In this post we will see the high-level steps required to enable AD authentication on a Linux server with the help of the sssd component.
Once sssd is configured successfully, we will be able to list an AD id with its groups on the server just by using the normal Linux command id idname. The sssd component will query the user-related details, and it can also authenticate the id with its password.
Here are the high-level steps.
Install all the required dependent components for sssd using yum:
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
authconfig --enablesssd --enablesssdauth --update
chkconfig sssd on
Before proceeding with the rest of the configuration, back up the config files that will be modified by the sssd configuration:
cp -rp /etc/resolv.conf /etc/resolv.conf_bkp
cp -rp /etc/passwd /etc/passwd_bkp
cp -rp /etc/shadow /etc/shadow_bkp
cp -rp /etc/group /etc/group_bkp
cp -rp /etc/nsswitch.conf /etc/nsswitch.conf_bkp
cp -rp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_bkp
On the AD side the HOSTNAME should already be created, and the adjoin id that we use to join the server to AD should have the necessary permissions granted in AD:
realm join --user=adjoin ORG.COM
Once the above command runs without error, the server is registered successfully.
If we want to use SSL for the sssd component then we need the AD root and intermediate certificates. If we don't have them, use the openssl command below, which will display the certs. Then we can copy the certs displayed [ Begin Certificate to End Certificate ] and form a PEM file that we can refer to in the sssd.conf file:
[root@HOSTNAME certs]# openssl s_client -connect ORG.COM:636 -showcerts </dev/null
CONNECTED(00000003)
++++++here it will display all the server cert ++++++
DONE
Modify the sssd.conf file manually. The final content looks like below:
[root@HOSTNAME sssd]# cat sssd.conf
[sssd]
domains = ORG.COM
config_file_version = 2
services = nss, pam
[domain/ORG.COM]
ad_domain = org.com
ad_server=org.com
krb5_realm = ORG.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
#ldap_id_use_start_tls = true
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/openldap/certs/orc.cert.pem
ldap_uri = ldaps://org.com
ldap_search_base = dc=org,dc=com
chpass_provider = ad
case_sensitive = False
enumerate = False
enum_cache_timeout = 120
account_cache_expiration = 15
subdomains_provider = none
ad_enable_gc = false
ldap_schema = ad
ldap_user_principal = nosuchattr
ldap_force_upper_case_realm = True
ldap_purge_cache_timeout = 0
ldap_access_order = filter,expire
ldap_account_expire_policy = ad
ldap_use_tokengroups = False
[root@HOSTNAME sssd]#
The /etc/openldap/certs/orc.cert.pem file will hold the AD root and intermediate certs for the SSL authentication or handshake.
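Building that PEM file by hand from the openssl output is error-prone, so here is an added shell example (not part of the original post) that copies every BEGIN/END CERTIFICATE block from the saved openssl s_client -showcerts output into a bundle. The sample output, the placeholder certificate bodies and the /tmp paths are constructed for the demo; the real command and the ldap_tls_cacert path are the ones from the post.

```shell
# Added example, not from the original post: turn the output of
# "openssl s_client -showcerts" into the PEM bundle referenced by
# ldap_tls_cacert. Paths and the sample output below are constructed.

# extract_certs INPUT OUTPUT [SKIP]
# Copy every BEGIN/END CERTIFICATE block from INPUT into OUTPUT, skipping the
# first SKIP blocks. With SKIP=1 the server's own leaf certificate is dropped,
# so only the issuing chain (intermediate/root) lands in the CA file.
extract_certs() {
    awk -v skip="${3:-0}" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; idx++ }
        inblock && idx > skip       { print }
        /-----END CERTIFICATE-----/   { inblock = 0 }
    ' "$1" > "$2"
}

# count_certs FILE: number of certificates in a PEM bundle (sanity check).
count_certs() {
    grep -c -- '-----END CERTIFICATE-----' "$1"
}

# make_sample_output FILE: constructed stand-in for the openssl output; the
# certificate bodies are placeholders, not real ORG.COM certificates.
make_sample_output() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
 0 s:/CN=dc01.org.com
   i:/CN=ORG-Intermediate-CA
-----BEGIN CERTIFICATE-----
MIIBsampleServerCertPlaceholder000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:/CN=ORG-Intermediate-CA
   i:/CN=ORG-Root-CA
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediateCertPlaceholder0000000000000000000000
-----END CERTIFICATE-----
---
DONE
EOF
}

# Real use: openssl s_client -connect ORG.COM:636 -showcerts </dev/null > /tmp/showcerts.txt
#           extract_certs /tmp/showcerts.txt /etc/openldap/certs/orc.cert.pem 1
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_output "$tmp/showcerts.txt"
    extract_certs "$tmp/showcerts.txt" "$tmp/chain.pem" 1
    echo "certificates written to $tmp/chain.pem: $(count_certs "$tmp/chain.pem")"
fi
```

After writing the real bundle, openssl verify against it is a quick way to confirm the chain you extracted is the one the domain controller actually presents.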
Now restart the sssd component using systemctl restart sssd
Verify the sssd status with systemctl status sssd
Finally, check id someadid. It should display the id details along with the group details from Active Directory.