The post outlines steps to integrate CentOS/RHEL 6 (client) servers into an AD domain with LDAP/Kerberos/SSSD.
1. Install the required packages:
# yum install sssd samba-common krb5-workstation
2. Configure /etc/krb5.conf to resemble the following::
# vi /etc/krb5.conf
[logging]
kdc = SYSLOG:DEBUG
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
admin_server = adserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
3. Configure /etc/samba/smb.conf to resemble the following:
# vi /etc/samba/smb.conf [global] workgroup = ADGRP realm = EXAMPLE.COM security = ads kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 50 client signing = yes client use spnego = yes idmap config * : backend = tdb password server = adserver.example.com
4. Open a Kerberos ticket as an AD Administrator:
# kinit your-admin-user
5. Join the OL machine to Active Directory and generate a Keytab:
# net ads join createupn=host/adserver.example.com@EXAMPLE.COM -k # net ads keytab create -k
6. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
7. Create /etc/sssd/sssd.conf and set the correct permissions:
# echo > /etc/sssd/sssd.conf # chmod 600 /etc/sssd/sssd.conf
8. Configure /etc/sssd/sssd.conf to resemble the following:
# vi /etc/sssd/sssd.conf [sssd] config_file_version = 2 debug_level = 9 domains = example.com services = nss, pam cache_credentials = true ad_server = adserver.example.com id_provider = ad access_provider = ad [domain/example.com] id_provider = ad debug_level = 9 access_provider = ad override_homedir = /home/%u default_shell = /bin/bash auth_provider = ad chpass_provider = ad ldap_schema = ad cache_credentials = true use_fuly_qualified_domain_name = true ad_enable_gc = false
9. Restart the SSSD service for the changes to take effect.
# service sssd restart
Notes
SSSD’s id mapping is identical to Winbind’s autorid for which it uses the same algorithm to generate locally-cached UIDs and GIDs based off of an LDAP Object’s SID attribute, so that all machines using SSSD with id mapping are consistent in UID and GID identifiers.
In case your Active Directory environment contains POSIX attributes instead of only usernames and SIDs, you can use the following additional configurations within the [domain] section of
ldap_id_mapping = false
You can also override Shell and Home Directory attribute information by changing fallback_homedir and default_shell to override_homedir and override_shell. The ‘fallback‘ and ‘default‘ options will only be used if this information is not returned from AD. However, the ‘override’ options will override whatever AD returns, regardless.
Also note, that anytime you make significant changes such as this to SSSD or are not sure if local SSSD cache should be regenerated, always run the following afterwards:
# service sssd stop # rm -rf /var/log/sssd/* # rm -rf /var/lib/sss/db/* # service sssd start