1.5. Connecting to AD using POSIX attributes defined in Active Directory
AD can create and store POSIX attributes, such as uidNumber, gidNumber, unixHomeDirectory, or loginShell.
When using POSIX ID mapping, SSSD creates new UIDs and GIDs, which overrides the values defined in AD. To keep the AD-defined values, you must disable POSIX ID mapping in SSSD.
For best performance, publish the POSIX attributes to the AD global catalog. If POSIX attributes are not present in the global catalog, SSSD connects to the individual domain controllers directly on the LDAP port.
Prerequisites
- Ensure that the required ports are open.
- Ensure that you are using the AD domain controller server for DNS.
- Verify that the system time on both systems is synchronized. This ensures that Kerberos is able to work correctly.
Procedure
- Install the following packages:
  # dnf install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
- Configure the local RHEL system with POSIX ID mapping disabled using the realm join command with the --automatic-id-mapping=no option. The realmd suite edits all required configuration files automatically. For example, for a domain named ad.example.com:
  # realm join --automatic-id-mapping=no ad.example.com
  If you already joined a domain, you can manually disable POSIX ID mapping in SSSD:
  - Open the /etc/sssd/sssd.conf file.
  - In the AD domain section, add the ldap_id_mapping = false setting.
  - Remove the SSSD caches:
    # rm -f /var/lib/sss/db/*
  - Restart SSSD:
    # systemctl restart sssd
  SSSD now uses POSIX attributes from AD, instead of creating them locally.
  Note: You must have the relevant POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, and loginShell) configured for the users in AD.
Verification
Display the details of an AD user, such as the administrator user:
# getent passwd administrator@ad.example.com
administrator@ad.example.com:*:10000:10000:Administrator:/home/Administrator:/bin/bash
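The following POSIX shell script is an added example and is not part of the Red Hat documentation or of SSSD itself. It automates two of the checks implied by the procedure and the verification step above: it parses an sssd.conf file to confirm that the [domain/<name>] section explicitly sets ldap_id_mapping = false, and it inspects a getent passwd line to confirm that the UID lies below SSSD's default automatic-mapping range (ldap_idmap_range_min defaults to 200000, so with default settings a UID below that value cannot have been allocated by SSSD). The configuration files and passwd lines it operates on are constructed inline; on a real system you would point the functions at /etc/sssd/sssd.conf and at the output of getent. The range check assumes the default ldap_idmap_range_min; adjust the constant if the domain overrides it.

```shell
#!/bin/sh
# Added example, not from the page: verify that POSIX ID mapping is disabled
# for an AD domain in sssd.conf, and that a getent passwd entry carries a UID
# taken from AD rather than one allocated by SSSD's automatic ID mapping.

# Print the value of ldap_id_mapping in the [domain/<domain>] section,
# lowercased; prints nothing if the section or the key is absent.
ldap_id_mapping_value() {
    conf="$1"
    domain="$2"
    awk -v section="[domain/$domain]" '
        /^[ \t]*\[/ {
            # A section header: remember whether it is the one we want.
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_section = (line == section)
            next
        }
        in_section && /^[ \t]*ldap_id_mapping[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # keep only the value
            sub(/[ \t]+$/, "")         # drop trailing whitespace
            print tolower($0)
            exit
        }' "$conf"
}

# Succeed only if the domain explicitly sets ldap_id_mapping = false.
id_mapping_disabled() {
    [ "$(ldap_id_mapping_value "$1" "$2")" = "false" ]
}

# SSSD's default ldap_idmap_range_min is 200000 (assumed here; adjust if the
# domain overrides it). Given a getent passwd line, succeed if its UID is
# below that minimum, i.e. it must have come from AD's uidNumber.
IDMAP_RANGE_MIN=200000
uid_from_ad_range() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$uid" -ge 0 ] 2>/dev/null && [ "$uid" -lt "$IDMAP_RANGE_MIN" ]
}

# Constructed sample configurations (not taken from any real system).
CONF_OK=$(mktemp)
CONF_BAD=$(mktemp)
trap 'rm -f "$CONF_OK" "$CONF_BAD"' EXIT
cat > "$CONF_OK" <<'EOF'
[sssd]
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
ldap_id_mapping = False
EOF
cat > "$CONF_BAD" <<'EOF'
[domain/ad.example.com]
id_provider = ad
EOF

# Constructed passwd line in the shape of the page's getent output.
AD_LINE='administrator@ad.example.com:*:10000:10000:Administrator:/home/Administrator:/bin/bash'
# Constructed passwd line with a UID inside SSSD's default auto-mapped range.
MAPPED_LINE='someone@ad.example.com:*:1234567:1234567:Someone:/home/someone:/bin/bash'

if id_mapping_disabled "$CONF_OK" ad.example.com; then
    echo "ad.example.com: ldap_id_mapping = false, AD POSIX attributes are used"
fi
if ! id_mapping_disabled "$CONF_BAD" ad.example.com; then
    echo "ad.example.com (second sample): ID mapping still enabled, fix sssd.conf"
fi
if uid_from_ad_range "$AD_LINE"; then
    echo "UID $(printf '%s\n' "$AD_LINE" | cut -d: -f3) is below $IDMAP_RANGE_MIN: defined in AD"
fi
```

Run it against the real files by replacing the sample paths with /etc/sssd/sssd.conf and feeding it a line from getent passwd for a domain user; a UID at or above 200000 after the change usually means the SSSD cache was not cleared or the user has no uidNumber in AD.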