Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

30.4.2.3. Active Directory Domain Example

For SSSD to work with an Active Directory domain, both the Active Directory domain and the local system have to be configured specially to communicate with one another.

Note

The Microsoft Active Directory documentation has complete procedures for configuring the Active Directory domain.
  1. Using authconfig, set the Linux client to use Active Directory as its LDAP identity provider. For example:
    authconfig --enableldap --enableldapauth --ldapserver=ldap://ad.example.com:389 --enablekrb5 --krb5realm AD-REALM.EXAMPLE.COM --krb5kdc ad-kdc.example.com:88 --krb5adminserver ad-kdc.example.com:749 --update
    The authconfig command is described in Section 29.4, “Command Line Version”.
  2. Create the Active Directory Domain Services role.
  3. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a new Computer object with the name of the Linux client.
    1. In the Administrative Tools menu, select the Active Directory Users and Computers application.
    2. Expand the Active Directory root object, such as ad.example.com.
    3. Right-click Computers, and select the New and the Computer item.
    4. Enter the name for the Linux client, such as rhel-server, and click OK.
    5. Expand the Computers object.
    6. Right-click the rhel-server object, and select Properties.
    7. In the UNIX Attributes, enter the name of the Linux NIS domain and the IP address of the Linux server.
      Click OK.
  5. From the command prompt on the Active Directory server, create a machine account, password, and UPN for the Linux host principal.
    C:\> setspn -A host/rhel-server.example.com@AD-REALM.EXAMPLE.COM rhel-server
    Registering ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com
            host/rhel server.example.com@AD-REALM.EXAMPLE.COM
    Updated object						
    	
    C:\> setspn -L rhel-server 
    Registered ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com:
            host/rhel server.example.com@AD-REALM.EXAMPLE.COM
    
    C:\> ktpass /princ host/rhel-server.example.com@AD-REALM.EXAMPLE.COM /out rhel-server.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD\rhel-server$ +rndPass
    
    Targeting domain controller: 
        ad.example.com
    Using legacy password setting method
    Successfully mapped host/rhel server.redhat.com 
    ... 8< ...
  6. Copy the keytab from the Active Directory server to the Linux client, and save it as /etc/krb5.keytab.
  7. On the Linux system, reset the permissions and owner for the keytab file.
    [root@rhel-server ~]# chown root:root /etc/krb5.keytab 
    	
    [root@rhel-server ~]# chmod 0600 /etc/krb5.keytab
  8. Restore the SELinux file permissions for the keytab.
    [root@rhel-server ~]# restorecon /etc/krb5.keytab
  9. Verify that the host can connect to the Active Directory domain.
    [root@rhel-server ~]# kinit -k -t /etc/krb5.keytab host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
  10. On the Active Directory server, create a a group for the Linux users.
    1. Create a new group named unixusers.
    2. Open the unixusers group and open the Unix Attributes tab.
    3. Configure the Unix settings:
      • The NIS domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers
  11. Then, configure the SSSD domain on the Linux machine.

    Example 30.2. An Active Directory 2008 Domain

    [root@rhel-server ~]# vim /etc/sssd/sssd.conf
    
    [sssd]
    config_file_version = 2
    domains = ad.example.com
    services = nss, pam
    
    [nss]
    
    [pam]
    
    [domain/ad.example.com]
    cache_credentials = true
    enumerate = false
    
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/rhel-server.example.com@AD-REALM.EXAMPLE.COM 
    
    
    ldap_schema = rfc2307bis
    
    ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_principal = userPrincipalName
    ldap_user_name = sAMAccountName
    
    ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
    ldap_group_object_class = group
    
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    ldap_disable_referrals = true
    
    #krb5_server = server.ad.example.com
    krb5_realm = AD-REALM.EXAMPLE.COM
    These options are described in the man page for LDAP domain configuration, sssd-ldap(5).
  12. Restart SSSD.
    [root@rhel-server ~]# service sssd restart