Chapter 6. Configuring the SSSD Container to Provide Identity and Authentication Services on Atomic Host
As a system administrator, you can use SSSD in a container to provide external identity, authentication, and authorization services for the Atomic Host system. This chapter describes how to run the SSSD container as privileged, which enables users from external identity sources (Identity Management or Active Directory) to use the services running on the Atomic Host itself. A privileged SSSD container shares the host's network namespace and has the host's root file system mounted, which is what lets it configure the host's own NSS and PAM stack; treat it as part of the host's trusted computing base, not as an isolated workload.
Alternatively, you can run the SSSD container as unprivileged, which enables users from external identity sources (Identity Management or Active Directory) to use the services running in other containers on the Atomic Host. This is covered in Chapter 7, Deploying SSSD Containers With Different Configurations.
Before you start, see:
To enroll the Atomic Host to an Identity Management server, see:
To enroll the Atomic Host to Active Directory, see:
6.1. Prerequisites
- Upgrade the Atomic Host system before installing the container. See Upgrading and Downgrading in the Red Hat Enterprise Linux Atomic Host 7 Installation and Configuration Guide.
6.2. Enrolling to an Identity Management Domain Using a Privileged SSSD Container
This procedure describes how to install an SSSD container and configure it for enrollment against an Identity Management server. During the installation:
- Various configuration and data are copied into the container.
- The ipa-client-install utility for configuring an Identity Management client starts.
- After a successful enrollment into the Identity Management domain, the configuration and data are copied back to the Atomic Host system.
Prerequisites
You need one of the following:
- A random password for one-time client enrollment of the Atomic Host system to the Identity Management domain. To generate the password, add the Atomic Host system as an Identity Management host on the Identity Management server, for example:
  $ ipa host-add <atomic.example.com> --random
  [... output truncated ...]
  Random password: 4Re[>5]OB$3K($qYs:M&}B
  [... output truncated ...]
  For details, see Installing a Client in the Linux Domain Identity, Authentication, and Policy Guide.
- Credentials of an Identity Management user allowed to enroll clients. By default, this is the admin user.
Procedure
1. Start the sssd container installation by using the atomic install command, and provide the random password or credentials of an IdM user that is allowed to enroll new hosts. In most cases, this is the admin user.
   # atomic install rhel7/sssd --password '4Re[>5]OB$3K($qYs:M&}B'
   [... output truncated ...]
   Service sssd.service configured to run SSSD container.
   [... output truncated ...]
   # atomic install rhel7/sssd -p admin -w <admin_password>
   [... output truncated ...]
   Service sssd.service configured to run SSSD container.
   [... output truncated ...]
   Enclose the random password in single quotes: it contains $ and other characters that the shell expands or interprets inside double quotes, and the altered value would be rejected by the server. A password given on the command line is also recorded in the shell history and visible to other users in the process list while the command runs; the ipa-client-install-options file described below keeps it off the command line.
   The atomic install rhel7/sssd command accepts standard ipa-client-install options. Depending on your configuration, you might need to provide additional information using these options. For example, if ipa-client-install cannot determine the host name of your server and the domain name, use the --server and --domain options:
   # atomic install rhel7/sssd --password '4Re[>5]OB$3K($qYs:M&}B' --server <server.example.com> --domain <example.com>
   Note: You can also pass options to ipa-client-install by storing them in the /etc/sssd/ipa-client-install-options file on the Atomic Host before running atomic install. For example, the file can contain:
   --password=4Re[>5]OB$3K($qYs:M&}B --server=server.example.com --domain=example.com
   Because this file stores the enrollment password in clear text, create it so that only root can read it (mode 0600) and remove it after the enrollment has succeeded; the random password is valid for a single enrollment only.
2. Start SSSD in the container by using one of the following commands:
   # atomic run rhel7/sssd
   # systemctl start sssd
3. Optional. Confirm that the container is running:
   # docker ps
   CONTAINER ID        IMAGE
   5859b9366f0f        rhel7/sssd
4. Optional. Confirm that SSSD on the Atomic Host resolves identities from the Identity Management domain.
   Obtain a Kerberos ticket for an Identity Management user, and log in to the Atomic Host by using the ssh utility:
   $ atomic run sssd kinit <idm_user>
   $ ssh <idm_user>@<atomic.example.com>
   Use the id utility to verify that you are logged in as the intended user:
   $ id
   uid=1215800001(idm_user) gid=1215800001(idm_user) groups=1215800001(idm_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   Use the hostname utility to verify that you are logged in to the Atomic Host system:
   $ hostname
   atomic.example.com
6.3. Joining an Active Directory Domain Using an SSSD Container
This procedure describes how to install an SSSD container and configure it to join the Atomic Host system to Active Directory.
Procedure
1. Save the password of a user allowed to enroll systems to the Active Directory domain, such as the Administrator, in the /etc/sssd/realm-join-password file on the Atomic Host system:
   # echo <password> > /etc/sssd/realm-join-password
   Providing the password in the file is necessary because the realm join command does not accept the password as a command-line parameter. The file holds the password in clear text: make sure it is readable by root only (mode 0600), quote the password if it contains characters the shell interprets, and remove the file once the join has succeeded.
   Note: If you want to specify a custom container image name later with the atomic install command to use instead of the default name (sssd), add the custom name to the path of the file: /etc/sssd/<custom_container_name>/realm-join-password.
2. Start the sssd container installation by using the atomic install command, and specify the realm that you want to join. If you are using the default Administrator user account for the operation:
   # atomic install rhel7/sssd realm join <ad.example.com>
   docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join ad.example.com
   Initializing configuration context from host ...
   Password for Administrator:
   Copying new configuration to host ...
   Service sssd.service configured to run SSSD container.
   The docker run line that atomic install prints shows what the installation container is granted: --privileged, the host's network namespace, and the host's root file system mounted at /host. Everything in that container runs with the host's privileges, so install only images from a registry you trust.
   If you are using another user account, specify it with the --user option:
   # atomic install rhel7/sssd realm join --user <user_name> <ad.example.com>
3. Start SSSD in the container by using one of the following commands:
   # atomic run rhel7/sssd
   # systemctl start sssd
4. Optional. Confirm that the container is running:
   # docker ps
   CONTAINER ID        IMAGE
   5859b9366f0f        rhel7/sssd
5. Optional. On the Atomic Host system, confirm that SSSD resolves identities from the Active Directory domain:
   # id administrator@<ad.example.com>
   uid=1397800500(administrator@ad.example.com) gid=1397800513(domain users@ad.example.com)
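Both procedures in this chapter stage a clear-text enrollment secret on the host (the ipa-client-install-options file in Section 6.2, the realm-join-password file in Section 6.3) and then verify the result with the id utility. The following POSIX shell helpers are an added example, not part of the Atomic Host documentation or of the rhel7/sssd image: they write either secret file so that it is never world-readable even for an instant, write the value literally so that characters such as $ and ( in a generated password survive unchanged, remove the file after the join, and check id output for the expected domain user. The function names (stage_secret, wipe_secret, secret_mode, check_domain_user) are this example's own; the file paths are the ones the text uses, and the id output used in the usage note is the sample from Section 6.2.

```shell
#!/bin/sh
# Added helper for the enrollment procedures in this chapter. Not part of
# the Atomic Host documentation or the rhel7/sssd image. Assumes a Linux
# host with POSIX sh, mktemp, ls and cut; function names are this
# example's own.
set -eu

# Write CONTENT (an ipa-client-install option line or the realm join
# password) to FILE so that only root can ever read it. printf '%s' is
# used instead of echo so that shell-special characters in the password
# ($, (, [, >, &) are stored literally rather than expanded.
stage_secret() {
    file=$1
    content=$2
    dir=$(dirname "$file")
    mkdir -p "$dir"
    # mktemp creates the file with mode 0600 inside a 077 umask, so the
    # secret is never exposed by a default umask before chmod runs.
    tmp=$(umask 077 && mktemp "$dir/.stage.XXXXXX")
    printf '%s\n' "$content" > "$tmp"
    chmod 0600 "$tmp"
    # Atomic rename: the destination is either absent or complete.
    mv -f "$tmp" "$file"
}

# Remove the secret once 'atomic install' has copied the configuration
# back to the host; the join credential is not needed after enrollment.
wipe_secret() {
    rm -f "$1"
}

# Report the permission string of FILE as ls prints it, e.g. "-rw-------".
secret_mode() {
    ls -ld "$1" | cut -c1-10
}

# Parse the output of 'id' and confirm that the caller is EXPECTED and
# not a local account: the name in the uid field must match, and the uid
# must be 1000 or higher (a uid below 1000 is a system account from
# /etc/passwd, so the lookup cannot have come from the domain).
# Returns 0 on success, 1 otherwise.
check_domain_user() {
    id_output=$1
    expected=$2
    uid_field=${id_output%% *}            # e.g. uid=1215800001(idm_user)
    uid_num=${uid_field#uid=}
    uid_num=${uid_num%%(*}                # 1215800001
    uid_name=${uid_field#*(}
    uid_name=${uid_name%%)*}              # idm_user
    [ "$uid_name" = "$expected" ] || return 1
    [ "$uid_num" -ge 1000 ] || return 1
    return 0
}
```

Typical use on the Atomic Host: stage_secret /etc/sssd/realm-join-password '<password>' before atomic install, wipe_secret /etc/sssd/realm-join-password after the join reports "Service sssd.service configured", and check_domain_user "$(id)" idm_user from the ssh session in Section 6.2 (exit status 0 means the login resolved through the domain). The same stage_secret call works for /etc/sssd/ipa-client-install-options with the option line from Section 6.2 as CONTENT.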
Additional Resources
- For details on the realmd utility, see Using realmd to Connect to an Active Directory Domain in the Windows Integration Guide or the realm(8) man page.