Mapping Active Directory Posix Attributes
I am in the process of attempting to migrate our authentication scheme from 389-ds to our existing Windows 2012 AD.
realm join [domain] -U [admin]
I am able to set up authentication with the SID+UID algorithm, but when I set ldap_id_mapping = False to try and pull the manually configured POSIX attributes from AD, it does not find any users.
[Initially SSSD fails to restart; I delete /var/lib/sss/db/* and restart sssd.]
I have been having a hard time finding any solution that does not involve expensive 3rd party software, or even much documentation on the subject.
The reason for custom UID/GID is to enable users to continue using the existing Linux share without having to re-permission the entire NFS and other existing host files.
Any ideas or helpful docs would be greatly appreciated.
I cannot post configs as it is a disconnected network.
Responses
I haven't been using realmd, so there is some hand config of various files. What's worked for me is:
/etc/krb5.conf excerpts
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
default_realm = RRR
/etc/samba/smb.conf excerpts
realm = RRR
workgroup = WWW
client signing = required
kerberos method = secrets and keytab
obey pam restrictions = Yes
security = ADS
idmap config * : backend = tdb
/etc/sssd/sssd.conf
[sssd]
domains = LOCAL, RRR
services = nss, pam, pac, ifp
config_file_version = 2
[nss]
shell_fallback = /bin/bash
fallback_homedir = /home/%u
filter_groups = root
filter_users = root
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 7
offline_failed_login_delay = 7
[pac]
[ifp]
[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit
[domain/RRR]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = false
cache_credentials = true
use_fully_qualified_names = false
ad_access_filter = (memberOf=cn=user_SERVER,cn=Users,dc=...)
ad_domain = rrr
To activate this configuration, I run:
read -p "join server: " DC
read -p "join user: " SUSER
kdestroy
systemctl start smb # create /var/lib/samba/*.tdb files
sleep 2
systemctl stop smb
echo "expect 2 prompts for $SUSER password ..."
kinit $SUSER
net ads join member -S $DC -U $SUSER
net ads keytab create -k -S $DC
systemctl start sssd nmb smb
kdestroy
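With ldap_id_mapping = false, SSSD takes each user's POSIX identity from the uidNumber and gidNumber attributes in AD and skips entries that lack them, which is the usual reason "it does not find any users" after the switch. The following is an added check, not part of SSSD, realmd, or the configuration above; it parses a constructed ldapsearch-style LDIF export and applies the shell_fallback / fallback_homedir rules from the [nss] section to show which accounts would resolve and which would be silently dropped.

```python
import configparser

# Constructed LDIF standing in for `ldapsearch -LLL` output of three
# AD users; carol has no POSIX attributes set.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /srv/home/alice
loginShell: /bin/zsh

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
"""

# Constructed [nss] excerpt using the fallbacks from the response above.
SAMPLE_SSSD_CONF = "[nss]\nshell_fallback = /bin/bash\nfallback_homedir = /home/%u\n"


def parse_ldif(text):
    """One dict per LDIF entry (single-valued attributes, blank-line separated)."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]


def resolve_users(ldif_text, sssd_conf_text):
    """Mimic SSSD with ldap_id_mapping = false: return (resolved, skipped).

    resolved holds passwd-style tuples; skipped holds names of entries
    without a POSIX UID/GID, which SSSD does not return at all."""
    # interpolation=None: sssd.conf values such as "%u" are not configparser syntax
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    shell_fb = cfg.get("nss", "shell_fallback", fallback="/bin/sh")
    home_tmpl = cfg.get("nss", "fallback_homedir", fallback="/")
    resolved, skipped = [], []
    for e in parse_ldif(ldif_text):
        name = e.get("sAMAccountName", e["dn"])
        if "uidNumber" not in e or "gidNumber" not in e:
            skipped.append(name)
            continue
        home = e.get("unixHomeDirectory") or home_tmpl.replace("%u", name)
        shell = e.get("loginShell") or shell_fb
        resolved.append((name, int(e["uidNumber"]), int(e["gidNumber"]), home, shell))
    return resolved, skipped
```

Running it on a real export (replace SAMPLE_LDIF with ldapsearch output for the user container) lists exactly the accounts that still need uidNumber/gidNumber before the NFS permissions will line up.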
