Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

30.4.2.3. Active Directory Domain Example

For SSSD to work with an Active Directory domain, both the Active Directory domain and the local system have to be configured specially to communicate with one another.

Note

The Microsoft Active Directory documentation has complete procedures for configuring the Active Directory domain.
  1. Using authconfig, set the Linux client to use Active Directory as its LDAP identity provider. For example: 
    authconfig --enableldap --enableldapauth --ldapserver=ldap://ad.example.com:389 --enablekrb5 --krb5realm AD-REALM.EXAMPLE.COM --krb5kdc ad-kdc.example.com:88 --krb5adminserver ad-kdc.example.com:749 --update
    The authconfig command is described in Section 29.4, “Command Line Version”.
  2. Create the Active Directory Domain Services role.
  3. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a new Computer object with the name of the Linux client.
    1. In the Administrative Tools menu, select the Active Directory Users and Computers application.
    2. Expand the Active Directory root object, such as ad.example.com.
    3. Right-click Computers, and select the New and the Computer item.
    4. Enter the name for the Linux client, such as rhel-server, and click OK.
    5. Expand the Computers object.
    6. Right-click the rhel-server object, and select Properties.
    7. In the UNIX Attributes, enter the name of the Linux NIS domain and the IP address of the Linux server.
      Click OK.
  5. From the command prompt on the Active Directory server, create a machine account, password, and UPN for the Linux host principal. 
    C:\> setspn -A host/rhel-server.example.com@AD-REALM.EXAMPLE.COM rhel-server
Registering ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com
        host/rhel server.example.com@AD-REALM.EXAMPLE.COM
Updated object						
	
C:\> setspn -L rhel-server 
Registered ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com:
        host/rhel server.example.com@AD-REALM.EXAMPLE.COM

C:\> ktpass /princ host/rhel-server.example.com@AD-REALM.EXAMPLE.COM /out rhel-server.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD\rhel-server$ +rndPass

Targeting domain controller: 
    ad.example.com
Using legacy password setting method
Successfully mapped host/rhel server.redhat.com 
... 8< ...
  6. Copy the keytab from the Active Directory server to the Linux client, and save it as /etc/krb5.keytab.
  7. On the Linux system, reset the permissions and owner for the keytab file. 
    [root@rhel-server ~]# chown root:root /etc/krb5.keytab 
	
[root@rhel-server ~]# chmod 0600 /etc/krb5.keytab
  8. Restore the SELinux file permissions for the keytab. 
    [root@rhel-server ~]# restorecon /etc/krb5.keytab
  9. Verify that the host can connect to the Active Directory domain. 
    [root@rhel-server ~]# kinit -k -t /etc/krb5.keytab host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
  10. On the Active Directory server, create a a group for the Linux users.
    1. Create a new group named unixusers.
    2. Open the unixusers group and open the Unix Attributes tab.
    3. Configure the Unix settings:
      • The NIS domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers
  11. Then, configure the SSSD domain on the Linux machine.

    Example 30.2. An Active Directory 2008 Domain

    [root@rhel-server ~]# vim /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam

[nss]

[pam]

[domain/ad.example.com]
cache_credentials = true
enumerate = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD-REALM.EXAMPLE.COM 


ldap_schema = rfc2307bis

ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName

ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true

#krb5_server = server.ad.example.com
krb5_realm = AD-REALM.EXAMPLE.COM
    These options are described in the man page for LDAP domain configuration, sssd-ldap(5).
  12. Restart SSSD. 
    [root@rhel-server ~]# service sssd restart