13.2.13. Creating Domains: Active Directory
- Identities using a Windows security ID must be mapped to the corresponding Linux system user ID.
- Searches must account for the range retrieval extension.
- There may be performance issues with LDAP referrals.
Mapping Active Directory Securiy IDs and Linux User IDs
- Using Services for Unix to insert POSIX attributes on Windows user and group entries, and then having those attributes pulled into PAM/NSS
- Using ID mapping on SSSD to create a map between Active Directory security IDs (SIDs) and the generated UIDs on Linux
The Mechanism of ID Mapping
|_____________________________| | | minimum ID max ID
| slice 1 | slice 2 | ... | |_________|_________|_________| | | | | minimum ID max ID
| Active | Active | | |Directory|Directory| | |domain 1 |domain 2 | ... | | | | | | slice 1 | slice 2 | ... | |_________|_________|_________| | | | | minimum ID max ID
ID Mapping Parameters
ldap_id_mapping = True ldap_schema = ad
gidNumberattributes are ignored. This prevents any manually-assigned values. If any values must be manually assigned, then all values must be manually assigned, and ID mapping should be disabled.
- A system UID is created for the user based on his SID and the ID range for that domain.
- A GID is created for the user, which is identical to the UID.
- A private group is created for the user.
- A home directory is created, based on the home directory format in the
- A shell is created, according to the system defaults or the setting in the
- If the user belongs to any groups in the Active Directory domain, then, using the SID, SSSD adds the user to those groups on the Linux system.
Active Directory Users and Range Retrieval Searches
MaxValRange, which sets a limit on how many values for a multi-valued attribute will be returned. This is the range retrieval search extension. Essentially, this runs multiuple mini-searches, each returning a subset of the results within a given range, until all matches are returned.
memberattribute, each entry could have multiple values, and there can be multiple entries with that attribute. If there are 2000 matching results (or more), then
MaxValRangelimits how many are displayed at once; this is the value range. The given attribute then has an additional flag set, showing which range in the set the result is in:
member;range=99-499: cn=John Smith...
ldap_user_search_base— are not performant with range retrievals. Be cautious when configuring search bases in the Active Directory provider domain and consider what searches may trigger a range retrieval.
Performance and LDAP Referrals
ldap_referrals = false
Active Directory as Other Provider Types
advalue is a short-cut which automatically pulls in the parameters and values to configure a given provider for Active Directory. For example, using
access_provider = adto configure an Active Directory access provider expands to this configuration using the explicit LDAP provider parameters:
access_provider = ldap ldap_access_order = expire ldap_account_expire_policy = ad
Procedure 13.6. Configuring an Active Directory Identity Provider
*_providerparameters for a domain. Additionally, it is possible to load the native Active Directory schema for user and group entries, rather than using the default RFC 2307.
- Make sure that both the Active Directory and Linux systems have a properly configured environment.
- Name resolution must be properly configured, particularly if service discovery is used with SSSD.
- The clocks on both systems must be in sync for Kerberos to work properly.
- Set up the Linux system as an Active Directory client and enroll it within the Active Directory domain. This is done by configuring the Kerberos and Samba services on the Linux system.
- Set up Kerberos to use the Active Directory Kerberos realm.
- Open the Kerberos client configuration file.
~]# vim /etc/krb5.conf
- Configure the
[libdefaults]sections so that they connect to the Active Directory realm.
[logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = falseIf autodiscovery is not used with SSSD, then also configure the
[domain_realm]sections to explicitly define the Active Directory server.
- Configure the Samba server to connect to the Active directory server.
- Open the Samba configuration file.
~]# vim /etc/samba/smb.conf
- Set the Active Directory domain information in the
[global] workgroup = EXAMPLE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = AD.EXAMPLE.COM realm = EXAMPLE.COM security = ads
- Add the Linux machine to the Active Directory domain.
- Obtain Kerberos credentials for a Windows administrative user.
~]# kinit Administrator
- Add the machine to the domain using the
~]# net ads join -k Joined 'server' to dns domain 'example.com'This creates a new keytab file,
/etc/krb5.keytab.List the keys for the system and check that the host principal is there.
~]# klist -k
authconfigto enable SSSD for system authentication.
# authconfig --update --enablesssd --enablesssdauth
- Set the Active Directory domain as an identity provider in the SSSD configuration, as shown in Example 13.7, “An Active Directory 2008 R2 Domain” and Example 13.8, “An Active Directory 2008 R2 Domain with ID Mapping”.
- Restart the SSH service to load the new PAM configuration.
~]# service sshd restart
- Restart SSSD after changing the configuration file.
~]# service sssd restart
Example 13.7. An Active Directory 2008 R2 Domain
~]# vim /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = ad.example.com services = nss, pam ... [domain/ad.example.com] id_provider = ad ad_server = ad.example.com ad_hostname = ad.example.com auth_provider = ad chpass_provider = ad access_provider = ad # defines user/group schema type ldap_schema = ad # using explicit POSIX attributes in the Windows entries ldap_id_mapping = False # caching credentials cache_credentials = true # access controls ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true # performance ldap_referrals = false
ldap_schema) and ID mapping must be explicitly enabled (
Example 13.8. An Active Directory 2008 R2 Domain with ID Mapping
~]# vim /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = ad.example.com services = nss, pam ... [domain/ad.example.com] id_provider = ad ad_server = ad.example.com ad_hostname = ad.example.com auth_provider = ad chpass_provider = ad access_provider = ad
# defines user/group schema type
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = True# caching credentials cache_credentials = true # access controls ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true # performance ldap_referrals = false