Chapter 6. Configuring the SSSD Container to Provide Identity and Authentication Services on Atomic Host

As a system administrator, you can use SSSD in a container to provide external identity, authentication, and authorization services for the Atomic Host system. This chapter describes how to run the SSSD container as privileged, which enables users from external identity sources (Identity Management or Active Directory) to leverage the services running on the Atomic host itself.

Alternatively, you can run the SSSD container as unprivileged, which enables users from external identity sources (Identity Management or Active Directory) to leverage the services running in other containers on the Atomic Host. This is covered in Chapter 7, Deploying SSSD Containers With Different Configurations.

Before you start, see:

To enroll the Atomic Host to an Identity Management server, see:

To enroll the Atomic Host to Active Directory, see:

6.1. Prerequisites

  • Upgrade the Atomic Host system before installing the container. See Upgrading and Downgrading in the Red Hat Enterprise Linux Atomic Host 7 Installation and Configuration Guide.

6.2. Enrolling to an Identity Management Domain Using a Privileged SSSD Container

This procedure describes how to install an SSSD container and configure it for enrollment against an Identity Management server. During the installation:

  • Various configuration and data are copied into the container.
  • The ipa-client-install utility for configuring an Identity Management client starts.
  • After a successful enrollment into the Identity Management domain, the configuration and data are copied back to the Atomic Host system.

Prerequisites

You need one of the following:

  • A random password for one-time client enrollment of the Atomic Host system to the Identity Management domain. To generate the password, add the Atomic Host system as an Identity Management host on the Identity Management server, for example:

    $ ipa host-add <atomic.example.com> --random
    [... output truncated ...]
      Random password: 4Re[>5]OB$3K($qYs:M&}B
    [... output truncated ...]

    For details, see Installing a Client in the Linux Domain Identity, Authentication, and Policy Guide.

  • Credentials of an Identity Management user allowed to enroll clients. By default, this is the admin user.

Procedure

  1. Start the sssd container installation by using the atomic install command, and provide the random password or credentials of an IdM user that is allowed to enroll new hosts. In most cases, this is the admin user.

    # atomic install rhel7/sssd --password "4Re[>5]OB$3K($qYs:M&}B"
    [... output truncated ...]
    Service sssd.service configured to run SSSD container.
    [... output truncated ...]
    # atomic install rhel7/sssd -p admin -w <admin_password>
    [... output truncated ...]
    Service sssd.service configured to run SSSD container.
    [... output truncated ...]

    The atomic install rhel7/sssd command accepts standard ipa-client-install options. Depending on your configuration, you might need to provide additional information using these options. For example, if ipa-client-install cannot determine the host name of your server and the domain name, use the --server and --domain options:

    # atomic install rhel7/sssd --password "4Re[>5]OB$3K($qYs:M&}B" --server <server.example.com> --domain <example.com>

    Note

    You can also pass options to ipa-client-install by storing them to the /etc/sssd/ipa-client-install-options file on the Atomic Host before running atomic install. For example, the file can contain:

    --password=4Re[>5]OB$3K($qYs:M&}B
    --server=server.example.com
    --domain=example.com

  2. Start SSSD in the container by using one of the following commands:

    # atomic run rhel7/sssd
    # systemctl start sssd

  3. Optional. Confirm that the container is running:

    # docker ps
    CONTAINER ID        IMAGE
    5859b9366f0f        rhel7/sssd

  4. Optional. Confirm that SSSD on the Atomic Host resolves identities from the Identity Management domain.

    1. Obtain a Kerberos ticket for an Identity Management user, and log in to the Atomic Host by using the ssh utility.

      $ atomic run sssd kinit <idm_user>
      $ ssh <idm_user>@<atomic.example.com>

    2. Use the id utility to verify that you are logged in as the intended user:

      $ id
      uid=1215800001(idm_user) gid=1215800001(idm_user) groups=1215800001(idm_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

    3. Use the hostname utility to verify that you are logged in to the Atomic Host system:

      $ hostname
      atomic.example.com

6.3. Joining an Active Directory Domain Using an SSSD Container

This procedure describes how to install an SSSD container and configure it to join the Atomic Host system to Active Directory.

Procedure

  1. Save the password of a user allowed to enroll systems to the Active Directory domain, such as the Administrator, in the /etc/sssd/realm-join-password file on the Atomic Host system:

    # echo <password> > /etc/sssd/realm-join-password

    Providing the password in the file is necessary because the realm join command does not accept the password as a command-line parameter.

    Note

    If you later plan to pass a custom container name to the atomic install command instead of the default name (sssd), add that custom name to the path of the file: /etc/sssd/<custom_container_name>/realm-join-password.

  2. Start the sssd container installation by using the atomic install command, and specify the realm that you want to join. If you are using the default Administrator user account for the operation:

    # atomic install rhel7/sssd realm join <ad.example.com>
    docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join ad.example.com
    Initializing configuration context from host ...
    Password for Administrator:
    Copying new configuration to host ...
    Service sssd.service configured to run SSSD container.

    If you are using another user account, specify it with the --user option:

    # atomic install rhel7/sssd realm join --user <user_name> <ad.example.com>

  3. Start SSSD in the container by using one of the following commands:

    # atomic run rhel7/sssd
    # systemctl start sssd

  4. Optional. Confirm that the container is running:

    # docker ps
    CONTAINER ID        IMAGE
    5859b9366f0f        rhel7/sssd

  5. Optional. On the Atomic Host system, confirm that SSSD resolves identities from the Active Directory domain:

    # id administrator@<ad.example.com>
    uid=1397800500(administrator@ad.example.com) gid=1397800513(domain users@ad.example.com)
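The following shell script is an added example and is not part of the Red Hat documentation or of the rhel7/sssd image. It covers the two procedures above: it writes the /etc/sssd/ipa-client-install-options file from Section 6.2 and the realm-join-password file from Section 6.3 (including the deeper path used with a custom container name), and it parses the output of the id utility that both optional confirmation steps rely on. Both files contain an enrollment password, so the script creates them readable by root only rather than with a plain echo redirect, which would leave the file with the default umask and the password in the shell history. The SSSD_ETC variable and the function names are introduced here; SSSD_ETC defaults to /etc/sssd, where atomic install expects the files, and is only meant to be overridden for dry runs.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the rhel7/sssd
# image. Prepares the two secret files the procedures above read
# (/etc/sssd/ipa-client-install-options for Section 6.2 and
# /etc/sssd[/<name>]/realm-join-password for Section 6.3) and checks the
# `id` output from the optional confirmation steps. SSSD_ETC is a name
# introduced here; it defaults to /etc/sssd and is overridden only for dry runs.
set -u

SSSD_ETC="${SSSD_ETC:-/etc/sssd}"

# Write $2 to file $1 readable by root only. Both files hold an enrollment
# password, so the file is recreated under umask 077 rather than rewritten
# in place, which would keep any previous, looser mode.
write_secret_file() {
    file="$1" content="$2"
    mkdir -p "$(dirname "$file")"
    rm -f "$file"
    (umask 077 && printf '%s\n' "$content" > "$file")
}

# Section 6.2, Note: ipa-client-install options, one per line. --server and
# --domain are optional and are emitted only when given.
ipa_options_file() {
    password="$1" server="${2:-}" domain="${3:-}"
    opts="--password=$password"
    if [ -n "$server" ]; then
        opts="$opts
--server=$server"
    fi
    if [ -n "$domain" ]; then
        opts="$opts
--domain=$domain"
    fi
    write_secret_file "$SSSD_ETC/ipa-client-install-options" "$opts"
}

# Section 6.3, step 1: realm join reads its password from a file. With a
# custom container name the file sits one directory deeper.
realm_join_password_path() {
    name="${1:-sssd}"
    if [ "$name" = sssd ]; then
        printf '%s\n' "$SSSD_ETC/realm-join-password"
    else
        printf '%s\n' "$SSSD_ETC/$name/realm-join-password"
    fi
}

realm_join_password_file() {   # realm_join_password_file <password> [container_name]
    write_secret_file "$(realm_join_password_path "${2:-sssd}")" "$1"
}

# Print the user name inside the uid=NNN(name) field of one `id` line, for
# example idm_user or administrator@ad.example.com; fail on anything else.
id_user_name() {
    line="$1"
    case "$line" in
        uid=*\(*\)*) ;;
        *) return 1 ;;
    esac
    name="${line#uid=*\(}"
    printf '%s\n' "${name%%)*}"
}

# Succeed when `id` resolved the expected (optionally domain-qualified)
# user, which is what the confirmation steps of both procedures check.
id_resolved_user() {   # id_resolved_user "<id output line>" <expected_user>
    [ "$(id_user_name "$1")" = "$2" ]
}

# End-to-end wrappers built from the commands in the procedures above. They
# need root on the Atomic Host and are not exercised by the checks below.
enroll_idm() {   # enroll_idm <random_password> [server] [domain]
    ipa_options_file "$@"
    atomic install rhel7/sssd && atomic run rhel7/sssd
}

join_ad() {      # join_ad <password> <ad.example.com> [--user <user_name>]
    realm_join_password_file "$1"
    realm="$2"
    shift 2
    atomic install rhel7/sssd realm join "$@" "$realm" && atomic run rhel7/sssd
}
```

After enrollment, the confirmation from step 4 of Section 6.2 becomes `id_resolved_user "$(id)" idm_user` on the Atomic Host, and the one from step 5 of Section 6.3 becomes `id_resolved_user "$(id administrator@ad.example.com)" administrator@ad.example.com`; a non-zero exit means SSSD did not resolve the user from the domain.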

Additional Resources