13.2.14. Configuring Domains: Active Directory as an LDAP Provider (Alternative)
While Active Directory can be configured as a type-specific identity provider, it can also be configured as a pure LDAP provider with a Kerberos authentication provider.
Procedure 13.7. Configuring Active Directory as an LDAP Provider
- It is recommended that SSSD connect to the Active Directory server using SASL with the GSSAPI mechanism, which means that the Linux host must have a Kerberos keytab containing its own host principal (host/FQDN@REALM) for the Windows domain. This keytab can be created using Samba, as in the following steps. GSSAPI also signs and seals the LDAP traffic (SSSD requests a SASL security layer by default), so the directory connection does not need a separate TLS setup.
- Configure the /etc/krb5.conf file to use the Active Directory realm:

```ini
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = false

[realms]
# Define only if DNS lookups are not working
# AD.EXAMPLE.COM = {
#  kdc = server.ad.example.com
#  admin_server = server.ad.example.com
#  master_kdc = server.ad.example.com
# }

[domain_realm]
# Define only if DNS lookups are not working
# .ad.example.com = AD.EXAMPLE.COM
# ad.example.com = AD.EXAMPLE.COM
```
- Set the Samba configuration file, /etc/samba/smb.conf, to point to the Windows Kerberos realm. The realm value must be the Kerberos realm name (the AD DNS domain in upper case, the same value as default_realm in krb5.conf), and workgroup is the NetBIOS name of the domain. The kerberos method setting makes the domain join write the host keys into the system keytab, /etc/krb5.keytab, which is what SSSD uses later:

```ini
[global]
 workgroup = EXAMPLE
 client signing = yes
 client use spnego = yes
 kerberos method = secrets and keytab
 log file = /var/log/samba/%m.log
 password server = AD.EXAMPLE.COM
 realm = AD.EXAMPLE.COM
 security = ads
```
- Obtain a Kerberos ticket for an account that is allowed to join machines to the domain. Type the following command as root:

```
~]# kinit Administrator@AD.EXAMPLE.COM
```
- Run the net ads join command to add the host machine to the domain. The account used must have sufficient rights to create a computer object in the Windows domain (by default, any domain user can join a small number of machines), but it does not require domain administrator privileges:

```
~]# net ads join -U Administrator
```

  Add createupn= to set the machine account's userPrincipalName at join time, so that it matches the principal SSSD later uses for GSSAPI (ldap_sasl_authid). The host principal (host/FQDN) is the normal choice; optionally, an NFS service principal (nfs/FQDN) can be used instead:

```
~]# net ads join createupn="host/rhel-server.example.com@AD.EXAMPLE.COM" -U Administrator
```

  Because kerberos method = secrets and keytab is set, the join writes the host keys into /etc/krb5.keytab. Confirm the join and that the host principal is present in the keytab before continuing:

```
~]# net ads testjoin
~]# klist -k /etc/krb5.keytab
```
- Make sure that the Services for Unix package (Identity Management for UNIX) is installed on the Windows server. Note that Identity Management for UNIX is deprecated in Windows Server 2012 R2 and no longer shipped with later releases; the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) remain in the AD schema there, but must be set with the Attribute Editor or PowerShell instead of the UNIX Attributes tab used below.
- Set up the Windows domain which will be used with SSSD.
  - On the Windows machine, open Server Manager.
  - Create the Active Directory Domain Services role.
  - Create a new domain, such as ad.example.com.
  - Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
- On the Active Directory server, create a group for the Linux users.
  - Open Administrative Tools and select Active Directory Users and Computers.
  - Select the Active Directory domain, ad.example.com.
  - In the Users container, right-click and select New > Group.
  - Name the new group unixusers, and save.
  - Double-click the unixusers group entry, and open the UNIX Attributes tab.
  - Set the NIS domain to the NIS domain that was configured for ad.example.com and, optionally, set a group ID (GID) number.
- Configure a user to be part of the Unix group.
  - Open Administrative Tools and select Active Directory Users and Computers.
  - Select the Active Directory domain, ad.example.com.
  - In the Users container, right-click and select New > User.
  - Name the new user aduser, and make sure that the User must change password at next logon and Lock account check boxes are not selected. Then save the user.
  - Double-click the aduser user entry, and open the UNIX Attributes tab. Make sure that the Unix configuration matches that of the Active Directory domain and the unixusers group:
    - The NIS domain, as created for the Active Directory domain
    - The UID
    - The login shell, to /bin/bash
    - The home directory, to /home/aduser
    - The primary group name, to unixusers
Note
User lookups on large directories can take several seconds per request. The initial user lookup is a search against the LDAP server. Unindexed searches are much more resource-intensive, and therefore slower, than indexed searches, because the server must check every entry in the directory for a match. To speed up lookups, make sure the attributes SSSD searches on are indexed. With the attribute mapping in the example below, name lookups search sAMAccountName, which AD indexes by default; the POSIX attributes used for ID lookups and group resolution should be indexed as well:
- uid (only when ldap_user_name is left at its default)
- uidNumber
- gidNumber
- gecos
- On the Linux system, configure the SSSD domain. The file must be owned by root and have mode 0600, otherwise SSSD refuses to start:

```
~]# vim /etc/sssd/sssd.conf
~]# chmod 0600 /etc/sssd/sssd.conf
```

For a complete list of LDAP provider parameters, see the sssd-ldap(5) man page. Note that sssd.conf does not support trailing comments on a value line; comments must be on their own lines, and a parameter set twice in one section is not an error, so only one of the values takes effect.

Example 13.9. An Active Directory 2008 R2 Domain with Services for Unix

```ini
[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam
...

[domain/ad.example.com]
# for performance and for logins while the domain is unreachable
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# authenticate the LDAP connection with the host keytab written by net ads join;
# the authid must be a principal present in /etc/krb5.keytab
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM
# AD returns referrals that only slow lookups down
ldap_referrals = false

# provide the schema for Services for Unix (RFC 2307bis attributes on user and group objects)
ldap_schema = rfc2307bis
ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
ldap_user_object_class = user
# optional - schema mapping; the full list of parameters is in sssd-ldap(5)
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
ldap_group_object_class = group

# deny access when the AD account is expired or disabled
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# required; must match default_realm in krb5.conf and the realm of the keytab principal
krb5_realm = AD.EXAMPLE.COM
krb5_canonicalize = false
```
- Restart SSSD, then confirm that the Active Directory user resolves with the Unix attributes set above:

```
~]# service sssd restart
~]# getent passwd aduser
~]# id aduser
```
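The three files configured in this procedure have to agree on the realm, and sssd.conf has to be well formed and protected, or the GSSAPI bind silently fails. The following script is an added example, not part of the original guide and not code from SSSD or Samba: it checks a krb5.conf, smb.conf and sssd.conf set for realm drift (default_realm, Samba realm, krb5_realm and the realm in ldap_sasl_authid must all be the same string), for a parameter set twice in one sssd.conf section, and for the 0600 mode SSSD requires. All inputs are constructed samples written to a temporary directory, so it runs offline; the function names conf_get, realms_consistent, duplicate_keys, sssd_conf_mode_ok and write_samples are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: offline sanity checks for the
# krb5.conf / smb.conf / sssd.conf trio configured above. All inputs are
# constructed samples written to a temp directory; nothing here contacts AD.

# conf_get FILE SECTION KEY: print the first value of KEY inside [SECTION]
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l) }
        l ~ /^\[/ { insec = (l == sec); next }
        insec && index(l, "=") {
            k = substr(l, 1, index(l, "=") - 1); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(l, index(l, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# realms_consistent KRB5 SMB SSSD DOMAIN_SECTION: return 0 when the Kerberos
# default_realm, the Samba realm, SSSD's krb5_realm and the realm part of
# ldap_sasl_authid all agree; otherwise report each mismatch and return 1.
realms_consistent() {
    k=$(conf_get "$1" libdefaults default_realm)
    s=$(conf_get "$2" global realm)
    d=$(conf_get "$3" "$4" krb5_realm)
    a=$(conf_get "$3" "$4" ldap_sasl_authid); a=${a##*@}
    rc=0
    for r in "$s" "$d" "$a"; do
        [ "$r" = "$k" ] || { echo "realm mismatch: '$r' vs default_realm '$k'"; rc=1; }
    done
    return $rc
}

# duplicate_keys FILE: print "section key" for every key that appears twice in
# one section (only one value wins, silently) and return 1 if any were found.
duplicate_keys() {
    awk '
        { l = $0; sub(/^[ \t]+/, "", l) }
        l == "" || l ~ /^[#;]/ { next }
        l ~ /^\[/ { sec = l; next }
        index(l, "=") {
            k = substr(l, 1, index(l, "=") - 1); sub(/[ \t]+$/, "", k)
            if (++seen[sec, k] == 2) { print sec, k; dup = 1 }
        }
        END { exit dup ? 1 : 0 }' "$1"
}

# sssd_conf_mode_ok FILE: SSSD refuses to start unless sssd.conf is mode 0600
sssd_conf_mode_ok() { [ -n "$(find "$1" -perm 600)" ]; }

# write_samples DIR: constructed configs. The "bad" set reproduces the kind of
# drift that breaks this setup (three spellings of the realm, ldap_schema set
# twice, world-readable sssd.conf); the "good" set is the corrected version.
write_samples() {
    mkdir -p "$1"
    printf '[libdefaults]\n default_realm = AD.EXAMPLE.COM\n' > "$1/krb5.conf"
    printf '[global]\n realm = EXAMPLE.COM\n security = ads\n' > "$1/smb.conf.bad"
    printf '[global]\n realm = AD.EXAMPLE.COM\n security = ads\n' > "$1/smb.conf.good"
    cat > "$1/sssd.conf.bad" <<'EOF'
[domain/ad.example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM
ldap_schema = rfc2307bis
krb5_realm = AD-REALM.EXAMPLE.COM
EOF
    cat > "$1/sssd.conf.good" <<'EOF'
[domain/ad.example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
EOF
    chmod 644 "$1/sssd.conf.bad"
    chmod 600 "$1/sssd.conf.good"
}

DIR="${TMPDIR:-/tmp}/adldap-check.$$"
write_samples "$DIR"
D=domain/ad.example.com
echo "== bad set =="
if duplicate_keys "$DIR/sssd.conf.bad"; then echo "no duplicate keys"; fi
if realms_consistent "$DIR/krb5.conf" "$DIR/smb.conf.bad" "$DIR/sssd.conf.bad" "$D"; then echo "realms consistent"; fi
if sssd_conf_mode_ok "$DIR/sssd.conf.bad"; then echo "mode ok"; else echo "sssd.conf must be mode 0600"; fi
echo "== good set =="
if duplicate_keys "$DIR/sssd.conf.good"; then echo "no duplicate keys"; fi
if realms_consistent "$DIR/krb5.conf" "$DIR/smb.conf.good" "$DIR/sssd.conf.good" "$D"; then echo "realms consistent"; fi
if sssd_conf_mode_ok "$DIR/sssd.conf.good"; then echo "mode ok"; fi
rm -rf "$DIR"
```

To run the same checks against a live host, source the script and call the functions with the real paths, for example realms_consistent /etc/krb5.conf /etc/samba/smb.conf /etc/sssd/sssd.conf domain/ad.example.com. The realm comparison is a plain string match on purpose: Kerberos realm names are case-sensitive, and a lower-case or differently spelled realm in any one of the three files produces a keytab lookup failure that is hard to spot in the SSSD logs.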