The post outlines steps to integrate CentOS/RHEL 6 (client) servers into an AD domain with LDAP/Kerberos/SSSD.
1. Install the required packages:
# yum install sssd samba-common krb5-workstation
2. Configure /etc/krb5.conf to resemble the following:
# vi /etc/krb5.conf
[logging]
 kdc = SYSLOG:DEBUG
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 # allow_weak_crypto permits deprecated weak encryption types such as single DES;
 # leave it at its default of false unless the domain controllers still require them
 allow_weak_crypto = true

[realms]
 EXAMPLE.COM = {
  kdc = adserver.example.com
  admin_server = adserver.example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
3. Configure /etc/samba/smb.conf to resemble the following:
# vi /etc/samba/smb.conf
[global]
 workgroup = ADGRP
 realm = EXAMPLE.COM
 security = ads
 kerberos method = secrets and keytab
 log file = /var/log/samba/log.%m
 max log size = 50
 client signing = yes
 client use spnego = yes
 idmap config * : backend = tdb
 password server = adserver.example.com
4. Open a Kerberos ticket as an AD Administrator:
# kinit your-admin-user
5. Join the machine to Active Directory and generate a keytab:
# net ads join createupn=host/adserver.example.com@EXAMPLE.COM -k
# net ads keytab create -k
6. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
7. Create /etc/sssd/sssd.conf and set the correct permissions:
# echo > /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
8. Configure /etc/sssd/sssd.conf to resemble the following:
# vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
domains = example.com
services = nss, pam

[domain/example.com]
# provider and server settings belong in the domain section, not in [sssd]
id_provider = ad
ad_server = adserver.example.com
debug_level = 9
access_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
cache_credentials = true
use_fully_qualified_domain_name = true
ad_enable_gc = false
9. Restart the SSSD service for the changes to take effect.
# service sssd restart
Notes
SSSD's ID mapping uses the same algorithm as Winbind's autorid: it generates locally cached UIDs and GIDs from an LDAP object's SID attribute, so every machine using SSSD with ID mapping agrees on the same UID and GID values.
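To make the consistency claim concrete, here is an added illustration (not SSSD's own code) of the autorid-style scheme: the domain SID is hashed to choose a slice of the ID space and the object's RID is added to that slice's base. The range values are SSSD's documented defaults (ldap_idmap_range_min, ldap_idmap_range_max, ldap_idmap_range_size); the hash seed and byte handling are assumptions, so a live SSSD cache will not necessarily produce identical numbers.

```python
# Illustration of autorid-style SID -> UID/GID mapping (not SSSD's code).
# RANGE_* are SSSD's default idmap values; HASH_SEED is an assumption.
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000
HASH_SEED = 0xDEADBEEF  # assumed seed for this demonstration

def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86 32-bit, the hash family SSSD's idmap library uses."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):  # mix each full 4-byte little-endian block
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        h ^= (k * c2) & mask
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail, k = data[4 * nblocks:], 0
    for i in range(len(tail) - 1, -1, -1):  # fold up to 3 trailing bytes
        k ^= tail[i] << (8 * i)
    if tail:
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        h ^= (k * c2) & mask
    h ^= len(data)  # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    return h ^ (h >> 16)

def slice_for_domain(domain_sid: str) -> int:
    """Deterministically pick a slice for a domain; identical on every client."""
    max_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    return murmurhash3_32(domain_sid.encode("ascii"), HASH_SEED) % max_slices

def sid_to_id(object_sid: str) -> int:
    """Map an object SID (domain SID plus RID) to a locally generated UID/GID."""
    domain_sid, rid_text = object_sid.rsplit("-", 1)
    rid = int(rid_text)
    if rid >= RANGE_SIZE:
        # SSSD would allocate a secondary slice here; out of scope for this demo
        raise ValueError(f"RID {rid} does not fit in a single slice")
    return RANGE_MIN + slice_for_domain(domain_sid) * RANGE_SIZE + rid

# Constructed sample SIDs: two users from one domain, one from another.
SAMPLE_SIDS = ("S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-1106",
               "S-1-5-21-4444-5555-6666-1105")
```

Running `sid_to_id` over `SAMPLE_SIDS` on any number of clients yields the same IDs, which is the property that makes file ownership on shared storage agree across SSSD hosts.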
If your Active Directory environment carries POSIX attributes rather than only usernames and SIDs, you can add the following setting to the [domain] section of
ldap_id_mapping = false
You can also override the shell and home directory attributes by changing fallback_homedir and default_shell to override_homedir and override_shell. The 'fallback' and 'default' options are used only when AD does not return this information, whereas the 'override' options replace whatever AD returns, regardless.
Also note that any time you make significant changes like these to SSSD, or are unsure whether the local SSSD cache should be regenerated, run the following afterwards:
# service sssd stop
# rm -rf /var/log/sssd/*
# rm -rf /var/lib/sss/db/*
# service sssd start