13.2.14. Configuring Domains: Active Directory as an LDAP Provider (Alternative)

While Active Directory can be configured as a type-specific identity provider, it can also be configured as a pure LDAP provider with a Kerberos authentication provider.

Procedure 13.7. Configuring Active Directory as an LDAP Provider

  1. It is recommended that SSSD connect to the Active Directory server using SASL, which means that the local host must have a service keytab for the Windows domain on the Linux host. This keytab can be created using Samba.
    1. Configure the /etc/krb5.conf file to use the Active Directory realm. The settings belong in the standard krb5.conf sections:
       [logging]
       default = FILE:/var/log/krb5libs.log

       [libdefaults]
       default_realm = AD.EXAMPLE.COM
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       rdns = false
       forwardable = false

       [realms]
       # Define only if DNS lookups are not working
       # AD.EXAMPLE.COM = {
       #  kdc = server.ad.example.com
       #  admin_server = server.ad.example.com
       #  master_kdc = server.ad.example.com
       # }

       [domain_realm]
       # Define only if DNS lookups are not working
       # .ad.example.com = AD.EXAMPLE.COM
       # ad.example.com = AD.EXAMPLE.COM
    2. Set the Samba configuration file, /etc/samba/smb.conf, to point to the Windows Kerberos realm. These settings go in the [global] section:
         [global]
         workgroup = EXAMPLE
         client signing = yes
         client use spnego = yes
         kerberos method = secrets and keytab
         log file = /var/log/samba/%m.log
         password server = AD.EXAMPLE.COM
         realm = EXAMPLE.COM
         security = ads
    3. To initialize Kerberos, type the following command as root:
      ~]# kinit Administrator@EXAMPLE.COM
    4. Then, run the net ads command to log in as an administrator principal. This administrator account must have sufficient rights to add a machine to the Windows domain, but it does not require domain administrator privileges.
      ~]# net ads join -U Administrator
    5. Run net ads again to add the host machine to the domain. This can be done with the host principal (host/FQDN) or, optionally, with the NFS service (nfs/FQDN).
      ~]# net ads join createupn="host/rhel-server.example.com@AD.EXAMPLE.COM" -U Administrator
  2. Make sure that the Services for Unix package is installed on the Windows server.
  3. Set up the Windows domain which will be used with SSSD.
    1. On the Windows machine, open Server Manager.
    2. Create the Active Directory Domain Services role.
    3. Create a new domain, such as ad.example.com.
    4. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a group for the Linux users.
    1. Open Administrative Tools and select Active Directory Users and Computers.
    2. Select the Active Directory domain, ad.example.com.
    3. In the Users tab, right-click and select Create a New Group.
    4. Name the new group unixusers, and save.
    5. Double-click the unixusers group entry, and open the Users tab.
    6. Open the Unix Attributes tab.
    7. Set the NIS domain to the NIS domain that was configured for ad.example.com and, optionally, set a group ID (GID) number.
  5. Configure a user to be part of the Unix group.
    1. Open Administrative Tools and select Active Directory Users and Computers.
    2. Select the Active Directory domain, ad.example.com.
    3. In the Users tab, right-click and select Create a New User.
    4. Name the new user aduser, and make sure that the User must change password at next logon and Lock account check boxes are not selected. Then save the user.
    5. Double-click the aduser user entry, and open the Unix Attributes tab. Make sure that the Unix configuration matches that of the Active Directory domain and the unixusers group:
      • The NIS domain, as created for the Active Directory domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers

    Password lookups on large directories can take several seconds per request. The initial user lookup is a call to the LDAP server. Unindexed searches are much more resource-intensive, and therefore take longer, than indexed searches because the server checks every entry in the directory for a match. To speed up user lookups, index the attributes that are searched for by SSSD:
    • uid
    • uidNumber
    • gidNumber
    • gecos
  6. On the Linux system, configure the SSSD domain.
    ~]# vim /etc/sssd/sssd.conf
    For a complete list of LDAP provider parameters, see the sssd-ldap(5) man pages.

    Example 13.9. An Active Directory 2008 R2 Domain with Services for Unix

    [sssd]
    config_file_version = 2
    domains = ad.example.com
    services = nss, pam

    [domain/ad.example.com]
    cache_credentials = true
    # for performance
    ldap_referrals = false

    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap

    # provide the schema for Services for Unix
    ldap_schema = rfc2307bis
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM

    ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_principal = userPrincipalName
    # optional - set schema mapping
    # parameters are listed in sssd-ldap
    ldap_user_name = sAMAccountName
    ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
    ldap_group_object_class = group
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    krb5_realm = AD-REALM.EXAMPLE.COM
    # required
    krb5_canonicalize = false
  7. Restart SSSD.
    ~]# service sssd restart
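The sssd.conf example above is easy to get wrong by hand: keys outside a section, the same key pasted twice, a GSSAPI bind with no keytab principal, or a krb5_realm that does not match the realm in ldap_sasl_authid (the example itself uses AD-REALM.EXAMPLE.COM for krb5_realm while the SASL authid is in AD.EXAMPLE.COM). The following checker is an added example, not part of the Red Hat documentation or of the SSSD project; it uses only the standard-library configparser, the option names are real sssd.conf options, and the sample configurations are constructed from the example on this page. Run it against a candidate file before restarting SSSD.

```python
"""Consistency checks for an sssd.conf of the kind shown in Example 13.9.

Added example, not SSSD's or Red Hat's own tooling. configparser in strict
mode rejects duplicate keys and key/value lines outside a [section]; the
checks that follow cover the settings this procedure depends on.
"""
import configparser
import re

# Constructed sample based on the page's example (trimmed to the keys the
# checks look at). krb5_realm and the realm in ldap_sasl_authid differ.
PAGE_EXAMPLE = """\
[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
cache_credentials = true
ldap_referrals = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM
ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
krb5_realm = AD-REALM.EXAMPLE.COM
krb5_canonicalize = false
"""

# Constructed sample with a hand-edit mistake: the same key given twice.
DUPLICATE_KEY_EXAMPLE = """\
[sssd]
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_schema = rfc2307bis
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. strict=True raises on duplicate sections or keys;
    a key before any [section] raises MissingSectionHeaderError."""
    cp = configparser.ConfigParser(strict=True, interpolation=None)
    cp.read_string(text)
    return cp


def realm_of_principal(principal):
    """Return the REALM part of 'primary/instance@REALM', or None if absent."""
    m = re.search(r"@([^@\s]+)$", principal)
    return m.group(1) if m else None


def check_domain(cp, section):
    """Findings for one [domain/NAME] section, as human-readable strings."""
    findings = []
    d = cp[section]
    name = section[len("domain/"):]
    listed = [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",")]
    if name not in listed:
        findings.append(f"{section}: not listed in [sssd] domains, so SSSD never starts it")
    if d.get("id_provider") == "ldap":
        # A GSSAPI bind needs the host keytab principal to bind as.
        if d.get("ldap_sasl_mech", "").upper() == "GSSAPI" and not d.get("ldap_sasl_authid"):
            findings.append(f"{section}: GSSAPI bind without ldap_sasl_authid")
        # The page disables referral chasing for performance against AD.
        if d.get("ldap_referrals", "").lower() != "false":
            findings.append(f"{section}: ldap_referrals not set to false")
    realm = d.get("krb5_realm")
    if d.get("auth_provider") == "krb5":
        if not realm:
            findings.append(f"{section}: auth_provider = krb5 but krb5_realm is unset")
        if d.get("krb5_canonicalize", "false").lower() != "false":
            findings.append(f"{section}: krb5_canonicalize is not false (required here)")
    # The keytab principal and the authentication realm should agree.
    authid_realm = realm_of_principal(d.get("ldap_sasl_authid", ""))
    if realm and authid_realm and authid_realm.upper() != realm.upper():
        findings.append(f"{section}: ldap_sasl_authid realm {authid_realm} "
                        f"differs from krb5_realm {realm}")
    return findings


def lint(text):
    """Return all findings; an unparsable file yields one parse-error finding."""
    try:
        cp = parse_sssd_conf(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    findings = [] if cp.has_section("sssd") else ["missing [sssd] section"]
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(check_domain(cp, section))
    return findings


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE),
                        ("duplicate key", DUPLICATE_KEY_EXAMPLE)):
        print(f"{label}:")
        for finding in lint(text) or ["no findings"]:
            print("  -", finding)
```

To check a real file, pass `open("/etc/sssd/sssd.conf").read()` to `lint()` as root; SSSD also refuses to start unless that file is owned by root with mode 0600, which this content-only checker does not test.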