SSSD
Revision as of 19:18, 30 November 2024
Install SSSD
sudo apt install sssd-ad sssd-tools realmd adcli
Prestage Machine in AD
Someone with AD permission needs to give your userid permission to join the machine to AD.
Join AD
sudo realm join myad.example.com -U <userid_with_access>
Enable PAM mkhomedir
sudo pam-auth-update --enable mkhomedir
Configure /etc/sssd/sssd.conf
[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYAD.example.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ad_domain = myad.example.com
override_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_access_filter = DOM:myad.example.com:(memberOf=CN=<ad group name>,OU=user-managed,OU=security,OU=groups,OU=usersandgroups,OU=accounts,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
ignore_group_members = True
Enable Sudo
sudo vim /etc/sudoers
- add individuals or groups from AD
- add line for individual like: MYAD\<employee-#> ALL=(ALL:ALL) ALL
- add line for group like: %MYAD\<myad.group> ALL=(ALL:ALL) ALL
Realm Details
sudo realm list
Example:
$ sudo realm list
myad.example.com
  type: kerberos
  realm-name: MYAD.EXAMPLE.COM
  domain-name: myad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@myad.example.com
  login-policy: allow-realm-logins
Restart Service
sudo systemctl restart sssd
sudo systemctl stop sssd ; sleep 3 ; sudo systemctl start sssd
sudo systemctl status sssd
Check User
getent -s sss passwd [USERID]
getent -s sss passwd 12345@myad.example.com
12345:*:1455846733:1356800513:My User:/home/12345:/bin/bash
id [USERID]
id 12345@myad.example.com
uid=1395846733(12345@myad.example.com) gid=1395800513(domain users@myad.example.com) groups=1395800513(domain users@myad.example.com),........
Clear Cache
sss_cache - sss_cache invalidates records in the SSSD cache. Invalidated records are reloaded from the server as soon as the related SSSD backend is online. Options that invalidate a single object accept only a single argument.
Clear cache:
# -E means everything
sss_cache -E
Files and Folders
DB File:
/var/lib/sss/db/cache_myad.example.com.ldb
Timestamp file:
/var/lib/sss/db/timestamps_myad.example.com.ldb
Issues
Dynamic DNS update failed
Logs report:
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
Cause:
- You do not have AD permission to do Dynamic DNS updates
Solution:
- Disable AD Dynamic DNS updates (or get permissions)
/etc/sssd/sssd.conf
[domain/DOMAIN_SECTION]
# dyndns_update = True
dyndns_update = False
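As an added example (not part of the original wiki page), a small Python check that reads an sssd.conf shaped like the one in the Configure /etc/sssd/sssd.conf section and flags the settings a reviewer would want to confirm before a host goes into service: Permissive GPO mode, ignored unreadable GPOs, credential caching, a missing ad_access_filter, and an unset dyndns_update (the setting changed in the fix above). The sample config is constructed and the group name in it is hypothetical.

```python
import configparser

# Constructed sample modelled on the sssd.conf above; the group name is hypothetical.
SAMPLE_CONF = """
[sssd]
domains = myad.example.com
config_file_version = 2
services = nss, pam

[domain/myad.example.com]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
ad_access_filter = DOM:myad.example.com:(memberOf=CN=linux-logins,OU=groups,DC=myad,DC=example,DC=com)
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = Permissive
cache_credentials = True
"""


def review_sssd_conf(text):
    """Return (section, key, finding) tuples for each [domain/...] setting worth confirming."""
    # interpolation=None: SSSD templates such as /home/%u are not Python-style substitutions
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("ad_gpo_access_control", "").lower() == "permissive":
            findings.append((section, "ad_gpo_access_control",
                             "GPO logon rights are evaluated and logged but never enforced"))
        if dom.get("ad_gpo_ignore_unreadable", "").lower() == "true":
            findings.append((section, "ad_gpo_ignore_unreadable",
                             "GPOs SSSD cannot read are skipped instead of denying access"))
        if dom.get("access_provider") == "ad" and "ad_access_filter" not in dom:
            findings.append((section, "ad_access_filter",
                             "no group filter: access is limited only by account state and GPOs"))
        if dom.get("cache_credentials", "").lower() == "true":
            findings.append((section, "cache_credentials",
                             "hashed credentials are stored on disk for offline logins"))
        if dom.get("id_provider") == "ad" and "dyndns_update" not in dom:
            findings.append((section, "dyndns_update",
                             "unset: the ad provider defaults to True and will try DNS updates"))
    return findings


if __name__ == "__main__":
    for section, key, note in review_sssd_conf(SAMPLE_CONF):
        print(f"{section}: {key}: {note}")
```

Run it against the real file with `review_sssd_conf(open("/etc/sssd/sssd.conf").read())` as root, since the file is mode 0600.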