For anyone trying to get SSSD/PAM going in SUMA 5
Just spent last week trying to get SSSD and PAM integration working in SUMA 5.0.1 and the Micro OS.
For SSSD/PAM integration with SUSE Manager, take the following steps:
Make sure these lines are present in your sssd.conf (the keytab must be on persistent storage):
krb5_keytab = /etc/rhn/krb5.keytab
ad_gpo_map_permit = +susemanager
In krb5.conf, change default_ccache_name from KEYRING to FILE (the KEYRING ccache type does not work inside the container) and add the location of the keytab:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_keytab_name = FILE:/etc/rhn/krb5.keytab
Move the krb5.conf to /etc/rhn/krb5.conf and create a symlink for /etc/krb5.conf:
ln -s /etc/rhn/krb5.conf /etc/krb5.conf
(keep in mind that this symlink is not persistent; this should be fixed in an upcoming release)
Join the AD domain with:
adcli join -R [domain] -U [join user] -K /etc/rhn/krb5.keytab
Restart SUMA:
spacewalk-service restart
Create an AD user in SUMA, and you should be able to log on with that user.
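As an added example (not part of the original post), here is a small POSIX shell script that checks the krb5.conf, sssd.conf and keytab settings described above before you restart SUMA. It writes its own constructed sample files so it can be tried offline; the paths it expects are the ones from this post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the settings the post
# requires before restarting SUMA. File paths and sample contents are constructed
# for the demo; point the check_* functions at your real files when using it.

# True if FILE ($1) has "KEY = VALUE..." ($2, $3); whitespace around "=" is tolerated.
has_setting() { grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3" "$1"; }

# krb5.conf: the ccache must be FILE: (KEYRING: does not work in the container)
# and the keytab must live on persistent storage under /etc/rhn.
check_krb5_conf() {
    n=0
    if has_setting "$1" default_ccache_name 'KEYRING:'; then
        echo "FAIL: $1: default_ccache_name is KEYRING, change it to FILE:"; n=$((n+1))
    elif ! has_setting "$1" default_ccache_name 'FILE:'; then
        echo "FAIL: $1: no FILE: default_ccache_name"; n=$((n+1))
    fi
    has_setting "$1" default_keytab_name 'FILE:/etc/rhn/krb5.keytab' ||
        { echo "FAIL: $1: default_keytab_name must be FILE:/etc/rhn/krb5.keytab"; n=$((n+1)); }
    return $n
}

# sssd.conf: keytab path plus the GPO mapping that always permits the
# susemanager PAM service, so AD logon-rights GPOs cannot block the web login.
check_sssd_conf() {
    n=0
    has_setting "$1" krb5_keytab '/etc/rhn/krb5.keytab' ||
        { echo "FAIL: $1: krb5_keytab must be /etc/rhn/krb5.keytab"; n=$((n+1)); }
    has_setting "$1" ad_gpo_map_permit '\+susemanager' ||
        { echo "FAIL: $1: ad_gpo_map_permit must include +susemanager"; n=$((n+1)); }
    return $n
}

# The keytab is the host's AD credential: it must exist and be unreadable by "other".
check_keytab() {
    [ -f "$1" ] || { echo "FAIL: keytab $1 missing"; return 1; }
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ] || { echo "FAIL: $1 is readable by others"; return 1; }
}

# Constructed sample files so the checks can be exercised offline; prints the directory.
write_samples() {
    d=$(mktemp -d)
    printf '[libdefaults]\n default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$d/krb5.bad"
    printf '[libdefaults]\n default_ccache_name = FILE:/tmp/krb5cc_%%{uid}\n default_keytab_name = FILE:/etc/rhn/krb5.keytab\n' > "$d/krb5.good"
    printf '[domain/example.test]\n krb5_keytab = /etc/rhn/krb5.keytab\n ad_gpo_map_permit = +susemanager\n' > "$d/sssd.good"
    : > "$d/keytab"; chmod 600 "$d/keytab"
    echo "$d"
}
```

Run the three check_* functions against /etc/rhn/krb5.conf, /etc/sssd/sssd.conf and /etc/rhn/krb5.keytab on the host; a non-zero return from any of them means a setting from the steps above is still missing.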
Regarding SLE Micro 5.5:
Install the required packages:
transactional-update pkg install adcli sssd sssd-ad samba-client-libs sssd-krb5-common
and reboot the server.
Create sssd.conf and krb5.conf and start SSSD
(best examples are at https://www.suse.com/support/kb/doc/?id=000018831)
Because the SELinux policies aren't available, we have to apply some SELinux fixes:
setsebool -P kerberos_enabled 1
ausearch -c 'ldap_child' --raw | audit2allow -M my-ldapchild
ausearch -c 'sssd' --raw | audit2allow -M my-sssd
semodule -X 300 -i my-ldapchild.pp
semodule -X 300 -i my-sssd.pp
Just to be sure, stop the sssd service and clean up the database and logs:
systemctl stop sssd; rm -f /var/lib/sss/db/*; rm -f /var/log/sssd/*
Now enable and start sssd and you should be good to go:
systemctl enable --now sssd.service