
required-package: adcli | required-package: adcli | ||
required-package: samba-common-bin | required-package: samba-common-bin | ||
login-formats: %U@ | login-formats: %U@myad.example.com | ||
login-policy: allow-realm-logins | login-policy: allow-realm-logins | ||
</pre> | </pre> | ||
Or if using "simple" provider, with a couple of permitted logins, tail end might show up like this: | |||
login-formats: %U | |||
login-policy: allow-realm-logins | |||
permitted-logins: 123456, 456789 | |||
permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com | |||
== Restart Service == | == Restart Service == | ||
Line 30: | Line 112: | ||
sudo systemctl status sssd | sudo systemctl status sssd | ||
== Check User == | |||
getent -s sss passwd [USERID] | |||
getent -s sss passwd 12345@myad.example.com | |||
12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash | |||
id [USERID] | |||
id 12345@myad.example.com | |||
uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........ | |||
== Clear Cache == | == Clear Cache == | ||
Line 38: | Line 132: | ||
# -E means everything | # -E means everything | ||
sss_cache -E | sss_cache -E | ||
ref: https://docs.redhat.com/de/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache#sssd-cache | |||
=== Cache Size === | |||
<pre> | |||
[nss] | |||
# memcache_size_group = 6 | |||
memcache_size_group = 12 | |||
# memcache_size_initgroups = 10 | |||
memcache_size_initgroups = 20 | |||
</pre> | |||
== Files and Folders == | |||
DB File: | |||
/var/lib/sss/db/cache_myad.example.com.ldb | |||
Timestamp file: | |||
/var/lib/sss/db/timestamps_myad.example.com.ldb | |||
Search/Dump the LDB DB: | |||
sudo apt install ldb-tools | |||
sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb | |||
== Issues == | == Issues == | ||
Line 56: | Line 174: | ||
# dyndns_update = True | # dyndns_update = True | ||
dyndns_update = False | dyndns_update = False | ||
== keywords == |
Latest revision as of 23:19, 1 December 2024
Install SSSD
sudo apt install sssd-ad sssd-tools realmd adcli
---
The following additional packages will be installed: ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy Suggested packages: libsss-sudo libsasl2-modules-ldap The following NEW packages will be installed: adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools The following packages will be upgraded: libldap-2.5-0 libpam-sss
Prestage Machine in AD
Someone with AD permission needs to give your userid permission to join the machine to AD.
Join AD
sudo realm join myad.example.com -U <userid_with_access>
Join with Additional verbosity, and specified computer-name
sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access>
Leave AD
sudo realm leave myad.example.com
sudo realm join myad.example.com -U <userid_with_access>
Enable PAM mkhomedir
sudo pam-auth-update --enable mkhomedir
Configure /etc/sssd/sssd.conf
[sssd] domains = myad.example.com config_file_version = 2 services = nss, pam [domain/myad.example.com] default_shell = /bin/bash krb5_store_password_if_offline = True cache_credentials = True krb5_realm = MYAD.example.com realmd_tags = manages-system joined-with-adcli id_provider = ad ad_domain = myad.example.com override_homedir = /home/%u use_fully_qualified_names = False ldap_id_mapping = True access_provider = ad ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com) ad_gpo_ignore_unreadable = True ad_gpo_access_control = Permissive ignore_group_members = True
Enable Sudo
sudo vim /etc/sudoers
- add individuals or groups from AD
- add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL
- add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL
Realm Details
sudo realm list
Example:
$ sudo realm list myad.example.com type: kerberos realm-name: MYAD.EXAMPLE.COM domain-name: myad.example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin login-formats: %U@myad.example.com login-policy: allow-realm-logins
Or if using "simple" provider, with a couple of permitted logins, tail end might show up like this:
login-formats: %U login-policy: allow-realm-logins permitted-logins: 123456, 456789 permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com
Restart Service
sudo systemctl restart sssd
sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd
sudo systemctl status sssd
Check User
getent -s sss passwd [USERID]
getent -s sss passwd 12345@myad.example.com 12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash
id [USERID]
id 12345@myad.example.com uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........
Clear Cache
sss_cache - sss_cache invalidates records in SSSD cache. Invalidated records are forced to be reloaded from server as soon as related SSSD backend is online. Options that invalidate a single object only accept a single provided argument.
Clear cache:
# -E means everything sss_cache -E
Cache Size
[nss] # memcache_size_group = 6 memcache_size_group = 12 # memcache_size_initgroups = 10 memcache_size_initgroups = 20
Files and Folders
DB File:
/var/lib/sss/db/cache_myad.example.com.ldb
Timestamp file:
/var/lib/sss/db/timestamps_myad.example.com.ldb
Search/Dump the LDB DB:
sudo apt install ldb-tools sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb
Issues
Dynamic DNS update failed
Logs report:
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
Cause:
- You do not have AD permission to do Dynamic DNS updates
Solution:
- Disable AD Dynamic DNS updates (or get permissions)
/etc/sssd/sssd.conf
[domain/DOMAIN_SECTION] # dyndns_update = True dyndns_update = False