How to join a RHEL7 system to an RODC with SSSD

Hi,

As information on the net is vague, I would like to share a simple process for joining RHEL7.2 and 7.3 systems to an
RODC (Read Only Domain Controller) with native SSSD. The important things are to enable enumeration in SSSD,
pre-create the computer object on an RWDC, and then join the domain using the RODC server name.

Step 1
Pre-create the computer object for the RHEL7 system on the RWDC.

Step 2
Create /etc/sssd/sssd.conf and change its permissions to 600. The contents should look similar to this:

[sssd]
domains = myorg.domain.dom
config_file_version = 2
services = nss, pam, pac, sudo
timeout = 1800

[nss]
filter_users = root, bin, daemon, adm, lp, sync, shutdown, halt, mail, operator, ftp, nobody
timeout = 1800

# Each key must appear only once per section: SSSD applies the last
# occurrence of a duplicated key and silently ignores the earlier one.
[domain/myorg.domain.dom]
ad_domain = myorg.domain.dom
# point SSSD at the RODC instead of letting it pick a DC via DNS discovery
ad_server = rodc-srv.myorg.domain.dom
krb5_realm = MYORG.DOMAIN.DOM
realmd_tags = manages-system joined-with-samba
id_provider = ad
access_provider = ad
cache_credentials = False
krb5_store_password_if_offline = False
default_shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = false
dyndns_update = False
ldap_schema = rfc2307bis
# uidNumber/gidNumber are taken from AD rather than generated from SIDs
ldap_id_mapping = False
# enumeration is the key setting for the RODC case
enumerate = True
enum_cache_timeout = 1800
timeout = 1800
ldap_use_tokengroups = True

Step 3
Ensure /etc/nsswitch.conf contains lines like these:

passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
sudoers: files sss

Step 4
Set up /etc/pam.d/system-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3 minlen= maxsequence=2
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=* log_passwd
session optional pam_sss.so

Step 4 (continued)
Set up /etc/pam.d/password-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_access.so listsep=,
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=*
session optional pam_sss.so

Step 5
Set up /etc/krb5.conf. Something like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYORG.DOMAIN.DOM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
MYORG.DOMAIN.DOM = {
}

[domain_realm]
myorg.domain.dom = MYORG.DOMAIN.DOM
.myorg.domain.dom = MYORG.DOMAIN.DOM

Step 6
Make sure /etc/krb5.keytab exists, owned by root with permissions 600.

Step 7
Enable services:

systemctl enable sssd

systemctl enable oddjobd

Step 8
Start services:

systemctl start oddjobd

systemctl start sssd
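The steps above leave a few things that are easy to get subtly wrong: the 600 mode on sssd.conf and the keytab, every nsswitch database actually consulting sss, and duplicated keys in the domain section (SSSD takes the last occurrence, so a repeated ldap_id_mapping or krb5_store_password_if_offline line quietly overrides the earlier value). The script below is an added example, not part of the original post, that checks those points; every function takes the file it inspects as an argument so it can be exercised on a scratch tree, and the file name audit_join.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: post-join sanity checks for the
# SSSD/RODC setup above. Run "sh audit_join.sh /" as root on the live system,
# or point it at a scratch tree laid out like /etc.

# Succeed when FILE exists with exactly the octal MODE (e.g. 600).
check_mode() {
    f="$1"; want="$2"
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    [ -n "$(find "$f" -perm "$want")" ] || { echo "BAD MODE $f (want $want)"; return 1; }
    echo "OK       $f mode $want"
}

# Print "[section] key" for every key that occurs more than once inside one
# section of an SSSD-style ini file.
dup_keys() {
    awk -F'=' '
        /^[[:space:]]*$/    { next }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = $0; next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (++seen[sec, key] == 2) print sec " " key
        }' "$1"
}

# Print the effective (last) value of KEY in [SECTION] of FILE; empty if unset.
# Usage: ini_get /etc/sssd/sssd.conf domain/myorg.domain.dom enumerate
ini_get() {
    awk -F'=' -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); insec = (h == want); next }
        insec && !/^[[:space:]]*$/ && !/^[[:space:]]*[#;]/ {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# Succeed when every nsswitch database listed in the post consults sss.
nss_has_sss() {
    for db in passwd shadow group services netgroup automount sudoers; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" \
            || { echo "nsswitch: $db does not use sss"; return 1; }
    done
}

# Run every check against a root directory; returns 1 if anything failed.
# Assumes a single domain in the [sssd] domains list, as in the post.
audit_join() {
    root="${1%/}"; conf="$root/etc/sssd/sssd.conf"; rc=0
    check_mode "$conf" 600 || rc=1
    [ -f "$conf" ] || return 1
    check_mode "$root/etc/krb5.keytab" 600 || rc=1
    nss_has_sss "$root/etc/nsswitch.conf" || rc=1
    dom=$(ini_get "$conf" sssd domains)
    [ -n "$dom" ] || { echo "sssd.conf: no domains configured"; rc=1; }
    [ "$(ini_get "$conf" "domain/$dom" enumerate)" = "True" ] \
        || { echo "sssd.conf: enumerate is not True for $dom"; rc=1; }
    [ -n "$(ini_get "$conf" "domain/$dom" ad_server)" ] \
        || { echo "sssd.conf: ad_server (the RODC) is not set"; rc=1; }
    dups=$(dup_keys "$conf")
    [ -z "$dups" ] || { echo "sssd.conf: duplicated keys, last one wins:"; echo "$dups"; rc=1; }
    return $rc
}

# Only audit a tree when one is named on the command line.
if [ "$#" -gt 0 ]; then
    audit_join "$1"
fi
```

The ownership check (root) is deliberately left out of check_mode so the script can be exercised by an unprivileged user on a scratch tree; on the live system, `ls -l /etc/krb5.keytab` covers it.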

This setup not only works well when joining RODCs; a similar process is used for authenticating users in middleware like
IBM MQ.

Regards and good luck,

Dusan Baljevic

Responses

It would be great if you would share the packages which need to be installed and the commands for joining the server to the RODC.