ruination,
Note the following instructions, especially concerning whether you are reading posix attributes from AD or generating them dynamically.
- Configure the hostname on the linux server to be used for the computer object in AD.
- Provision forward and reverse lookup DNS records in the DNS service used by the target Windows domain using the configured hostname.
- Verify DNS and time sync sources for the linux box are the same as used for the target Windows domain and are both working properly (extremely important!). Kerberos operations and the AD autodiscovery and DNS features of the AD provider will benefit greatly from both working correctly.
- Install the kerberos client, samba and SSSD packages:
krb5
krb5-32bit
krb5-client
samba
samba-32bit
samba-client
samba-client-32bit
Technically the kerberos and samba packages (samba is really only required for domain joining) are not required but assist in troubleshooting kerberos, AD connectivity and GSSAPI issues out of band from SSSD.
sssd
sssd-ad
python-sssd-config
sssd-tools (recommended)
- Configure the kerberos and samba clients manually and join the server to the domain. Although YaST can be used to perform all of these tasks, if the right options are not chosen YaST will also configure and implement the pam_krb5, pam_ldap and possibly the winbind module and their related PAM configurations, none of which is required when the SSSD AD provider is used.
/etc/krb5.conf:
[libdefaults]
default_realm = <WINDOWS_DOMAIN_FQDN>
clockskew = 300
[realms]
DVC.DARKVIXEN.COM = {
kdc = <Windows_KDC_server.something.com>
default_domain = <windows_domain_fqdn>
admin_server = <Windows_ADMIN/KDC_server.something.com>
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.dvc.darkvixen.com = DVC.DARKVIXEN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 10000
clockskew = 300
external = sshd
use_shmem = sshd
}
** “minimum_uid =” depends on the SSSD id mapping settings used (see more info below) and the settings used by Identity Management for Unix configuration for the AD instance. If this does not apply, omit the directive.
/etc/samba/smb.conf:
Modify the [GLOBAL] section as described.
[global]
workgroup = <COMPUTER_WORKGROUP>
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
kerberos method = secrets and keytab
realm = <WINDOWS_DOMAIN_FQDN>
security = ADS
client use spnego = yes
template homedir = /home/%D/%U
Initiate a kerberos connection using an account that can perform the domain joining operations and join the domain:
kinit <PRIVILEGED_ACCOUNT>
View that a kerberos ticket granting ticket was granted:
klist
Join the domain and create a keytab file:
net ads join -k
Verify the join and AD connectivity:
net ads testjoin
net ads info
- Invoke the YaST authentication client module
yast auth-client
Add a new SSSD domain using the FQDN of the target domain for the name and select ad as the identity and authentication provider. The resultant /etc/sssd/sssd.conf will be very basic but should work if you are using dynamic id mapping, meaning that the posix attributes are not being read from AD.
If the posix attributes are to be read from AD, implement an sssd.conf file similar to the one below, delete the cache files in the /var/lib/sss/db directory and restart the daemon.
If you start with an id mapping configuration, which is the default, you will have to delete the cache files before the new configuration that disables id mapping will work.
[sssd]
config_file_version = 2
services = nss, pam
domains = <WINDOWS_DOMAIN_FQDN>
[nss]
filter_users = root
filter_groups = root
[pam]
reconnection_retries = 3
[domain/<WINDOWS_DOMAIN_FQDN>]
cache_credentials = True
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
This is a basic config that should get you up and going. If home directories will be used it is recommended to implement them using a new path, like /home/<WINDOWS_DOMAIN_FQDN>, and include the following directive in the domain configuration stanza:
override_homedir = /home/%d/%u
After creating the /home/<WINDOWS_DOMAIN_FQDN> path this will redirect home directories to the new path.
Be sure to enable home directory creation on user login by issuing the following command as root:
pam-config --add --mkhomedir
Host level access control using group membership can be accomplished by adding the following directives to the domain configuration stanza:
access_provider = ad
ad_access_filter = DOM:<WINDOWS_DOMAIN_FQDN>:(memberOf=<GROUP_LDAP_FDN>)
To ensure the kerberos, ldap and winbind PAM modules are not being loaded disable them with the following commands:
pam-config --delete --ldap
pam-config --delete --krb5
pam-config --delete --winbind
Hope this helps and let me know if I can assist further,
– lawrence
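As an added illustration of the sssd.conf pitfalls lawrence describes (a domain listed in [sssd] with no matching stanza, access_provider = ad without a group filter, and the stale cache when ldap_id_mapping is switched off), here is a small validator that is not part of the original post; the two config fragments and the example.test domain are constructed for the example.

```python
import configparser

# Constructed sssd.conf fragments (assumed, not from the original post): the
# YaST-style default that maps ids dynamically, and a rewrite that reads POSIX
# attributes from AD and enables the AD access provider without a filter.
OLD_CONF = """
[sssd]
config_file_version = 2
domains = example.test
[domain/example.test]
id_provider = ad
auth_provider = ad
"""

NEW_CONF = """
[sssd]
config_file_version = 2
domains = example.test
[domain/example.test]
cache_credentials = True
id_provider = ad
auth_provider = ad
ldap_id_mapping = False
access_provider = ad
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def id_mapping_enabled(domain):
    # The ad provider maps ids dynamically unless ldap_id_mapping is set to False.
    return domain.get("ldap_id_mapping", "True").strip().lower() == "true"

def check_sssd(new_text, old_text=None):
    """Return findings for a proposed sssd.conf, optionally against the config it replaces."""
    cp, findings = load(new_text), []
    old = load(old_text) if old_text else None
    for name in [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            findings.append(f"{name}: listed in [sssd] domains but no [{sec}] stanza")
            continue
        d = cp[sec]
        # access_provider = ad alone does not restrict logins to an AD group.
        if d.get("access_provider") == "ad" and "ad_access_filter" not in d:
            findings.append(f"{name}: access_provider=ad without ad_access_filter")
        # Turning id mapping off leaves stale mapped ids in the /var/lib/sss/db cache.
        if old and old.has_section(sec) and id_mapping_enabled(old[sec]) and not id_mapping_enabled(d):
            findings.append(f"{name}: ldap_id_mapping turned off; purge /var/lib/sss/db and restart sssd")
    return findings
```

Run check_sssd on the new file alone before a fresh setup, or pass the previous file as old_text when replacing the YaST-generated config.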