Configuring Active Directory as an LDAP Domain


While Active Directory (AD) can be configured as a type-specific identity provider for the System Security Services Daemon (SSSD), it can also be configured as a pure LDAP identity provider with a Kerberos authentication provider.

  1. It is recommended that SSSD connect to the AD server using SASL, which means that the Linux host must have a service keytab for the Windows domain.

    This keytab can be created using Samba.

    1. Configure the /etc/krb5.conf file to use the Active Directory realm.

      [logging]
       default = FILE:/var/log/krb5libs.log
      
      [libdefaults]
       default_realm = AD.EXAMPLE.COM
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       rdns = false
       forwardable = true
      
      [realms]
      # Define only if DNS lookups are not working
      # AD.EXAMPLE.COM = {
      #  kdc = server.ad.example.com
      #  admin_server = server.ad.example.com
      # }
      
      [domain_realm]
      # Define only if DNS lookups are not working
      # .ad.example.com = AD.EXAMPLE.COM
      # ad.example.com = AD.EXAMPLE.COM
      
    2. Set the Samba configuration file, /etc/samba/smb.conf, to point to the Windows Kerberos realm.

      [global]
         workgroup = EXAMPLE
         client signing = yes
         client use spnego = yes
         kerberos method = secrets and keytab
         log file = /var/log/samba/%m.log
         password server = AD.EXAMPLE.COM
         # must be the AD Kerberos realm, the same as default_realm in /etc/krb5.conf
         realm = AD.EXAMPLE.COM
         security = ads
      
    3. Then, run the net ads command to log in as an administrator principal. This administrator account must have sufficient rights to add a machine to the Windows domain, but it does not require domain administrator privileges.

      [root@server ~]# net ads join -U Administrator
      
    4. Run net ads again to add the host machine to the domain. This can be done with the host principal (host/FQDN) or, optionally, with the NFS service (nfs/FQDN).

      [root@server ~]# net ads join createupn="host/rhel-server.example.com@AD.EXAMPLE.COM" -U Administrator
      
  2. Make sure that the Services for Unix package is installed on the Windows server.

  3. Set up the Windows domain which will be used with SSSD.

    1. On the Windows machine, open Server Manager.

    2. Create the AD Domain Services role.

    3. Create a new domain, such as ad.example.com.

    4. Add the Identity Management for UNIX service to the AD Domain Services role. Use the Unix NIS domain as the domain name in the configuration.

  4. On the AD server, create a group for the Linux users.

    1. Open Administrative Tools and select AD Users and Computers.

    2. Select the AD domain, ad.example.com.

    3. In the Users tab, right-click and select Create a New Group.

    4. Name the new group unixusers, and save.

    5. Double-click the unixusers group entry, and open the Users tab.

    6. Open the Unix Attributes tab.

    7. Set the NIS domain to the NIS domain that was configured for ad.example.com and, optionally, set a group ID (GID) number.

  5. Configure a user to be part of the Unix group.

    1. Open Administrative Tools and select AD Users and Computers.

    2. Select the AD domain, ad.example.com.

    3. In the Users tab, right-click and select Create a New User.

    4. Name the new user aduser, make sure that the User must change password at next logon and Lock account check boxes are not selected, and then save the user.

    5. Double-click the aduser user entry, and open the Unix Attributes tab. Make sure that the Unix configuration matches that of the AD domain and the unixusers group:

      • The NIS domain, as created for the AD domain

      • The UID

      • The login shell, to /bin/bash

      • The home directory, to /home/aduser

      • The primary group name, to unixusers

    Note: Password lookups on large directories can take several seconds per request. The initial user lookup is a call to the LDAP server. Unindexed searches are much more resource-intensive, and therefore take longer, than indexed searches because the server checks every entry in the directory for a match. To speed up user lookups, index the attributes that are searched for by SSSD:

    • uid

    • uidNumber

    • gidNumber

    • gecos

  6. On the Linux system, configure the SSSD domain.

    [root@rhel-server ~]# vim /etc/sssd/sssd.conf
    

    For a complete list of LDAP provider parameters, see the sssd-ldap(5) man pages.

    Example: An AD 2008 R2 Domain with Services for Unix:

    [sssd]
    config_file_version = 2
    domains = ad.example.com
    services = nss, pam
    
    ...
    
    [domain/ad.example.com]
    cache_credentials = true
    
    # for performance
    ldap_referrals = false
    
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    
    # bind over SASL with the host keytab created by net ads join
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/rhel-server.example.com@AD.EXAMPLE.COM
    
    # provide the schema for Services for Unix
    ldap_schema = rfc2307bis
    
    ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_principal = userPrincipalName
    
    # optional - set schema mapping
    # parameters are listed in sssd-ldap(5)
    ldap_user_name = sAMAccountName
    
    ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
    ldap_group_object_class = group
    
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    
    # must match the realm in ldap_sasl_authid and in /etc/krb5.conf
    krb5_realm = AD.EXAMPLE.COM
    # required for Active Directory
    krb5_canonicalize = false
    
  7. Restart SSSD.

    [root@rhel-server ~]# systemctl restart sssd.service
    
