
RHEL 7 Active Directory LDAP with SSSD

Configure DNS to use the Active Directory domain controller's IP address.

nmcli con mod eth0 ipv4.dns-search dominio.local
hostnamectl set-hostname ldap.dominio.local
yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation sssd-ad
realm join dominio.local
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir

RHEL 6

NTP and DNS must already be configured.

Configure /etc/hosts correctly, for example:

192.168.75.166 servidor servidor.2008r2.example.com

Install packages:

yum install ntp sssd samba-common krb5-workstation

Edit /etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = 2008R2.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 2008R2.EXAMPLE.COM = {
 }

[domain_realm]
 .2008r2.example.com = 2008R2.EXAMPLE.COM
 2008r2.example.com = 2008R2.EXAMPLE.COM

Edit /etc/samba/smb.conf:

[global]
   workgroup = 2008R2
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = 2008R2.EXAMPLE.COM
   security = ads

Obtain a Kerberos ticket and join the domain:

kinit Administrator
net ads join -k
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

Create /etc/sssd/sssd.conf:

echo >/etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

With this content:

[domain/2008r2.example.com]
id_provider = ad
access_provider = ad
default_shell=/bin/bash
fallback_homedir=/home/%u
debug_level = 0

[sssd]
services = nss, pam
config_file_version = 2
domains = 2008r2.example.com

[nss]

[pam]

Restart sssd:

service sssd restart

AD user access filter

Edit /etc/sssd/sssd.conf and set the following in the domain section:

access_provider = simple
simple_allow_users = user1,user2

Restart sssd:

systemctl restart sssd

AD groups access filter

Edit /etc/sssd/sssd.conf and set the following in the domain section:

access_provider = simple
simple_allow_groups = [email protected],[email protected]

Restart sssd:

systemctl restart sssd
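The two simple-provider variants above share one pitfall: with access_provider = simple and no simple_allow_users/simple_allow_groups rule, or with no access_provider at all (sssd then defaults to permit), every AD user is allowed to log in. The following shell check is an added example, not part of the original page; it lints a given sssd.conf for file mode and access policy before you restart sssd (the temporary file and its contents are constructed for illustration).

```shell
#!/bin/sh
# Added example (not from the original page): lint sssd.conf before restarting sssd.

# check_sssd_conf FILE
# Prints findings; returns 0 when the access policy is explicit
# (simple provider with at least one allow rule, or ad/ldap provider)
# and the file mode is 600, returns 1 otherwise.
check_sssd_conf() {
    conf="$1"
    rc=0
    # sssd refuses to start unless sssd.conf is 0600 and owned by root
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "WARN: $conf mode is $mode, expected 600"
        rc=1
    fi
    # extract the last access_provider value, ignoring spacing around '='
    provider=$(sed -n -e '/^[[:space:]]*access_provider[[:space:]]*=/{ s/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; p; }' "$conf" | tail -n 1)
    case "$provider" in
        "")
            echo "WARN: no access_provider set; sssd defaults to 'permit' (every AD user may log in)"
            rc=1 ;;
        permit)
            echo "WARN: access_provider = permit lets every AD user log in"
            rc=1 ;;
        simple)
            # the simple provider with neither allow nor deny rules permits everyone
            if ! grep -Eq '^[[:space:]]*simple_allow_(users|groups)[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
                echo "WARN: access_provider = simple without simple_allow_users/simple_allow_groups allows everyone"
                rc=1
            fi ;;
        ad|ldap)
            echo "OK: access_provider = $provider (AD account and logon restrictions are enforced by the provider)" ;;
        *)
            echo "INFO: access_provider = $provider (not checked)" ;;
    esac
    return $rc
}

# Constructed sample: the page's domain section before an allow list is added.
demo=$(mktemp)
printf '[domain/2008r2.example.com]\nid_provider = ad\naccess_provider = simple\n' > "$demo"
chmod 600 "$demo"
check_sssd_conf "$demo" || echo "fix the policy before: systemctl restart sssd"
rm -f "$demo"
```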

Configure AD groups with sudo

Use visudo to add this line:

%[email protected]     ALL=(ALL)       ALL

Configure home dir

Change the fallback_homedir line to:

fallback_homedir=/home/%u@%d

References

sssd_ldap.txt · Last modified: 2019/04/04 14:20
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain