SUMMARY: How to join RHEL7 system to RODC with SSSD


    Hi,

As information on the net is vague, I would like to share a simple process for RHEL7.2 and 7.3 systems when joining
an RODC (Read Only Domain Controller) with native SSSD. The important things are to enable enumeration in SSSD,
pre-create the computer object on the RWDC, and then join the domain using the RODC server name.

Step 1
Pre-create the computer object for the RHEL7 system on the RWDC.

    Step 2
Create /etc/sssd/sssd.conf and change its permissions to 600. Contents should look similar to this:

[sssd]
domains = myorg.domain.dom
config_file_version = 2
services = nss, pam, pac, sudo
timeout = 1800

[nss]
filter_users = root, bin, daemon, adm, lp, sync, shutdown, halt, mail, operator, ftp, nobody
timeout = 1800

[domain/myorg.domain.dom]
ad_domain = myorg.domain.dom
# Join and talk to the RODC, not a writable DC
ad_server = rodc-srv.myorg.domain.dom
krb5_realm = MYORG.DOMAIN.DOM
realmd_tags = manages-system joined-with-samba
id_provider = ad
access_provider = ad
cache_credentials = False
krb5_store_password_if_offline = False
default_shell = /bin/bash
use_fully_qualified_names = false
fallback_homedir = /home/%u
dyndns_update = False
# POSIX attributes from AD (rfc2307bis) instead of SID-based ID mapping;
# this requires uidNumber/gidNumber to be populated on the AD objects
ldap_schema = rfc2307bis
ldap_id_mapping = False
ldap_use_tokengroups = True
# Enumeration is required for this RODC setup
enumerate = True
enum_cache_timeout = 1800
timeout = 1800

    Step 3
    Ensure /etc/nsswitch.conf contains lines like this:

    passwd: files sss
    shadow: files sss
    group: files sss
    services: files sss
    netgroup: files sss
    automount: files sss
    sudoers: files sss

    Step 4
    Set up /etc/pam.d/system-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3 minlen= maxsequence=2
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=* log_passwd
session optional pam_sss.so

Step 4 (continued)
Set up /etc/pam.d/password-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_access.so listsep=,
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=*
session optional pam_sss.so

    Step 5
    Set up /etc/krb5.conf. Something like this:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MYORG.DOMAIN.DOM

[realms]
MYORG.DOMAIN.DOM = {
}

    [domain_realm]
    myorg.domain.dom = MYORG.DOMAIN.DOM
    .myorg.domain.dom = MYORG.DOMAIN.DOM

    Step 6
    Make sure to have /etc/krb5.keytab, owned by root with permissions 600.

    Step 7
    Enable services:

    systemctl enable sssd

    systemctl enable oddjobd

    Step 8
    Start services:

    systemctl start oddjobd

    systemctl start sssd
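The following checks are an added example, not part of the original post: they verify the finished setup above (file modes, no duplicated keys in sssd.conf, sss listed in nsswitch.conf, realm matching the AD domain) and, with an assumed --live switch, run them against the real files on the joined host.

```shell
#!/bin/sh
# Sanity checks for the SSSD/RODC setup described above. Added example, not
# part of the original post. Paths and the --live switch are assumptions;
# each check function returns 0 (pass) or 1 (fail). GNU stat is assumed.

# sssd.conf and krb5.keytab must be mode 600.
check_mode_600() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Report keys that appear more than once inside the same section of an
# ini-style file; the effective value is ambiguous, so this must be empty.
# Prints "section/key" per duplicate and returns 1 if any were found.
ini_dup_keys() {
    awk -F'=' '
        /^[ \t]*\[/ { sec = $0; next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { key = $1; gsub(/[ \t]/, "", key); k = sec "/" key
          if (++seen[k] == 2) { print k; dup = 1 } }
        END { if (dup) exit 1; exit 0 }' "$1"
}

# A given nsswitch database (passwd, group, ...) must list the sss source.
nsswitch_uses_sss() {   # $1 = nsswitch.conf, $2 = database name
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|$)" "$1"
}

# default_realm in krb5.conf must be the upper-case form of ad_domain.
realm_matches_domain() {   # $1 = sssd.conf, $2 = krb5.conf
    d=$(sed -n 's/^[[:space:]]*ad_domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    r=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1)
    [ -n "$d" ] && [ "$(printf '%s' "$d" | tr '[:lower:]' '[:upper:]')" = "$r" ]
}

# Live run against the real files (run as root):  sh sssd_rodc_check.sh --live
if [ "${1:-}" = "--live" ]; then
    rc=0
    check_mode_600 /etc/sssd/sssd.conf || { echo "FAIL: sssd.conf mode"; rc=1; }
    check_mode_600 /etc/krb5.keytab    || { echo "FAIL: krb5.keytab mode"; rc=1; }
    ini_dup_keys /etc/sssd/sssd.conf   || { echo "FAIL: duplicate keys above"; rc=1; }
    for db in passwd group shadow; do
        nsswitch_uses_sss /etc/nsswitch.conf "$db" || { echo "FAIL: nsswitch $db"; rc=1; }
    done
    realm_matches_domain /etc/sssd/sssd.conf /etc/krb5.conf || { echo "FAIL: realm"; rc=1; }
    # With enumerate = True, getent must return more than the local passwd file.
    [ "$(getent passwd | wc -l)" -gt "$(wc -l < /etc/passwd)" ] \
        || { echo "FAIL: no domain users enumerated"; rc=1; }
    exit $rc
fi
```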

This setup not only works well when joining RODCs; a similar process is used for authenticating users in middleware like
IBM MQ.

    Regards and good luck,

    Dusan Baljevic
