SSSD
== Install SSSD ==
 sudo apt install sssd-ad sssd-tools realmd adcli
Example apt output (Ubuntu):
<pre>
The following additional packages will be installed:
  ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libldap-2.5-0 libnfsidmap1 libnss-sss
  libpam-sss libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss sssd sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
Suggested packages:
  libsss-sudo libsasl2-modules-ldap
The following NEW packages will be installed:
  adcli ldap-utils libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libnfsidmap1 libnss-sss
  libpath-utils1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 python3-sss realmd sssd sssd-ad sssd-ad-common sssd-common
  sssd-dbus sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools
The following packages will be upgraded:
  libldap-2.5-0 libpam-sss
</pre>
== Prestage Machine in AD ==
An AD administrator must either pre-create (prestage) the computer object and delegate it to your account, or grant your account permission to join the machine to the domain. The join below fails otherwise.
== Join AD ==
 sudo realm join myad.example.com -U <userid_with_access>
Join with additional verbosity and an explicit computer name (the AD computer object name, max 15 characters):
 sudo realm join myad.example.com -v --computer-name <system_name> -U <userid_with_access>
=== Leave AD ===
 sudo realm leave myad.example.com
To re-join afterwards:
 sudo realm join myad.example.com -U <userid_with_access>
== Enable PAM mkhomedir ==
 sudo pam-auth-update --enable mkhomedir
== Configure /etc/sssd/sssd.conf ==
The file must be root-owned with mode 0600 (sssd refuses to start otherwise). Example as written by realm join and then edited:
<pre>
[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYAD.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ad_domain = myad.example.com
override_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
ignore_group_members = True
</pre>
Notes:
* krb5_realm is case-sensitive and is the upper-case realm name (compare realm-name in the realm list output below).
* ad_access_filter is what limits logins to one AD group; memberOf only matches direct members, not nested groups.
* ad_gpo_access_control = Permissive evaluates and logs the GPO logon rights but never enforces them, and ad_gpo_ignore_unreadable = True skips GPOs the machine account cannot read instead of denying access. Set enforcing if the Windows "Allow log on locally" policy should also apply to this host, after confirming the policy grants the intended users.
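The following is an added example, not part of the wiki page: a small shell audit of an sssd.conf for the items that decide who may log in (file mode, realm case, access_provider, GPO mode). It parses the file with awk and writes two constructed sample configs, one with the weak values and one corrected; the group CN linux-admins and the file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the wiki page: audit an sssd.conf for the
# settings that decide who may log in. Section/domain names are assumptions
# taken from the config above; the sample configs below are constructed.

# sssd_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
sssd_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sssd_conf FILE DOMAIN: print one line per finding and return their
# count (0 = clean), so it can gate a deployment.
audit_sssd_conf() {
    local file=$1 dom=$2 sect="domain/$2" findings=0
    local perms realm ap gpo filt
    note() { printf '%s: %s\n' "$1" "$2"; findings=$((findings + 1)); }

    # 1. sssd refuses to start unless the file is 0600 and root-owned; it
    #    carries the access filter and may carry bind credentials.
    perms=$(ls -ld "$file" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) ;;
        *) note FAIL "$file is $perms, expected -rw------- (chmod 0600)" ;;
    esac

    # 2. Kerberos realm names are case-sensitive and upper-case by
    #    convention (realm list reports MYAD.EXAMPLE.COM).
    realm=$(sssd_get "$file" "$sect" krb5_realm)
    [ -n "$realm" ] || note FAIL "krb5_realm unset in [$sect]"
    [ "$realm" = "$(upper "$realm")" ] || note FAIL "krb5_realm '$realm' is not upper-case"

    # 3. Access control. With no access_provider sssd uses 'permit': every
    #    AD account that authenticates may log in.
    ap=$(lower "$(sssd_get "$file" "$sect" access_provider)")
    gpo=$(lower "$(sssd_get "$file" "$sect" ad_gpo_access_control)")
    filt=$(sssd_get "$file" "$sect" ad_access_filter)
    case "$ap" in
        "")     note FAIL "access_provider unset (defaults to permit)" ;;
        permit) note FAIL "access_provider = permit allows every AD user" ;;
        ad)
            # 'permissive' evaluates and logs GPO logon rights but never
            # enforces them, so ad_access_filter is then the only restriction.
            [ -n "$filt" ] || note WARN "no ad_access_filter: only GPO logon rights (if enforced) restrict logins"
            [ "$gpo" != permissive ] || note WARN "ad_gpo_access_control = permissive: GPO logon rights logged, not enforced"
            ;;
    esac
    return "$findings"
}

# sample_sssd_conf PATH MODE: write a constructed sssd.conf in the page's
# layout. MODE weak = mixed-case realm, Permissive GPO mode, 0644 perms;
# MODE fixed = the corrected values. 'enforcing' is only safe once the GPO
# logon rights actually cover this host, otherwise logins are denied.
sample_sssd_conf() {
    local path=$1 mode=$2 realm=MYAD.EXAMPLE.COM gpo=enforcing perm=0600
    if [ "$mode" = weak ]; then
        realm=MYAD.example.com gpo=Permissive perm=0644
    fi
    cat >"$path" <<EOF
[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
id_provider = ad
ad_domain = myad.example.com
krb5_realm = $realm
cache_credentials = True
use_fully_qualified_names = False
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=linux-admins,OU=groups,DC=myad,DC=example,DC=com)
ad_gpo_access_control = $gpo
EOF
    chmod "$perm" "$path"
}
```

Run it against the live file with `audit_sssd_conf /etc/sssd/sssd.conf myad.example.com; echo "findings: $?"`; the weak sample yields three findings (mode, realm case, permissive GPO mode) and the fixed one none.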
== Enable Sudo ==
 sudo visudo
Use visudo (or visudo -f /etc/sudoers.d/<file>) rather than editing /etc/sudoers directly: it syntax-checks the file before saving, and a broken sudoers locks everyone out of sudo.
* add individuals or groups from AD; use a name that sssd resolves (check with getent passwd / id first)
* backslash is an escape character in sudoers, so the DOMAIN\name form is written with a doubled backslash
* add line for individual like: MYAD\\<employee-#> ALL=(ALL:ALL) ALL
* add line for group like: %MYAD\\<myad.group> ALL=(ALL:ALL) ALL
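Added example, not part of the wiki page: shell helpers that spell AD principals the way sudoers needs them (escaped backslash, escaped spaces in group names) and install the result as a /etc/sudoers.d drop-in that is syntax-checked with visudo before it replaces anything. The domain MYAD, user 12345 and group "Linux Admins" are made-up sample names; the target directory is a parameter so the example can be tried outside /etc.

```bash
#!/usr/bin/env bash
# Added example, not part of the wiki page. MYAD, 12345 and "Linux Admins"
# are sample names.

# sudoers_principal KIND DOMAIN NAME: print the sudoers spelling of an AD
# user (KIND=user) or group (KIND=group). sudoers uses '\' as its escape
# character, so DOMAIN\name must be written DOMAIN\\name, and space, '=',
# ':', ',', '(', ')' and '!' inside a name are escaped as well.
sudoers_principal() {
    local kind=$1 dom=$2 name=$3 esc
    esc=$(printf '%s' "$name" | sed 's/[ \\=:,()!]/\\&/g')
    case "$kind" in
        user)  printf '%s\\\\%s\n' "$dom" "$esc" ;;
        group) printf '%%%s\\\\%s\n' "$dom" "$esc" ;;
        *)     return 1 ;;
    esac
}

# sudoers_rule KIND DOMAIN NAME: a full rule equivalent to the page's
# "MYAD\<employee-#> ALL=(ALL:ALL) ALL" line.
sudoers_rule() {
    local p
    p=$(sudoers_principal "$@") || return 1
    printf '%s ALL=(ALL:ALL) ALL\n' "$p"
}

# install_sudoers_dropin DIR NAME RULE...: write RULEs to DIR/NAME with the
# 0440 mode sudo requires under /etc/sudoers.d. The temp file name contains
# a '.', which sudo ignores, so a half-written file is never parsed; it is
# checked with visudo -cf (when visudo is installed) before the rename.
install_sudoers_dropin() {
    local dir=$1 name=$2 tmp
    shift 2
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$@" >"$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "visudo rejected $name; not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/$name"
}
```

Typical use on the joined host: `sudo sh -c 'install_sudoers_dropin /etc/sudoers.d ad-admins "$(sudoers_rule group MYAD "Linux Admins")"'` after sourcing the file; `sudoers_rule user MYAD 12345` prints `MYAD\\12345 ALL=(ALL:ALL) ALL`.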
== Realm Details ==
 sudo realm list
Example:
<pre>
$ sudo realm list
myad.example.com
  type: kerberos
  realm-name: MYAD.EXAMPLE.COM
  domain-name: myad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@myad.example.com
  login-policy: allow-realm-logins
</pre>
With the "simple" access provider and a couple of permitted logins (realm permit), the tail end looks like this instead:
 login-formats: %U
 login-policy: allow-realm-logins
 permitted-logins: 123456, 456789
 permitted-groups: somegroup@myad.example.com, othergroup@myad.example.com
== Restart Service ==
 sudo systemctl restart sssd
 sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd
 sudo systemctl status sssd
== Check User ==
Query the sss NSS source only, so a hit cannot come from /etc/passwd:
 getent -s sss passwd [USERID]
 getent -s sss passwd 12345@myad.example.com
 12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash
 id [USERID]
 id 12345@myad.example.com
 uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........
== Clear Cache ==
sss_cache invalidates records in the SSSD cache. Invalidated records are reloaded from the server as soon as the related SSSD backend is online. Options that invalidate a single object only accept a single argument. Run it as root.

Clear cache:
 # -E means everything
 sss_cache -E
ref: https://docs.redhat.com/de/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache#sssd-cache
=== Cache Size ===
Sizes are in megabytes; the commented lines show the defaults from sssd.conf(5):
<pre>
[nss]
# memcache_size_group = 6
memcache_size_group = 12
# memcache_size_initgroups = 10
memcache_size_initgroups = 20
</pre>
== Files and Folders ==
DB File:
 /var/lib/sss/db/cache_myad.example.com.ldb
Timestamp file:
 /var/lib/sss/db/timestamps_myad.example.com.ldb
With cache_credentials = True the cache DB also holds the hashed passwords used for offline logins, so /var/lib/sss/db must stay root-only.
Search/Dump the LDB DB:
 sudo apt install ldb-tools
 sudo ldbsearch -H /var/lib/sss/db/cache_myad.example.com.ldb
== Issues ==
=== Dynamic DNS update failed ===
Logs report:
 [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
Cause:
* The machine account is not allowed to update its own A/PTR record in AD DNS (sssd uses the host keytab for secure dynamic updates)
Solution:
* Disable AD Dynamic DNS updates (or have the computer object granted the right to update its record)
/etc/sssd/sssd.conf
 [domain/DOMAIN_SECTION]
 # dyndns_update = True
 dyndns_update = False
== PBIS ==
See [[BeyondTrust]] / [[PBIS]]
== keywords ==
[[Category:Linux AD]]
Latest revision as of 05:23, 26 March 2025