The Geek Diary

CONCEPTS | BASICS | HOWTO

How to Integrate CentOS/RHEL system into an AD Domain with LDAP/Kerberos/SSSD

By

The post outlines steps to integrate CentOS/RHEL 6 (client) servers into an AD domain with LDAP/Kerberos/SSSD.

1. Install the required packages:

# yum install sssd samba-common krb5-workstation
Note: Make sure NTP is running and working as expected and add your AD server in /etc/hosts

2. Configure /etc/krb5.conf to resemble the following::

# vi /etc/krb5.conf
[logging]
kdc = SYSLOG:DEBUG
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
admin_server = adserver.example.com

}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

3. Configure /etc/samba/smb.conf to resemble the following:

# vi /etc/samba/smb.conf
[global]
workgroup = ADGRP
realm = EXAMPLE.COM
security = ads
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client use spnego = yes
idmap config * : backend = tdb
password server = adserver.example.com

4. Open a Kerberos ticket as an AD Administrator:

# kinit your-admin-user
Note: Make sure to remove old key in case that is presented. : “rm /etc/krb5.keytab”

5. Join the OL machine to Active Directory and generate a Keytab:

# net ads join createupn=host/adserver.example.com@EXAMPLE.COM -k
# net ads keytab create -k

6. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

7. Create /etc/sssd/sssd.conf and set the correct permissions:

# echo > /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

8. Configure /etc/sssd/sssd.conf to resemble the following:

# vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
domains = example.com
services = nss, pam
cache_credentials = true
ad_server = adserver.example.com
id_provider = ad
access_provider = ad

[domain/example.com]
id_provider = ad
debug_level = 9
access_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
cache_credentials = true
use_fuly_qualified_domain_name = true
ad_enable_gc = false

9. Restart the SSSD service for the changes to take effect.

# service sssd restart

Notes

SSSD’s id mapping is identical to Winbind’s autorid for which it uses the same algorithm to generate locally-cached UIDs and GIDs based off of an LDAP Object’s SID attribute, so that all machines using SSSD with id mapping are consistent in UID and GID identifiers.

In case your Active Directory environment contains POSIX attributes instead of only usernames and SIDs, you can use the following additional configurations within the [domain] section of /etc/sssd/sssd.conf to disable id_mapping:

ldap_id_mapping = false

You can also override Shell and Home Directory attribute information by changing fallback_homedir and default_shell to override_homedir and override_shell. The ‘fallback‘ and ‘default‘ options will only be used if this information is not returned from AD. However, the ‘override’ options will override whatever AD returns, regardless.

Also note, that anytime you make significant changes such as this to SSSD or are not sure if local SSSD cache should be regenerated, always run the following afterwards:

# service sssd stop
# rm -rf /var/log/sssd/*
# rm -rf /var/lib/sss/db/*
# service sssd start

You May Also Like