    SUMMARY: How to join a RHEL7 system to an RODC with SSSD
    Hi,

    As information on the net is vague, I would like to share a simple process for RHEL7.2 and 7.3 systems when joining
    an RODC (Read Only Domain Controller) with native SSSD. The important things are to enable enumeration in SSSD,
    pre-create the computer object on the RWDC, and then join the domain by using the RODC server name.

    Step 1
    Pre-create the computer object for the RHEL7 system on the RWDC.

    Step 2
    Create /etc/sssd/sssd.conf and change its permissions to 600. Contents should look similar to this:

    [sssd]
    domains = myorg.domain.dom
    config_file_version = 2
    services = nss, pam, pac, sudo
    timeout = 1800

    [nss]
    filter_users = root, bin, daemon, adm, lp, sync, shutdown, halt, mail, operator, ftp, nobody
    timeout = 1800

    [domain/myorg.domain.dom]
    ad_domain = myorg.domain.dom
    ad_server = rodc-srv.myorg.domain.dom
    krb5_realm = MYORG.DOMAIN.DOM
    realmd_tags = manages-system joined-with-samba
    cache_credentials = False
    id_provider = ad
    access_provider = ad
    # id_provider, krb5_store_password_if_offline and ldap_id_mapping were
    # each listed twice; SSSD applies the last value of a repeated key, so
    # the later values are the ones kept here.
    krb5_store_password_if_offline = False
    default_shell = /bin/bash
    use_fully_qualified_names = false
    fallback_homedir = /home/%u
    dyndns_update = False
    ldap_schema = rfc2307bis
    ldap_id_mapping = False
    enumerate = True
    timeout = 1800
    enum_cache_timeout = 1800
    ldap_use_tokengroups = True

    Step 3
    Ensure /etc/nsswitch.conf contains lines like this:

    passwd: files sss
    shadow: files sss
    group: files sss
    services: files sss
    netgroup: files sss
    automount: files sss
    sudoers: files sss

    Step 4
    Set up /etc/pam.d/system-auth. Something like this:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ucredit=-2 ocredit=-2 lcredit=-2 difok=3 minlen= maxsequence=2
    password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_oddjob_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session required pam_tty_audit.so enable=* log_passwd
    session optional pam_sss.so

    Step 4 (continued)
    Set up /etc/pam.d/password-auth. Something like this:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth [default=1 success=ok] pam_localuser.so
    auth sufficient pam_unix.so try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

    account required pam_access.so listsep=,
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
    password sufficient pam_sss.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_oddjob_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session required pam_tty_audit.so enable=*
    session optional pam_sss.so

    Step 5
    Set up /etc/krb5.conf. Something like this:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = MYORG.DOMAIN.DOM
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    MYORG.DOMAIN.DOM = {
    }

    [domain_realm]
    myorg.domain.dom = MYORG.DOMAIN.DOM
    .myorg.domain.dom = MYORG.DOMAIN.DOM

    Step 6
    Make sure /etc/krb5.keytab exists, owned by root with permissions 600.

    Step 7
    Enable services:

    systemctl enable sssd

    systemctl enable oddjobd

    Step 8
    Start services:

    systemctl start oddjobd

    systemctl start sssd

    This setup not only works well when joining RODCs; a similar process is used for authenticating users in middleware like
    IBM MQ.

    Regards and good luck,

    Dusan Baljevic
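    A small lint script for the sssd.conf produced by Step 2, added here as an example and not part of the post above. It checks the two things that most often break such a join quietly: the file mode (SSSD rejects a world-readable sssd.conf) and a key that is set more than once in the same section, since SSSD keeps the last value and an earlier setting is silently overridden. The sample file inside demo_dup_count is constructed for the self-check; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an sssd.conf for two
# faults that break an RODC join silently. 1) The file must be mode 0600,
# or SSSD rejects it. 2) A key set twice in one section: SSSD keeps the
# LAST value, so "ldap_id_mapping = True" followed later by
# "ldap_id_mapping = False" means id mapping is OFF.

# Succeed only when FILE is exactly mode 0600 (POSIX find, no GNU stat).
sssd_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0600 -print 2>/dev/null)" ]
}

# Print "section key" for every key set more than once in the same
# section. Exit status 1 if any duplicate exists, 0 if the file is clean.
sssd_dup_keys() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments, blanks
        /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
        /=/ {
            key = $0
            sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
            if (++seen[sec, key] == 2) { print sec, key; dup = 1 }
        }
        END { if (dup) exit 1 }
    ' "$1"
}

# Constructed sample reproducing the post's duplicated keys; prints the
# number of duplicate keys found (a self-check for sssd_dup_keys).
demo_dup_count() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
[sssd]
domains = myorg.domain.dom
config_file_version = 2

[domain/myorg.domain.dom]
id_provider = ad
ldap_id_mapping = True
krb5_store_password_if_offline = True
id_provider = ad
ldap_id_mapping = False
EOF
    sssd_dup_keys "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Lint a real file when one is given: sh sssd-lint.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    sssd_mode_ok "$1" || echo "$1: mode is not 0600"
    sssd_dup_keys "$1" || echo "$1: duplicate keys listed above; SSSD keeps the last value"
fi
```

Run it against /etc/sssd/sssd.conf before starting sssd in Step 8; a clean file prints nothing.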
