How to join a RHEL7 system to an RODC with SSSD

Hi,

As information on the net is vague, I would like to share a simple process for RHEL7.2 and 7.3 systems joining an
RODC (Read Only Domain Controller) with native SSSD. The important things are to enable enumeration in SSSD,
pre-create the computer object on the RWDC, and then join the domain using the RODC server name.

Step 1
Pre-create the computer object for the RHEL7 system on the RWDC.

Step 2
Create /etc/sssd/sssd.conf and change its permissions to 600. Contents should look similar to this:

[sssd]
domains = myorg.domain.dom
config_file_version = 2
services = nss, pam, pac, sudo
timeout = 1800

[nss]
filter_users = root, bin, daemon, adm, lp, sync, shutdown, halt, mail, operator, ftp, nobody
timeout = 1800

[domain/myorg.domain.dom]
ad_domain = myorg.domain.dom
ad_server = rodc-srv.myorg.domain.dom
krb5_realm = MYORG.DOMAIN.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = False
id_provider = ad
access_provider = ad
# each key may appear only once per section: SSSD keeps the last value of a repeated key
krb5_store_password_if_offline = False
default_shell = /bin/bash
use_fully_qualified_names = false
fallback_homedir = /home/%u
dyndns_update = False
ldap_schema = rfc2307bis
# False means UIDs/GIDs come from the POSIX attributes (uidNumber/gidNumber) in AD;
# True lets SSSD generate them from the object SID instead
ldap_id_mapping = False
enumerate = True
timeout = 1800
enum_cache_timeout = 1800
ldap_use_tokengroups = True

Step 3
Ensure /etc/nsswitch.conf contains lines like this:

passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
sudoers: files sss

Step 4
Set up /etc/pam.d/system-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3 minlen= maxsequence=2
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=* log_passwd
session optional pam_sss.so

Step 4b
Set up /etc/pam.d/password-auth. Something like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_access.so listsep=,
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so enable=*
session optional pam_sss.so

Step 5
Set up /etc/krb5.conf. Something like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

default_realm = MYORG.DOMAIN.DOM
[realms]
MYORG.DOMAIN.DOM = {
}

[domain_realm]
myorg.domain.dom = MYORG.DOMAIN.DOM
.myorg.domain.dom = MYORG.DOMAIN.DOM

Step 6
Make sure to have /etc/krb5.keytab, owned by root with permissions 600.

Step 7
Enable services:

systemctl enable sssd

systemctl enable oddjobd

Step 8
Start services:

systemctl start oddjobd

systemctl start sssd
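Before starting the services, it is worth checking the files produced by the steps above for the mistakes that bite most often: a key repeated inside one section of sssd.conf (SSSD keeps the last value, so an earlier setting is silently overridden), enumeration left off, sss missing from nsswitch.conf, and sssd.conf or the keytab not being mode 600. The script below is an added example and not part of the original post; it assumes POSIX sh with awk, mktemp and GNU stat (-c) as found on RHEL7, and it runs on constructed temporary files, so the paths it checks are assumptions. On a real host, point the functions at /etc/sssd/sssd.conf, /etc/nsswitch.conf and /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the SSSD/RODC
# setup described above. Assumes POSIX sh, awk, mktemp and GNU stat -c (RHEL7).

# Print "[section] key" for every key that occurs more than once inside the same
# [section] of an SSSD config. SSSD keeps the last value of a repeated key, so a
# duplicate silently overrides the earlier setting.
sssd_duplicate_keys() {
    awk -F= '
        /^[[:space:]]*\[/      { sec = $0; next }
        /^[[:space:]]*[#;]/    { next }
        /^[[:space:]]*$/       { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (++seen[sec SUBSEP key] == 2) print sec " " key
        }' "$1"
}

# Exit 0 only if the effective (last) enumerate value in a [domain/...] section
# is true; the RODC setup above relies on enumeration being on.
sssd_enumerate_enabled() {
    awk -F= '
        /^[[:space:]]*\[domain\//           { insec = 1; next }
        /^[[:space:]]*\[/                   { insec = 0; next }
        insec && /^[[:space:]]*[#;]/        { next }
        insec && /^[[:space:]]*$/           { next }
        insec {
            key = $1; gsub(/[[:space:]]/, "", key)
            val = $2; gsub(/[[:space:]]/, "", val)
            if (key == "enumerate") last = tolower(val)
        }
        END { exit (last == "true") ? 0 : 1 }' "$1"
}

# Exit 0 only if every named nsswitch database lists "sss" among its sources.
nsswitch_has_sss() {
    file=$1; shift
    for db in "$@"; do
        awk -v db="$db" '
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
            END { exit (ok ? 0 : 1) }' "$file" || return 1
    done
}

# Exit 0 only if the file mode is exactly 0600 (sssd.conf and krb5.keytab need this).
file_mode_is_600() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Constructed sample that mirrors the repeated keys seen in the sssd.conf above.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = myorg.domain.dom
config_file_version = 2
timeout = 1800

[domain/myorg.domain.dom]
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
id_provider = ad
krb5_store_password_if_offline = False
enumerate = True
ldap_id_mapping = False
timeout = 1800
EOF
}

# Demonstration on temporary files; every check sits in a conditional so the
# script never aborts under set -e.
demo_sssd_checks() {
    conf=$(mktemp); nss=$(mktemp)
    write_sample_sssd_conf "$conf"
    printf 'passwd: files sss\ngroup: files sss\nhosts: files dns\n' > "$nss"
    chmod 600 "$conf"
    echo "duplicate keys (last value wins):"
    sssd_duplicate_keys "$conf"
    if sssd_enumerate_enabled "$conf"; then echo "enumerate: on"; else echo "enumerate: OFF"; fi
    if nsswitch_has_sss "$nss" passwd group; then echo "nsswitch: sss present for passwd/group"; fi
    if file_mode_is_600 "$conf"; then echo "sssd.conf mode: 600"; fi
    rm -f "$conf" "$nss"
}

demo_sssd_checks
```

Once the files pass, `klist -k /etc/krb5.keytab` confirms the keytab holds the host principals, and after `systemctl start sssd` a `getent passwd <domainuser>` resolving through sss shows that enumeration against the RODC is working.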

This setup not only works well when joining RODCs; a similar process is used for authenticating users in middleware like
IBM MQ.

Regards and good luck,

Dusan Baljevic
