In this post we will see the high-level steps required to enable Active Directory (AD) authentication on a Linux server with the help of the sssd component.
Once sssd is configured successfully we will be able to list an AD id together with its groups on the server just by using the normal Linux command id idname. The sssd component queries the user-related details from AD, and it can also authenticate the id with its AD password.
Here are the high-level steps.
Install all the required dependent components for sssd using yum:
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
Enable sssd for identity lookup and authentication, and make the service start on boot:
authconfig --enablesssd --enablesssdauth --update
chkconfig sssd on
Before doing the rest of the configuration, take a backup of the configuration files that will be modified by the sssd setup:
cp -rp /etc/resolv.conf /etc/resolv.conf_bkp
cp -rp /etc/passwd /etc/passwd_bkp
cp -rp /etc/shadow /etc/shadow_bkp
cp -rp /etc/group /etc/group_bkp
cp -rp /etc/nsswitch.conf /etc/nsswitch.conf_bkp
cp -rp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_bkp
On the AD side the HOSTNAME computer object should already be created, and the id adjoin that we use to join the server to AD should have the necessary permissions granted in AD.
realm join --user=adjoin ORG.COM
The server is registered successfully once the above command runs without error.
If we want to use SSL for the sssd component then we need the AD root and intermediate certificates. If we don't have them, use the openssl command below, which displays the certs presented by the server. Then copy the certs displayed (from Begin Certificate to End Certificate) and form a PEM file that we can refer to in the sssd.conf file.
[root@HOSTNAME certs]# openssl s_client -connect ORG.COM:636 -showcerts </dev/null
CONNECTED(00000003)
++++++ here it will display all the server certs ++++++
DONE
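As an added example that is not part of the original post, the shell functions below automate the copy step: they pull every Begin/End Certificate block out of the s_client output into one PEM bundle and list each subject and issuer so the root can be compared with what the AD team published before sssd is told to trust it. The function names and the sample s_client text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA bundle that
# ldap_tls_cacert points at from `openssl s_client -showcerts` output
# instead of copying the certificate blocks by hand.
# Function names and the sample text below are constructed for illustration.

# Print only the PEM certificate blocks from s_client output on stdin.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
         inblock { print }
         /-----END CERTIFICATE-----/   { inblock = 0 }'
}

# Number of certificates in a PEM bundle given on stdin.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed stand-in for real s_client output: connection banner, two
# placeholder certificate blocks (not real certificates) and trailing noise.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = ORG-Issuing-CA
---
Certificate chain
 0 s:CN = dc01.org.com
   i:CN = ORG-Issuing-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = ORG-Issuing-CA
   i:CN = ORG-Root-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTBODY
-----END CERTIFICATE-----
---
DONE'

# Live use (needs network, so not exercised offline):
#   fetch_ad_chain ORG.COM 636 /etc/openldap/certs/orc.cert.pem
# Writes the presented chain to the bundle file, then prints each
# subject/issuer so the root can be checked against the published one.
fetch_ad_chain() {
    host=$1; port=${2:-636}; out=$3
    openssl s_client -connect "${host}:${port}" -showcerts </dev/null 2>/dev/null \
        | extract_pem_chain > "$out" || return 1
    n=$(pem_cert_count < "$out")
    [ "$n" -gt 0 ] || { echo "no certificates found on ${host}:${port}" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$out" | openssl pkcs7 -print_certs -noout
}
```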
Modify the sssd.conf file manually. The final content looks like below:
[root@HOSTNAME sssd]# cat sssd.conf
[sssd]
domains = ORG.COM
config_file_version = 2
services = nss, pam

[domain/ORG.COM]
ad_domain = org.com
ad_server = org.com
krb5_realm = ORG.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
#ldap_id_use_start_tls = true
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/openldap/certs/orc.cert.pem
ldap_uri = ldaps://org.com
ldap_search_base = dc=org,dc=com
chpass_provider = ad
case_sensitive = False
enumerate = False
enum_cache_timeout = 120
account_cache_expiration = 15
subdomains_provider = none
ad_enable_gc = false
ldap_schema = ad
ldap_user_principal = nosuchattr
ldap_force_upper_case_realm = True
ldap_purge_cache_timeout = 0
ldap_access_order = filter,expire
ldap_account_expire_policy = ad
ldap_use_tokengroups = False
[root@HOSTNAME sssd]#
The /etc/openldap/certs/orc.cert.pem file holds the AD root and intermediate certs used for the SSL handshake. Note that in the sssd.conf above the ldap_tls_cacert line that points at this file is commented out; uncomment it (together with ldap_tls_reqcert = demand) if sssd is to validate the AD server certificate against this bundle.
Now restart the sssd component:
systemctl restart sssd
Verify the sssd status:
systemctl status sssd
Finally check id someadid. It should display the id details along with the group details from Active Directory.