Authenticate Linux (RedHat 6) within Active Directory (AD) domain using SSSD

This memo was tested on RH6 64bit.

Software

Install the following packages:

# yum install sssd samba-common.x86_64 krb5-workstation openldap-clients

Join the domain

Create /etc/krb5.conf as follows:

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = EXAMPLE.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.DOMAIN.COM = {
  kdc = pdc.example.domain.com
  admin_server = pdc.example.domain.com
 }

[domain_realm]
 .example.domain.com = EXAMPLE.DOMAIN.COM
 example.domain.com = EXAMPLE.DOMAIN.COM

Create /etc/samba/smb.conf as follows:

[global]
   workgroup = MYDOMAIN
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = EXAMPLE.DOMAIN.COM
   security = ads

Test the configuration with the testparm command. Join the domain:

# net ads join -U _YOUR_USERNAME_ createcomputer="SRV/UNIX"

Replace _YOUR_USERNAME_ with your user name. The "SRV/UNIX" option creates the computer account in the "OU=UNIX,OU=SRV,DC=EXAMPLE,DC=DOMAIN,DC=COM" container, which is useful if your account is limited to that container only.

Check the result of the join with net ads status -U _YOUR_USERNAME_.

Check with klist -ke that the Kerberos keytab was created successfully.

Configure SSSD

Create /etc/sssd/sssd.conf as follows:

[sssd]
config_file_version = 2
domains = example.domain.com
services = nss, pam
;debug_level = 4

[nss]

[pam]

[domain/example.domain.com]
access_provider = ldap
auth_provider = krb5
cache_credentials = true
chpass_provider = krb5
enumerate = false
id_provider = ldap
krb5_canonicalize = false
krb5_realm = EXAMPLE.DOMAIN.COM
ldap_access_order = expire
;ldap_access_order = expire,filter
;ldap_access_filter = (|(gidNumber=1000)(gidNumber=1500))
;ldap_access_filter = (gidNumber=1000)
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_group_gid_number = gidNumber
ldap_group_name = cn
ldap_group_object_class = group
ldap_group_search_base = DC=EXAMPLE,DC=DOMAIN,DC=COM
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_user_gecos = gecos
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_search_base = DC=EXAMPLE,DC=DOMAIN,DC=COM
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber

Set the file permissions to 0600.

Turn on sssd:

# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# chkconfig sssd on
# service sssd start

Check that it is working.

Access control

Access is controlled with the ldap_access_filter line in /etc/sssd/sssd.conf.

Another, more flexible, way is to use the PAM pam_listfile module.

Create files:

# touch /etc/groups.allow /etc/users.allow
# chmod 600 /etc/groups.allow /etc/users.allow
# echo "SomeWindowsGroup" > /etc/groups.allow

Edit /etc/pam.d/system-auth-ac (or system-auth, whichever applies) so that its "auth" section looks like this:

...
auth	required	pam_env.so
auth	sufficient	pam_unix.so nullok try_first_pass
auth	requisite	pam_succeed_if.so uid >= 500 quiet
auth	required	pam_sss.so use_first_pass
auth	sufficient	pam_listfile.so item=group sense=allow file=/etc/groups.allow onerr=fail
auth	sufficient	pam_listfile.so item=user sense=allow file=/etc/users.allow onerr=fail
auth	required	pam_deny.so
...

The changed lines (shown in bold in the original) are the pam_sss.so line, which is "required" instead of the stock "sufficient", and the two pam_listfile.so lines.

Now you can grant access by adding group names to /etc/groups.allow and user names to /etc/users.allow.
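To see why pam_sss.so has to be "required" rather than "sufficient" in this stack, the following added example (not part of the memo) simulates the auth section above with Linux-PAM control-flag semantics; the users alice and bob, their passwords, uids and group memberships, and the allow-list contents are constructed stand-ins.

```python
# Constructed stand-ins (hypothetical users, groups and passwords; none are from the memo).
LOCAL_PASSWORDS = {"root": "local-secret"}                 # /etc/shadow, checked by pam_unix
AD_PASSWORDS = {"alice": "Ad-pass-1", "bob": "Ad-pass-2"}  # verified by pam_sss through sssd
UIDS = {"root": 0, "alice": 10001, "bob": 10002}          # uidNumber as resolved through NSS
GROUPS = {"SomeWindowsGroup": {"alice"}, "OtherGroup": {"bob"}}  # AD groups as seen via NSS
FILES = {"/etc/groups.allow": ["SomeWindowsGroup"], "/etc/users.allow": []}
def pam_unix(user, password):
    return LOCAL_PASSWORDS.get(user) == password
def pam_succeed_if_uid_ge_500(user, password):
    return UIDS.get(user, -1) >= 500
def pam_sss(user, password):
    return AD_PASSWORDS.get(user) == password

def pam_listfile(item, path, files=FILES):
    """item=user|group sense=allow onerr=fail: succeed only if the user, or one of the
    user's groups, is listed; a missing file is an error and therefore a failure."""
    def module(user, password):
        entries = files.get(path)
        if entries is None:        # onerr=fail: a missing allow list denies
            return False
        return user in entries if item == "user" else any(
            user in GROUPS.get(group, ()) for group in entries)
    return module

def run_auth_stack(stack, user, password):
    """Linux-PAM control flags: required = remember failure, continue; requisite = fail
    at once; sufficient = succeed at once unless an earlier required module failed."""
    failed = False
    for control, module in stack:
        ok = module(user, password)
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed:
            return True
    return not failed

AUTH_STACK = [  # the memo's auth section, in order
    ("required", lambda u, p: True),                            # pam_env.so only sets variables
    ("sufficient", pam_unix),                                   # local account: finished here
    ("requisite", pam_succeed_if_uid_ge_500),                   # system accounts never reach sssd
    ("required", pam_sss),                                      # AD password, result remembered
    ("sufficient", pam_listfile("group", "/etc/groups.allow")),
    ("sufficient", pam_listfile("user", "/etc/users.allow")),
    ("required", lambda u, p: False),                           # pam_deny.so: nothing matched
]
# With pam_sss "sufficient" (stock authconfig), a valid AD password returns before the lists are read.
WEAK_STACK = [("sufficient" if m is pam_sss else c, m) for c, m in AUTH_STACK]
```

With the memo's stack, bob (valid AD password, not in SomeWindowsGroup) is denied, while the same user is admitted by WEAK_STACK because the allow lists are never consulted.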

Updated on Mon Mar 31 12:03:44 UTC 2014