How to join RHEL7 system to RODC with SSSD

Hi,

As information on the net is vague, I would like to share a simple process for RHEL7.2 and 7.3 systems when joining
an RODC (Read Only Domain Controller) with native SSSD. The important things are to enable enumeration in SSSD,
pre-create the computer object on an RWDC, and then join the domain using the RODC server name.

Step 1
Pre-create computer object for RHEL7 system on RWDC.

Step 2
Create /etc/sssd/sssd.conf and change its permissions to 600. Contents should look similar to this:

[sssd]
domains = myorg.domain.dom
config_file_version = 2
services = nss, pam, pac, sudo
timeout = 1800

[nss]
filter_users = root, bin, daemon, adm, lp, sync, shutdown, halt, mail, operator, ftp, nobody
timeout = 1800

[domain/myorg.domain.dom]
ad_domain = myorg.domain.dom
ad_server = rodc-srv.myorg.domain.dom
krb5_realm = MYORG.DOMAIN.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
access_provider = ad
# Do not list a key twice in one section: SSSD keeps the last occurrence, so a
# conflicting pair (e.g. ldap_id_mapping = True followed by = False) is easy to miss.
krb5_store_password_if_offline = False
default_shell = /bin/bash
use_fully_qualified_names = false
fallback_homedir = /home/%u
dyndns_update = False
ldap_schema = rfc2307bis
# ldap_id_mapping = False means uidNumber/gidNumber must be populated in AD;
# set it to True to derive POSIX IDs from the objectSID instead.
ldap_id_mapping = False
enumerate = True
timeout = 1800
enum_cache_timeout = 1800
ldap_use_tokengroups = True

Step 3
Ensure /etc/nsswitch.conf contains lines like this:

passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
sudoers: files sss

Step 4
Set up /etc/pam.d/system-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3 minlen= maxsequence=2
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=* log_passwd
session optional pam_sss.so

Step 4
Set up /etc/pam.d/password-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_access.so listsep=,
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# Without this line, AD access control (access_provider = ad) is never consulted
# for services that use password-auth, such as sshd.
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=*
session optional pam_sss.so

Step 5
Set up /etc/krb5.conf. Something like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MYORG.DOMAIN.DOM

[realms]
MYORG.DOMAIN.DOM = {
}

[domain_realm]
myorg.domain.dom = MYORG.DOMAIN.DOM
.myorg.domain.dom = MYORG.DOMAIN.DOM

Step 6
Make sure to have /etc/krb5.keytab, owned by root with permissions 600.

Step 7
Enable services:

systemctl enable sssd

systemctl enable oddjobd

Step 8
Start services:

systemctl start oddjobd

systemctl start sssd

This setup not only works well when joining RODCs; a similar process is used for authenticating users in middleware like
IBM MQ.

Regards and good luck,

Dusan Baljevic
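A small checker for the sssd.conf from Step 2, added here as an example and not part of Dusan's post or of SSSD itself. It reports keys listed more than once in one section (SSSD's ini parser overwrites on duplicates, so a conflicting pair such as ldap_id_mapping = True followed by = False silently resolves to the later value) and verifies the root/600 requirement. SAMPLE_CONF is a constructed fragment modelled on the post's configuration, with the repeated keys left in so the report has something to find.

```python
"""Sanity checks for an sssd.conf before starting SSSD (added example, not from the post)."""
import os
import stat


def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping every occurrence in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def find_duplicate_keys(text):
    """Return {section: {key: [value, value, ...]}} for every key listed more than once."""
    report = {}
    for section, pairs in parse_sections(text).items():
        seen = {}
        for key, value in pairs:
            seen.setdefault(key, []).append(value)
        dups = {k: v for k, v in seen.items() if len(v) > 1}
        if dups:
            report[section] = dups
    return report


def effective_values(text, section):
    """The values SSSD ends up using for a section: the last occurrence of each key wins."""
    return dict(parse_sections(text).get(section, []))


def mode_is_private(st_mode):
    """True when the permission bits grant nothing to group or other (e.g. 0600, 0400)."""
    return stat.S_IMODE(st_mode) & 0o077 == 0


def check_conf_file(path):
    """True if path is owned by root and private; SSSD rejects a group/world-readable config."""
    st = os.stat(path)
    return st.st_uid == 0 and mode_is_private(st.st_mode)


# Constructed sample modelled on the post's configuration, duplicates included.
SAMPLE_CONF = """\
[sssd]
domains = myorg.domain.dom
config_file_version = 2
services = nss, pam, pac, sudo

[domain/myorg.domain.dom]
ad_domain = myorg.domain.dom
ad_server = rodc-srv.myorg.domain.dom
id_provider = ad
ldap_id_mapping = True
access_provider = ad
krb5_store_password_if_offline = True
id_provider = ad
krb5_store_password_if_offline = False
ldap_schema=rfc2307bis
enumerate = True
ldap_id_mapping = False
"""

if __name__ == "__main__":
    for section, dups in find_duplicate_keys(SAMPLE_CONF).items():
        used = effective_values(SAMPLE_CONF, section)
        for key, values in dups.items():
            print("[%s] %s listed %d times %s -> SSSD uses %r"
                  % (section, key, len(values), values, used[key]))
    conf = "/etc/sssd/sssd.conf"
    if os.path.exists(conf):
        print("%s owned by root and mode 600: %s" % (conf, check_conf_file(conf)))
```

Run it against the real file by replacing SAMPLE_CONF with `open("/etc/sssd/sssd.conf").read()`; any section reported by find_duplicate_keys should be cleaned up before restarting SSSD, since `sssctl config-check` will not tell you which of two conflicting values won.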

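Also added here, not from the post: an audit of the pam.d stacks from Step 4. It checks that each phase consults pam_sss.so and that the account-phase entry uses a control under which an SSSD denial actually fails the stack. This matters because access_provider = ad in sssd.conf is only enforced for a service (sshd uses password-auth) when that service's account stack calls pam_sss.so and does not let its failure be ignored. SYSTEM_AUTH is a constructed, trimmed copy of the post's stack; the second sample is the same stack with its account-phase pam_sss.so line removed.

```python
"""Audit a pam.d stack for consistency with SSSD/AD access control (added example)."""
import re

# Fields: [-]type control module [args]. The leading '-' marks a module whose absence
# is tolerated; control may be a bracketed action list such as [default=bad success=ok].
PAM_LINE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return one dict per active (non-comment) PAM line, in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m is None:
            raise ValueError("unparseable PAM line: %r" % raw)
        dash, phase, control, module, args = m.groups()
        entries.append({"phase": phase, "control": control, "module": module,
                        "args": args.split(), "optional_module": dash == "-"})
    return entries


def modules_in(entries, phase):
    return [e["module"] for e in entries if e["phase"] == phase]


def failure_is_fatal(control):
    """True when a failure from a module with this control cannot be ignored by the stack."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("[") and control.endswith("]"):
        actions = dict(a.split("=", 1) for a in control[1:-1].split())
        return actions.get("default") in ("bad", "die")
    return False


def audit_sss_stack(text):
    """Return a list of findings; an empty list means the stack consults SSSD in every phase
    and an account-phase denial from SSSD fails the stack."""
    entries = parse_pam(text)
    findings = []
    for phase in ("auth", "account", "password", "session"):
        if "pam_sss.so" not in modules_in(entries, phase):
            findings.append("%s phase never calls pam_sss.so" % phase)
    for e in entries:
        if e["phase"] == "account" and e["module"] == "pam_sss.so" \
                and not failure_is_fatal(e["control"]):
            findings.append("account-phase pam_sss.so control %r lets a denial from SSSD be ignored"
                            % e["control"])
    return findings


# Constructed, trimmed version of the post's system-auth stack.
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_limits.so
-session optional pam_systemd.so
session required pam_unix.so
session optional pam_sss.so
"""

# Same stack with the account-phase pam_sss.so line left out.
PASSWORD_AUTH_NO_SSS = "\n".join(
    l for l in SYSTEM_AUTH.splitlines() if not l.startswith("account [default=bad")) + "\n"

if __name__ == "__main__":
    for name, text in (("system-auth", SYSTEM_AUTH), ("password-auth", PASSWORD_AUTH_NO_SSS)):
        print(name, audit_sss_stack(text) or ["OK"])
```

To audit the live files, pass `open("/etc/pam.d/password-auth").read()` to audit_sss_stack; a stack where the only account-phase result for an AD user comes from pam_permit.so passes every AD user that NSS can resolve, whatever access_provider says.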
Responses

It would be great if you would share the packages which need to be installed and the commands for joining the server with the RODC.

More documentation and notes around this would be helpful. We have joined a server to a RODC but when the SSSD cache is removed, for troubleshooting purposes, it can no longer rebuild itself in a Read Only domain environment. Right now Red Hat support says to use LDAP instead of AD/SSSD/Kerberos. This seems contradictory to what you are saying. What is the preferred method to join a server to a Read Only domain?

Hi Jamie,

This process was done five years ago, when I was in a different organisation.

From what I hear, the servers are still in perfect operational order. No problems whatsoever.

On the positive side, a major project I am currently working on will migrate to RHEL 8 soon, so I will have an opportunity to test how joining RODCs works in the new environment.

Best wishes,

Dusan Baljevic (amateur radio VK2COT)

Hi,

As part of a major project, I was involved in verifying if RHEL 8.x servers can join RODCs in DMZ.

The short answer is YES! It works well.

As long as the Kerberos host object is properly pre-created in Microsoft Active Directory on some RWDC, RHEL 8.x servers in the DMZ can join the domain through the RODC. We deploy RHEL 8.x VMs through a commercial product.

The important thing is to join the DMZ server to the relevant RODC by specifying it on the command line:

$ sudo realm leave -v -U <ADadminuser> mydomain.dom

$ sudo realm -vvv join RODCsrv.mydomain.dom -U <ADadminuser>

Then simply clear the SSSD cache and ensure that the RODC is defined in /etc/sssd/sssd.conf:

[domain/mydomain.dom]
...
ad_server = RODCsrv.mydomain.dom
...

Regards,

Dusan Baljevic (amateur radio VK2COT)