It is a common theme to attach Linux hosts to an already existing Directory Service infrastructure, likely running on Windows.
There are a lot of ways to do this, from Samba clients and Winbind, to OpenLDAP PAM modules and Kerberos, but RedHat introduced a new tool to simplify this.
SSSD (System Security Services Daemon) is that tool, it also works on other distributions (Debian/Ubuntu, CentOS, etc).
A five minute process to tie all your Linux machines to good directory services, which makes everyone’s job easier.
This may be a surprise to some people, but I personally believe that Microsoft’s Active Directory is one of the best directory services out there.
It offers LDAP, RADIUS, Kerberos, internal Certificate Authority servers, and more.
Tying all of that together yourself with OpenLDAP, Samba, open source RADIUS servers, and other services would be more of an undertaking, but it can be done.
I won’t get into everything I hate about other Microsoft products, the purpose for this entry is to assist others in finding their way into integrating their Linux logins, NFS home directories, authentication, password policies, etc into an existing Active Directory infrastructure.
The focus of this particular entry will be around a set of components that RedHat released as part of their new 6.x branch, called SSSD (System Security Services Daemon). SSSD aims to simplify the process of integrating different authentication backends into PAM. This way, you won’t necesarily need a PAM module for LDAP, a PAM module for KRB, module for NIS, etc.
PAM will simply call SSSD, which then handles doing lookups against whatever backend of your choice, in this case we will use LDAP to integrate into Active Directory.
For the initial setup, we need to extend the schema for Active Directory to support additional user attributes, like the Unix UserID, GroupID, Shell, Home Directory, and Primary Group.
Go to one of your Domain Controllers, open Server Manager, under Roles, click “Add Role Services”, then select “Identity Management for UNIX”. You will need to install the NIS Server and Administration Tools, you can skip the Password Sync component. Unfortunately, to get the “Unix Attributes” tab in AD, you need to install the NIS Server, it will not give you the Unix attributes tab without it. You will need to reboot the server for the features to be installed, so take that into consideration.
With the feature installed, you can start populating user and group properties with new Unix attributes. I suggest coming up with a UID and GID numbering convention, you will still have local system accounts and groups on each server, plus accounts in your directory service. This will come bite you in the ass if you don’t have a plan, like when you create a local account, it will select the next available UID, which will include any on the computer, and in the directory. You will need a plan, and to edit your “login.default” to set a high maximum for local UIDs and GIDs.
You now need to install SSSD on your RedHat/CentOS/Scientific Linux server. You will need to have the ‘sssd’ and ‘sssd-client’ packages installed.
Once installed, edit the ‘/etc/sssd/sssd.conf’ file, use the below as an example of entries you need to authenticate to a domain. I also suggest exporting the Certificate Authority from your Domain Controller to ensure trusted/encrypted traffic for LDAP.
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the “domains” attribute below and uncomment it.
domains = domain
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
reconnection_retries = 3
debug_level = 0
description = LDAP domain with AD server
enumerate = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dc01.domain.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/domain.crt
ldap_schema = rfc2307bis
ldap_user_search_base = DC=domain,DC=com
ldap_group_search_base = OU=Security Groups,DC=domain,DC=com
ldap_default_bind_dn = CN=LDAPBIND,DC=domain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = somepassword
ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = name
ldap_group_member = member
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = True