30.4.2.3. Active Directory Domain Example


For SSSD to work with an Active Directory domain, both the Active Directory domain and the local system have to be configured specially to communicate with one another.

Note

The Microsoft Active Directory documentation has complete procedures for configuring the Active Directory domain.
  1. Using authconfig, set the Linux client to use Active Directory as its LDAP identity provider. For example:
    authconfig --enableldap --enableldapauth --ldapserver=ldap://ad.example.com:389 --enablekrb5 --krb5realm AD-REALM.EXAMPLE.COM --krb5kdc ad-kdc.example.com:88 --krb5adminserver ad-kdc.example.com:749 --update
    The authconfig command is described in Section 29.4, “Command Line Version”.
  2. Create the Active Directory Domain Services role.
  3. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a new Computer object with the name of the Linux client.
    1. In the Administrative Tools menu, select the Active Directory Users and Computers application.
    2. Expand the Active Directory root object, such as ad.example.com.
    3. Right-click Computers, and select the New and the Computer item.
    4. Enter the name for the Linux client, such as rhel-server, and click OK.
    5. Expand the Computers object.
    6. Right-click the rhel-server object, and select Properties.
    7. In the UNIX Attributes, enter the name of the Linux NIS domain and the IP address of the Linux server.
      Click OK.
  5. From the command prompt on the Active Directory server, create a machine account, password, and UPN for the Linux host principal.
    C:\> setspn -A host/rhel-server.example.com@AD-REALM.EXAMPLE.COM rhel-server
    Registering ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com
            host/rhel server.example.com@AD-REALM.EXAMPLE.COM
    Updated object

    C:\> setspn -L rhel-server
    Registered ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com:
            host/rhel server.example.com@AD-REALM.EXAMPLE.COM
    
    C:\> ktpass /princ host/rhel-server.example.com@AD-REALM.EXAMPLE.COM /out rhel-server.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD\rhel-server$ +rndPass
    
    Targeting domain controller: 
        ad.example.com
    Using legacy password setting method
    Successfully mapped host/rhel server.redhat.com 
    ... 8< ...
  6. Copy the keytab from the Active Directory server to the Linux client, and save it as /etc/krb5.keytab.
  7. On the Linux system, reset the permissions and owner for the keytab file.
    [root@rhel-server ~]# chown root:root /etc/krb5.keytab
    [root@rhel-server ~]# chmod 0600 /etc/krb5.keytab
  8. Restore the SELinux file permissions for the keytab.
    [root@rhel-server ~]# restorecon /etc/krb5.keytab
  9. Verify that the host can connect to the Active Directory domain.
    [root@rhel-server ~]# kinit -k -t /etc/krb5.keytab host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
  10. On the Active Directory server, create a group for the Linux users.
    1. Create a new group named unixusers.
    2. Open the unixusers group and open the Unix Attributes tab.
    3. Configure the Unix settings:
      • The NIS domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers
  11. Then, configure the SSSD domain on the Linux machine.

    Example 30.2. An Active Directory 2008 Domain

    [root@rhel-server ~]# vim /etc/sssd/sssd.conf
    
    [sssd]
    config_file_version = 2
    domains = ad.example.com
    services = nss, pam
    
    [nss]
    
    [pam]
    
    [domain/ad.example.com]
    cache_credentials = true
    enumerate = false
    
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/rhel-server.example.com@AD-REALM.EXAMPLE.COM

    ldap_schema = rfc2307bis
    
    ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_principal = userPrincipalName
    ldap_user_name = sAMAccountName
    
    ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
    ldap_group_object_class = group
    
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    ldap_disable_referrals = true
    
    #krb5_server = server.ad.example.com
    krb5_realm = AD-REALM.EXAMPLE.COM

    These options are described in the man page for LDAP domain configuration, sssd-ldap(5).
  12. Restart SSSD.
    [root@rhel-server ~]# service sssd restart
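    A small audit of the finished configuration, added here as an example and not part of the Red Hat guide: it parses an sssd.conf and flags deviations from the Active Directory settings in Example 30.2 (GSSAPI bind with the host keytab instead of a stored bind password, krb5 authentication, an upper-case realm, and the AD account-expiry check), plus a check for the keytab ownership and mode set in step 7. The check list and the constructed sample config are illustrative assumptions.

```python
"""Audit an sssd.conf for the Active Directory settings used above. Added example,
not from the Red Hat guide; the checks and sample config are illustrative assumptions."""
import configparser
import stat

# Constructed sample: the essential keys from Example 30.2 (page's own values).
SAMPLE_CONF = """
[sssd]
domains = ad.example.com

[domain/ad.example.com]
auth_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
ldap_account_expire_policy = ad
krb5_realm = AD-REALM.EXAMPLE.COM
"""

def audit_sssd_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    for dom in [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",") if x.strip()]:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            out.append("missing section [%s]" % sec)
            continue
        d, realm = cp[sec], cp[sec].get("krb5_realm", "")
        if d.get("auth_provider") != "krb5":
            out.append(sec + ": auth_provider should be krb5 for Active Directory")
        if d.get("ldap_sasl_mech", "").upper() != "GSSAPI":
            out.append(sec + ": ldap_sasl_mech is not GSSAPI, so the LDAP bind does not use the host keytab")
        if "ldap_default_authtok" in d:
            out.append(sec + ": ldap_default_authtok keeps a plaintext bind password in the file")
        if not realm or realm != realm.upper():
            out.append(sec + ": krb5_realm is missing or not upper case")
        if d.get("access_provider") == "ldap" and d.get("ldap_account_expire_policy") != "ad":
            out.append(sec + ": access_provider=ldap without ldap_account_expire_policy=ad, so expired or disabled AD accounts are not rejected")
    return out

def check_keytab(st_mode, st_uid, st_gid):
    """Step 7 as a check: /etc/krb5.keytab must be owned root:root with mode 0600."""
    out = []
    if (st_uid, st_gid) != (0, 0):
        out.append("keytab is not owned by root:root")
    if stat.S_IMODE(st_mode) & 0o077:
        out.append("keytab is readable or writable by group or other")
    return out
```

    To audit a live system, pass the contents of /etc/sssd/sssd.conf to audit_sssd_conf and the st_mode, st_uid and st_gid from os.stat("/etc/krb5.keytab") to check_keytab.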
© 2024 Red Hat, Inc.