13.2.14. Configuring Domains: Active Directory as an LDAP Provider (Alternative)

While Active Directory can be configured as a type-specific identity provider, it can also be configured as a pure LDAP provider with a Kerberos authentication provider.

Procedure 13.7. Configuring Active Directory as an LDAP Provider

  1. It is recommended that SSSD connect to the Active Directory server using SASL, which means that the local host must have a service keytab for the Windows domain on the Linux host.
    This keytab can be created using Samba.
    1. Configure the /etc/krb5.conf file to use the Active Directory realm. 
      [logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = false

[realms]
# Define only if DNS lookups are not working
# AD.EXAMPLE.COM = {
#  kdc = server.ad.example.com
#  admin_server = server.ad.example.com
#  master_kdc = server.ad.example.com
# }

[domain_realm]
# Define only if DNS lookups are not working
# .ad.example.com = AD.EXAMPLE.COM
# ad.example.com = AD.EXAMPLE.COM
    2. Set the Samba configuration file, /etc/samba/smb.conf, to point to the Windows Kerberos realm. 
      [global]
   workgroup = EXAMPLE
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   password server = AD.EXAMPLE.COM
   realm = EXAMPLE.COM
   security = ads
    3. To initialize Kerberos, type the following command as root: 
      ~]# kinit Administrator@EXAMPLE.COM
    4. Then, run the net ads command to log in as an administrator principal. This administrator account must have sufficient rights to add a machine to the Windows domain, but it does not require domain administrator privileges. 
      ~]# net ads join -U Administrator
    5. Run net ads again to add the host machine to the domain. This can be done with the host principal (host/FQDN) or, optionally, with the NFS service (nfs/FQDN). 
      ~]# net ads join createupn="host/rhel-server.example.com@AD.EXAMPLE.COM" -U Administrator
  2. Make sure that the Services for Unix package is installed on the Windows server.
  3. Set up the Windows domain which will be used with SSSD.
    1. On the Windows machine, open Server Manager.
    2. Create the Active Directory Domain Services role.
    3. Create a new domain, such as ad.example.com.
    4. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a group for the Linux users.
    1. Open Administrative Tools and select Active Directory Users and Computers.
    2. Select the Active Directory domain, ad.example.com.
    3. In the Users tab, right-click and select Create a New Group.
    4. Name the new group unixusers, and save.
    5. Double-click the unixusers group entry, and open the Users tab.
    6. Open the Unix Attributes tab.
    7. Set the NIS domain to the NIS domain that was configured for ad.example.com and, optionally, set a group ID (GID) number.
  5. Configure a user to be part of the Unix group.
    1. Open Administrative Tools and select Active Directory Users and Computers.
    2. Select the Active Directory domain, ad.example.com.
    3. In the Users tab, right-click and select Create a New User.
    4. Name the new user aduser, and make sure that the User must change password at next logon and Lock account check boxes are not selected.
      Then save the user.
    5. Double-click the aduser user entry, and open the Unix Attributes tab. Make sure that the Unix configuration matches that of the Active Directory domain and the unixgroup group:
      • The NIS domain, as created for the Active Directory domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers

    Note

    Password lookups on large directories can take several seconds per request. The initial user lookup is a call to the LDAP server. Unindexed searches are much more resource-intensive, and therefore take longer, than indexed searches because the server checks every entry in the directory for a match. To speed up user lookups, index the attributes that are searched for by SSSD:
    • uid
    • uidNumber
    • gidNumber
    • gecos
  6. On the Linux system, configure the SSSD domain. 
    ~]# vim /etc/sssd/sssd.conf
    For a complete list of LDAP provider parameters, see the sssd-ldap(5) man pages.

    Example 13.9. An Active Directory 2008 R2 Domain with Services for Unix

    [sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam

...

[domain/ad.example.com]
cache_credentials = true

# for performance
ldap_referrals = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_schema = rfc2307bis

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM 

#provide the schema for services for unix
ldap_schema = rfc2307bis

ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

# optional - set schema mapping
# parameters are listed in sssd-ldap
ldap_user_object_class = user
ldap_user_name = sAMAccountName

ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false

krb5_realm = AD-REALM.EXAMPLE.COM
# required
krb5_canonicalize = false
  7. Restart SSSD. 
    ~]# service sssd restart