How to configure sssd on SLES 11 to resolve names and authenticate to Windows 2008 Active Directory
This document (7014572) is provided subject to the disclaimer at the end of this document.
Environment
Situation
This is an alternative to using winbind. SSSD must be used in lieu of winbind when the primary group of a user as listed on the Active Directory side MUST be different from the primary group of that user as listed on the Linux side. This is due to recent security fixes in winbind. If the primary group is the same on the Windows and Linux sides, sssd can still be used as an optional alternative if desired.
Resolution
For the purposes of this document, the following naming is used:
domain = ad-domain.com
realm = AD-DOMAIN.COM
SLES 11 SP1 server (client) = client
SLES 11 SP1 server (client) fully qualified = client.ad-domain.com
Windows 2008 server (AD server) = adserver
Windows 2008 server (AD server) fully qualified = adserver.ad-domain.com
ipaddress of Windows 2008 server = 192.168.0.1
User = unixuser
Group = unixgroup
This document assumes a fully functional Windows 2008 Active Directory domain and network. It will not go into troubleshooting or setup of communication between the SLES 11 SP1 server and the Windows 2008 server.
Windows 2008 domain configuration:
1. Using Server Manager, under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], expand the domain that will contain the SLES 11 SP1 server and users - ad-domain.com. If the domain doesn't exist yet, create a new domain.
2. Within the Computers folder, right click and choose New | Computer. Create a computer object that will correspond to the SLES 11 SP1 server. For our example, Computer name = client. It is not necessary to choose the option, Assign this computer account as a pre-Windows 2000 computer.
3. Click Active Directory Domain Services under Roles in Server Manager. Scroll the right hand window down to Role Services. Choose Add Role Service and select Identity Management for UNIX. Use the domain created / used in step 1 as the NIS Domain Name. For our example, NIS Domain name = ad-domain.com
4. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com] Within the Users folder, right click and choose New | Group. Create a group object. For our example, Group name = unixgroup
- Double click or go into properties for the group, unixgroup then switch to the Unix Attributes tab.
- Select the NIS domain set up in Step 3.
- Set GID (this will be according to your environment's configuration). For our example, 10000
5. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com] Within the Users folder, right click and choose New | User. Create a user object. For our example, User logon name = unixuser.
- Uncheck User must change password at next logon and Account is disabled.
- Double click or go into properties for the user, unixuser, then switch to the UNIX Attributes tab.
- Select the NIS domain as set up in Step 3.
- Set UID (this will be according to your environment's configuration). For our example, 10000
- Set Login Shell (this will be according to your environment's configuration). For our example, /bin/bash
- Set Home Directory (this will be according to your environment's configuration). For our example, /home/unixuser
- Set Primary Group Name/GID to unixgroup
SLES 11 SP1 server configuration:
1. Check and install if needed the following packages: sssd, krb5, krb5-client, pam_krb5, sssd-tools
2. Modify the /etc/krb5.conf file to reflect the actual configuration. Some environments may not need the additional [realms] and [domain_realm] definitions included here. Note that the realm name must be written identically everywhere it appears (AD-DOMAIN.COM), and that [domain_realm] maps a DNS domain (left) to a Kerberos realm (right). For our example, see the following:
[libdefaults]
    default_realm = AD-DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = yes
    clockskew = 300
[realms]
    AD-DOMAIN.COM = {
        kdc = ADSERVER.AD-DOMAIN.COM
        default_domain = ad-domain.com
        admin_server = 192.168.0.1
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    # DNS domain on the left, Kerberos realm on the right
    .ad-domain.com = AD-DOMAIN.COM
    ad-domain.com = AD-DOMAIN.COM
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
    }
3. Modify the /etc/sssd/sssd.conf file to reflect the actual configuration. The file must be owned by root with mode 0600, otherwise sssd refuses to start. For our example, see the following:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
# very verbose; lower this once the setup is working
debug_level = 10
domains = AD-DOMAIN.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/AD-DOMAIN.COM]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://192.168.0.1
ldap_schema = rfc2307bis
ldap_user_search_base = dc=ad-domain,dc=com
ldap_user_object_class = user
# AD attributes populated by Identity Management for UNIX
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_search_base = dc=ad-domain,dc=com
ldap_group_object_class = group
ldap_force_upper_case_realm = false
ldap_access_order = expire
ldap_account_expire_policy = ad
krb5_realm = AD-DOMAIN.COM
# the AD server (adserver) from the naming table above
krb5_server = 192.168.0.1
ldap_sasl_mech = gssapi
ldap_krb5_init_creds = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
ldap_sasl_authid = host/client.ad-domain.com@AD-DOMAIN.COM
4. Check resolution of the Active Directory domain from the SLES 11 SP1 server. It may be necessary to add the domain to the /etc/hosts file if DNS resolution doesn't provide an address for the domain. For our example, add the following to the /etc/hosts file:
192.168.0.1 ad-domain.com adserver adserver.ad-domain.com
5. Create a service keytab for the SLES 11 SP1 server.
From the Windows 2008 server, open a command window and run the following commands to configure the computer object created for the SLES 11 SP1 server and generate a keytab. For our example, the commands would be:
- setspn -A host/client.ad-domain.com@AD-DOMAIN.COM client
- setspn -L client
- ktpass /princ host/client.ad-domain.com@AD-DOMAIN.COM /out client-krb5.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD-DOMAIN.COM\client$ /pass *
Copy client-krb5.keytab to the SLES 11 SP1 server, place it in the /etc directory and rename it to krb5.keytab (the path referenced by ldap_krb5_keytab in sssd.conf). The file contains the host's long-term key, so it should be owned by root with mode 0600.
6. Verify Kerberos functionality and /etc/krb5.keytab. For our example, the commands would be:
- kinit -k -t /etc/krb5.keytab 'host/client.ad-domain.com@AD-DOMAIN.COM'
- kinit unixuser@AD-DOMAIN.COM
- /usr/bin/ldapsearch -H ldap://adserver.ad-domain.com -Y GSSAPI -N -b "dc=ad-domain,dc=com" "(&(objectclass=user)(sAMAccountName=unixuser))"
7. Modify the /etc/nsswitch.conf file to include resolution through sss:
passwd: files sss
group: files sss
8. Add the pam_sss.so module to the pam.d files. Always back up the /etc/pam.d files before making modifications and keep an open, authenticated terminal session while testing until the configuration is validated. A mistake in the pam.d files can result in the inability to authenticate any user, including root. For our example, the pam.d files contain the following:
/etc/pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_sss.so use_first_pass
/etc/pam.d/common-account
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
/etc/pam.d/common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_sss.so
session optional pam_umask.so
/etc/pam.d/common-password
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_sss.so use_authtok
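As an added example (not part of this TID, and not a SUSE or sssd tool), the POSIX shell script below checks the files produced in steps 2, 3 and 5 for the mistakes that most often break this setup: a realm name spelled differently in [realms] than in default_realm, a [domain_realm] mapping written realm-to-domain instead of domain-to-realm, a [domain/NAME] section whose krb5_realm disagrees with krb5.conf, and an sssd.conf or keytab that is readable by other users. The function names (ini_get, check_krb5_conf, check_sssd_conf, check_secret_file) are this example's own; the domain and realm values are the ones used throughout this document.

```shell
#!/bin/sh
# Added example, not from the SUSE TID: read-only sanity checks for the
# krb5.conf, sssd.conf and keytab built in steps 2, 3 and 5.
# Usage: sh sssd-check.sh --live   (checks the real files under /etc)

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# krb5.conf and sssd.conf share this "key = value" layout; prints nothing
# when the section or key is absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec { insec = 1; next }
        /^[ \t]*\[/ { insec = 0 }
        insec && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# check_krb5_conf FILE DOMAIN REALM: 0 when default_realm, the [realms]
# block and the [domain_realm] mapping all use REALM consistently, else 1.
check_krb5_conf() {
    file=$1; domain=$2; realm=$3; rc=0
    [ "$(ini_get "$file" libdefaults default_realm)" = "$realm" ] ||
        { echo "$file: default_realm is not $realm" >&2; rc=1; }
    [ "$(ini_get "$file" realms "$realm")" = "{" ] ||
        { echo "$file: no [realms] block named $realm (check for a typo)" >&2; rc=1; }
    [ "$(ini_get "$file" domain_realm ".$domain")" = "$realm" ] ||
        { echo "$file: [domain_realm] must map .$domain = $realm (DNS domain left, realm right)" >&2; rc=1; }
    return $rc
}

# check_sssd_conf FILE REALM: every domain listed in [sssd] domains needs a
# [domain/NAME] section whose krb5_realm is REALM.
check_sssd_conf() {
    file=$1; realm=$2; rc=0
    for d in $(ini_get "$file" sssd domains | tr ',' ' '); do
        r=$(ini_get "$file" "domain/$d" krb5_realm)
        [ "$r" = "$realm" ] ||
            { echo "$file: [domain/$d] krb5_realm is '$r', expected $realm" >&2; rc=1; }
    done
    return $rc
}

# check_secret_file FILE: sssd refuses to start if sssd.conf is readable by
# group or others, and the keytab holds the host key, so both must be
# mode 600 (or 400). Returns 0 when the mode is acceptable, 1 otherwise.
check_secret_file() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) ||
        { echo "$1: missing or unreadable" >&2; return 1; }
    case $mode in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600 (chmod 600 $1)" >&2; return 1 ;;
    esac
}

# run_live_checks: apply all checks to the real files using this document's
# naming (domain ad-domain.com, realm AD-DOMAIN.COM).
run_live_checks() {
    rc=0
    check_krb5_conf /etc/krb5.conf ad-domain.com AD-DOMAIN.COM || rc=1
    check_sssd_conf /etc/sssd/sssd.conf AD-DOMAIN.COM || rc=1
    check_secret_file /etc/sssd/sssd.conf || rc=1
    check_secret_file /etc/krb5.keytab || rc=1
    [ $rc -eq 0 ] && echo "all checks passed"
    return $rc
}

case ${1:-} in
    --live) run_live_checks ;;
esac
```

Run it before the kinit and ldapsearch tests of step 6: a non-zero exit and the messages on stderr point at the exact file and key to correct, which is quicker than reading sssd's debug_level 10 log. The checks only read files and never modify anything, so they can be repeated after every edit.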
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7014572
- Creation Date: 14-Feb-2014
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com