As an update to my previous post “Linux SSH + PAM + LDAP + 2003 R2 AD Deployment”, SSSD is now part of the base RHEL6 repository (soon CentOS6 as well), which makes it much faster and easier to implement LDAP/AD authentication. On the Active Directory side not much has changed since my previous post, so refer to the previous guide for the complete AD configuration. So let's get to it.
Installing and Configuring PAM/LDAP/SSSD (tested on RHEL6):
Get some base packages:
# yum install openldap pam pam_ldap pam_krb5 ntp sssd
Configure /etc/sssd/sssd.conf (make sure you update ldap_default_authtok to your LDAP/AD user's password). If you recreate sssd.conf, be sure to chmod 600 it or the service will fail to start:
# vi /etc/sssd/sssd.conf
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/LDAP]
description = LDAP domain with AD server
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# Restrict access to a certain group, update or comment this out
ldap_access_filter = memberOf=cn=LinuxUsers,ou=Groups,dc=domain,dc=com
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://dc1.domain.com, ldap://dc2.domain.com
ldap_search_base = dc=domain,dc=com
# Always validate the server certificate (the sssd-ldap option name is ldap_tls_reqcert)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
# User that can read from AD, any normal user should work. Update as necessary
ldap_default_bind_dn = cn=ldapuser,ou=Users,dc=domain,dc=com
# Leave this as password
ldap_default_authtok_type = password
# The ldap user's actual password, update as necessary
ldap_default_authtok = ldapusers_password
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = True
# kerberos config
auth_provider = krb5
krb5_server = dc1.domain.com, dc2.domain.com
krb5_realm = DOMAIN.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
Configure /etc/krb5.conf:
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.COM = {
  kdc = dc1.domain.com
  kdc = dc2.domain.com
}

[domain_realm]
.DOMAIN.COM = DOMAIN.COM
DOMAIN.COM = DOMAIN.COM
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
Update the authentication methods (if authconfig is unavailable you'll have to manually edit the module order in /etc/pam.d/password-auth):
# authconfig --enablemkhomedir --enablesssdauth --updateall
Verify nsswitch.conf was updated with sss:
# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
Enable SSSD on boot, start if necessary (should be running already):
# chkconfig sssd on
# /etc/rc.d/init.d/sssd start
Giving SUDO permissions (Optional)
Add the group you configured in AD to your sudoers file using %groupname (case sensitive). Example:
# vi /etc/sudoers
# Give our Windows group LinuxUsers (system admins) ALL commands.
%LinuxUsers ALL=(ALL) ALL
Test AD authentication and check that the user's home directory was created (/home/username). Be sure to add ntpdate to a cron job to keep the time in sync with your domain controller.
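Before testing a login, it helps to check the things this setup quietly depends on: sssd.conf being mode 0600 (it holds the bind password in the clear), certificate validation left at demand, the bind going over ldaps:// or STARTTLS, and nsswitch.conf actually listing sss. The script below is an added example, not part of the original post; it assumes stat -c (GNU or busybox) and runs against constructed sample files, but each check takes a path so it can be pointed at the real /etc files.

```shell
#!/bin/sh
# Pre-flight checks for the SSSD/AD setup above (added example). Each check takes
# a file path and returns 0 on pass, 1 on fail. Assumes stat -c (GNU or busybox).

# sssd.conf carries the plaintext bind password (ldap_default_authtok); it must be
# mode 0600, and SSSD refuses to start otherwise.
check_conf_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Certificate validation must stay at "demand"; anything weaker hands the bind
# password to whatever answers on the LDAP port.
check_tls_reqcert() {
    grep -Eq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*demand' "$1"
}

# The simple bind is only encrypted if every URI is ldaps:// or STARTTLS is forced.
check_bind_transport() {
    grep -Eq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$1" && return 0
    uris=$(grep -E '^[[:space:]]*ldap_uri[[:space:]]*=' "$1") || return 1
    ! echo "$uris" | grep -q 'ldap://'
}

# passwd, shadow and group must all list sss, or lookups silently fall back to files.
check_nsswitch() {
    for db in passwd shadow group; do
        line=$(grep -E "^[[:space:]]*$db:" "$1") || return 1
        echo "$line" | grep -Eq '(^|[[:space:]])sss([[:space:]]|$)' || return 1
    done
}

# Constructed sample files standing in for /etc/sssd/sssd.conf and /etc/nsswitch.conf.
WORK=$(mktemp -d)
printf '[domain/LDAP]\nldap_uri = ldaps://dc1.domain.com, ldaps://dc2.domain.com\nldap_tls_reqcert = demand\nldap_default_authtok = ldapusers_password\n' > "$WORK/sssd.conf"
chmod 600 "$WORK/sssd.conf"
printf '[domain/LDAP]\nldap_uri = ldap://dc1.domain.com\nldap_tls_reqcert = allow\n' > "$WORK/sssd-weak.conf"
chmod 644 "$WORK/sssd-weak.conf"
printf 'passwd: files sss\nshadow: files sss\ngroup: files sss\n' > "$WORK/nsswitch.conf"
printf 'passwd: files\nshadow: files sss\ngroup: files sss\n' > "$WORK/nsswitch-bad.conf"

# Run all checks against one sssd.conf and one nsswitch.conf; prints PASS/FAIL per check.
run_checks() {
    rc=0
    for chk in "check_conf_mode $1" "check_tls_reqcert $1" "check_bind_transport $1" "check_nsswitch $2"; do
        $chk && echo "PASS $chk" || { echo "FAIL $chk"; rc=1; }
    done
    return $rc
}
run_checks "$WORK/sssd.conf" "$WORK/nsswitch.conf"
```

Run it against the real files with run_checks /etc/sssd/sssd.conf /etc/nsswitch.conf; a FAIL on check_bind_transport with the ldap:// URIs from the config above means the bind password is leaving the box unencrypted unless ldap_id_use_start_tls is enabled.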