Mapping Active Directory Posix Attributes


I am in the process of attempting to migrate our authentication scheme from 389-ds to our existing Windows 2012 AD.

realm join [domain] -U [admin]

I am able to set up authentication with the SID+UID algorithm, but when I set ldap_id_mapping = False to try to pull the manually configured POSIX attributes from AD, it does not find any users.
[Initially SSSD fails to restart; I delete /var/lib/sss/db/* and restart SSSD.]

I have been having a hard time finding any solution that does not involve expensive third-party software, or even much documentation on the subject.

The reason for custom UID/GID is to enable users to continue using the existing Linux share without having to re-permission the entire NFS and other existing host files.

Any ideas or helpful docs would be greatly appreciated.

I cannot post configs as it is a disconnected network.

Responses

I haven't been using realmd, so there is some hand configuration of various files. What's worked for me is:

/etc/krb5.conf excerpts (RRR is the Kerberos realm):

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  default_realm = RRR

/etc/samba/smb.conf excerpts (WWW is the NetBIOS workgroup):

  realm = RRR
  workgroup = WWW
  client signing = required
  kerberos method = secrets and keytab
  obey pam restrictions = Yes
  security = ADS
  idmap config * : backend = tdb

/etc/sssd/sssd.conf:

[sssd]
domains = LOCAL, RRR
services = nss, pam, pac, ifp
config_file_version = 2

[nss]
shell_fallback = /bin/bash
fallback_homedir = /home/%u
filter_groups = root
filter_users = root
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 7
offline_failed_login_delay = 7

[pac]

[ifp]

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/RRR]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# false: take uidNumber/gidNumber from the AD user objects instead of deriving them from the SID
ldap_id_mapping = false
cache_credentials = true
use_fully_qualified_names = false
# only members of this group may log in (DN truncated in the original)
ad_access_filter = (memberOf=cn=user_SERVER,cn=Users,dc=...)
ad_domain = rrr

To activate this configuration, I run:

read -p "join server: " DC
read -p "join user: " SUSER

kdestroy
systemctl start smb    # create /var/lib/samba/*.tdb files
sleep 2
systemctl stop smb
echo "expect 2 prompts for $SUSER password ..."
kinit "$SUSER"                                  # first prompt: obtain a TGT for the join user
net ads join member -S "$DC" -U "$SUSER"        # second prompt: join the machine to the domain
net ads keytab create -k -S "$DC"               # write /etc/krb5.keytab using the Kerberos ticket (-k)
systemctl start sssd nmb smb
kdestroy

Matt,

Are you running IMU on your 2012 AD server? I.e., have you enabled the schema extension for the POSIX attributes?

https://goo.gl/4cqHJL

Have you configured the POSIX attributes for the users?
