SUSE Manager 5.0.1 SSSD/PAM

For anyone trying to get SSSD/PAM going in SUMA 5

Just spent last week trying to get SSSD and pam integration working in Suma 5.0.1 and the Micro OS.

For sssd/pam the integration with Suse Manager take the following steps:
Make sure these lines are added to your sssd.conf (your keytab should be on persistent storage):

krb5_keytab = /etc/rhn/krb5.keytab
ad_gpo_map_permit = +susemanager

In krb5.conf change the default_ccache_name from KEYRING to FILE because that doesn’t work in the container, and add the location of the keytab:

default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_keytab_name = FILE:/etc/rhn/krb5.keytab

Move the krb5.conf to /etc/rhn/krb5.conf and create a softlink for the /etc/krb5.conf
ln -s /etc/rhn/lrb5.conf /etc/krb.conf
(keep in mind that this is not persistant, should be fixed in upcoming release)

Join the AD with:

adcli join -R [domain] -U [join user] -K /etc/rhn/krb5.keytab

Restart suma:

spacewalk-service restart

Create an AD user in Suma, and you should be able to logon with that

Regarding SLE Micro 5.5:
Install the required packages:

transactional-update pkg install adcli sssd  sssd-ad samba-client-libs sssd-krb5-common

and reboot the server

Create the sssd.conf and krb5.conf and start SSSD
(best examples are at https://www.suse.com/support/kb/doc/?id=000018831)

Because the selinux policies aren’t available we have to do some SELinux fixes:

setsebool -P kerberos_enabled 1
ausearch -c 'ldap_child' --raw | audit2allow -M my-ldapchild
ausearch -c 'sssd' --raw | audit2allow -M my-sssd
semodule -X 300 -i my-ldapchild.pp
semodule -X 300 -i my-sssd.pp

Just to be sure stop de sssd service and cleanup the database and log:

systemctl stop sssd;rm -f /var/lib/sss/db/*; rm -f /var/log/sssd/*

Now enable and start sssd and you should be good to go
systemctl enable --now sssd.service

Thanks for your insights.
I’m currently struggling configuring sssd on SLESMicro using Kerberos authentication without joining a domain, by using

auth_provider = krb5

But sssd starts with error

[dp_module_open_lib] (0x0010): Unable to load module [krb5] with path [/usr/lib64/sssd/libsss_krb5.so]: /usr/lib64/sssd/libsss_krb5.so: cannot open shared object file: No such file or directory

But i can’t find a package with this library (only libsss_krb5_common.so)
Installed components currently:

sssd-common-2.5.2-150500.10.22.2.x86_64
sssd-ad-2.5.2-150500.10.22.2.x86_64
sssd-ldap-2.5.2-150500.10.22.2.x86_64
sssd-2.5.2-150500.10.22.2.x86_64
sssd-krb5-common-2.5.2-150500.10.22.2.x86_64

Would this be possible?