Tuesday, September 11, 2012

SSSD and LDAP/Krb5 Authentication for Microsoft Domains - Updated!

The configuration in my previous post had a few performance issues, and since then I've learned a few other things. Some of my findings may simply be due to the updated documentation of the service.

For those of you just tuning in: SSSD replaces tools such as Quest Authentication Services (QAS) and Samba's Winbind package and their methodologies. While similar in purpose, it remains quite different.

The first thing you'll probably notice in comparison to my previous post is that this one is significantly shorter. I removed most of the timeout overrides I had attempted, as the defaults seem quite sufficient. I'm still testing some of the changes I've made so far, but the time to authenticate seems to have improved.

Anyway, begin by backing up the original files /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/samba/smb.conf, then modify the originals in place (this saves you the trouble of fixing the permissions of the originals when things don't work).

Also note that if you are using sssd, remove or disable the nscd package, as sssd handles the caching for you.

Also make sure you have a working ntp service; I'll include a basic config that seems fine for the job.

(change paths and domain names as required)

# tar cpvfz ~/originalsssdconfs.tgz /etc/krb5.conf /etc/sssd/sssd.conf /etc/samba/smb.conf


# cat /etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.pool.ntp.org iburst
server 1.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

# authconfig --enablesssd --enablesssdauth --enablemkhomedir

# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
kdc_timesync = 1
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

# cat /etc/samba/smb.conf
[global]
realm=EXAMPLE.COM
workgroup=EXAMPLE
security = ADS
encrypt passwords = yes
password server = example.com
kerberos method = system keytab

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = EXAMPLE.COM
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
#reconnection_retries = 3
#entry_cache_nowait_percentage = 75
#entry_cache_timeout = 30
[pam]
#reconnection_retries = 3
[domain/EXAMPLE.COM]
#ldap_search_timeout = 2
#ldap_network_timeout = 0
#entry_cache_timeout = 900
#ldap_krb5_ticket_lifetime = 86400
# StartTLS is off here; the GSSAPI (Kerberos) bind below authenticates the LDAP lookups
ldap_id_use_start_tls = False
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_group_member = member
ldap_user_member_of = distinguishedname
ldap_user_krb_last_pwd_change = pwdLastSet
ldap_user_uid_number = uidNumber
chpass_provider = krb5
# enumerate pulls every user and group into the cache; expensive on large domains
enumerate = True
# cache_credentials allows offline logins from a locally stored hash of the password
cache_credentials = True
ldap_force_upper_case_realm = True
ldap_user_principal = userPrincipalName
ldap_user_object_class = user
ldap_user_gid_number = gidNumber
ldap_group_modify_timestamp = whenChanged
ldap_group_object_class = group
ldap_group_name = cn
ldap_user_name = sAMAccountName
ldap_ns_account_lock = userAccountControl
auth_provider = krb5
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = gssapi
id_provider = ldap
ldap_user_ad_account_expires = userAccountControl
ldap_user_shell = loginShell
ldap_schema = rfc2307bis
ldap_krb5_init_creds = True
ldap_search_base = dc=example,dc=com
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = whenChanged
ldap_group_gid_number = gidNumber
ldap_referrals = false
#ldap_group_nesting_level = 2
ldap_access_order=expire,filter
ldap_account_expire_policy=ad
ldap_deref=never
krb5_renewable_lifetime=90m

# net -U <username> join createupn=host/$(hostname -f)@EXAMPLE.COM createcomputer=computers osName="$(lsb_release -si)" osVer="$(lsb_release -sr)"

# service sshd restart
# service sssd restart
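As an added example (not from the post), here is a small Python linter over the settings above. It parses constructed excerpts of the sssd.conf and krb5.conf shown earlier and flags the points a reviewer would check: whether LDAP lookups are protected by StartTLS or a GSSAPI bind, whether enumeration and credential caching are on, whether account expiry is enforced, and whether only RC4/DES enctypes are configured.

```python
import configparser
# Constructed excerpts of the sssd.conf and krb5.conf from this post (sample input, not the live files).
SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_id_use_start_tls = False
enumerate = True
cache_credentials = True
ldap_access_order=expire,filter
"""
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
"""
def _parse(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def lint(sssd_text, krb5_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    sssd, krb5 = _parse(sssd_text), _parse(krb5_text)
    findings = []
    for section in (s for s in sssd.sections() if s.startswith("domain/")):
        dom = sssd[section]
        # Directory traffic must be protected by StartTLS or by a GSSAPI (Kerberos) bind.
        if not dom.getboolean("ldap_id_use_start_tls", fallback=False) and dom.get("ldap_sasl_mech", "").lower() != "gssapi":
            findings.append(f"{section}: LDAP lookups are neither TLS-protected nor GSSAPI-bound")
        # Enumerating a large AD domain is slow and floods the cache (the post's own performance pain point).
        if dom.getboolean("enumerate", fallback=False):
            findings.append(f"{section}: enumerate=True pulls every user and group into the cache")
        # Offline logins need cached credentials, which puts password hashes on local disk.
        if dom.getboolean("cache_credentials", fallback=False):
            findings.append(f"{section}: cache_credentials=True stores credential hashes locally")
        # Expired AD accounts must be refused, so 'expire' has to be in the access order.
        if "expire" not in dom.get("ldap_access_order", "").replace(" ", "").split(","):
            findings.append(f"{section}: ldap_access_order does not check account expiry")
    # RC4 (arcfour) and DES are weak; domains on Windows Server 2008 or later also offer AES.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        etypes = krb5["libdefaults"].get(key, "").split()
        if etypes and all(e.startswith(("arcfour", "des")) for e in etypes):
            findings.append(f"krb5.conf {key}: only weak enctypes ({' '.join(etypes)})")
    return findings
```

Run `lint(SSSD_CONF, KRB5_CONF)` to see the four findings the post's own settings produce; feed it the real files to lint a host.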

If you need to change your configs, several man pages are available; man sssd, man sssd-krb5 and man sssd-ldap are among the more common and useful ones.

If you've found this quick reference useful, please let me know. I'd be happy to know that somebody is working off of my doc. :)

1 comment:

  1. Just thought you might like to be made aware of the plans for SSSD 1.9.0 (currently in feature-complete beta) that includes an AD provider option to significantly reduce configuration and provide the option of using mapped objectSID UID/GID if POSIX attributes are not available.

    See the release notes for the 1.9.0 betas at https://fedorahosted.org/sssd/wiki/Releases for more details. 1.9.0 final will be released within the next few weeks and included in the Fedora 18 beta and later into Red Hat Enterprise Linux 6.4.
