RHEL with AD using SSSD.
My previous post assumed many setup constraints which might not be true.
Here are some simple steps to start off with SSSD configuration.
Here are some simple steps to start off with SSSD configuration.
Preparation for SSSD.
Prerequisite installations.
yum install sssd sssd-client krb5-workstation samba openldap-clients open-ssl authconfig
Update /etc/resolve.conf
on slave
nodes.
And then we update the
/etc/resolve.conf
file with the direct IP
of External Server 172.14.14.174
, as slave
node now should be able to communicate to the External Server.; generated by /sbin/dhclient-script
nameserver 172.14.14.174 ; IP for the DNS server, this happens to be the xyzserver.
nameserver 172.14.14.141 ; IP for the DNS server, this happens to be the abcserver.
Testing if
ping
works. [root@slave-server ~]# ping xyzserver.xyzdomain.com
PING xyzserver.xyzdomain.com (172.14.14.174) 56(84) bytes of data.
64 bytes from 172.14.14.174: icmp_seq=1 ttl=127 time=0.866 ms
64 bytes from 172.14.14.174: icmp_seq=2 ttl=127 time=1.09 ms
64 bytes from 172.14.14.174: icmp_seq=3 ttl=127 time=1.12 ms
64 bytes from 172.14.14.174: icmp_seq=4 ttl=127 time=0.933 ms
^C
--- xyzserver.xyzdomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7042ms
rtt min/avg/max/mdev = 0.866/1.004/1.122/0.112 ms
[root@slave-server ~]#
[root@slave-server ~]# ping abcserver.abcdomain.com
PING abcserver.abcdomain.com (172.14.14.141) 56(84) bytes of data.
64 bytes from 172.14.14.141: icmp_seq=1 ttl=127 time=0.866 ms
64 bytes from 172.14.14.141: icmp_seq=2 ttl=127 time=1.09 ms
64 bytes from 172.14.14.141: icmp_seq=3 ttl=127 time=1.12 ms
64 bytes from 172.14.14.141: icmp_seq=4 ttl=127 time=0.933 ms
^C
--- abcserver.abcdomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7042ms
rtt min/avg/max/mdev = 0.866/1.004/1.122/0.112 ms
[root@slave-server ~]#
Create a bind user on both domains ABCDOMAIN and XYZDOMAIN.
Open the Active directory and create a user called
xyzdomainuser
user in XYZDOMAIN
, and abcdomainuser
in ABCDOMAIN
.
We will using these users to join
DOMAIN
using the ldap_default_bind_dn
, will get to this later on.
Setting krb5
configuration.
Setting up the krb setting to communicate with AD using Kerberos.
[libdefaults]
default_realm = XYZDOMAIN.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
XYZDOMAIN.COM = {
kdc = xyzserver.xyzdomain.com
admin_server = xyzserver.xyzdomain.com
}
ABCDOMAIN.COM = {
kdc = abcserver.abcdomain.com
admin_server = abcserver.abcdomain.com
}
[domain_realm]
abcdomain.com = ABCDOMAIN.COM
.abcdomain.com = .ABCDOMAIN.COM
xyzdomain.com = XYZDOMAIN.COM
.xyzdomain.com = .XYZDOMAIN.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
Testing krb5
setup.
Once we have the configuration we will use
kinit
to test (Test both users).[root@slave-server ~]# kinit xyzdomainuser@XYZDOMAIN.COM
Password for xyzdomainuser@XYZDOMAIN.COM:
[root@slave-server ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xyzdomainuser@XYZDOMAIN.COM
Valid starting Expires Service principal
09/12/15 08:37:56 09/12/15 18:38:03 krbtgt/XYZDOMAIN.COM@XYZDOMAIN.COM
renew until 09/19/15 08:37:56
[root@slave-server ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xyzdomainuser@XYZDOMAIN.COM
Valid starting Expires Service principal
09/12/15 08:37:56 09/12/15 18:38:03 krbtgt/XYZDOMAIN.COM@XYZDOMAIN.COM
renew until 09/19/15 08:37:56, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
Now we are able to connect to ldap and get the tgt as well. so we are ready for the next steps.
Testing ldapsearch
from the Linux server.
This step is to make sure that our active directory is accessible. And we are able to search users and groups from Linux nodes. Goto linux machine and execute the below command.
ldapsearch -v -x -H ldap://xyzserver.xyzdomain.com/ -D "cn=xyzdomainuser,cn=Users,dc=xyzdomain,dc=com" -W -b "cn=xyzuser2,ou=cmlab,dc=xyzdomain,dc=com"
ldapsearch -v -x -H ldap://abcserver.xyzdomain.com/ -D "cn=abcdomainuser,cn=Users,dc=abcdomain,dc=com" -W -b "cn=xyzuser2,ou=cmlab,dc=abcdomain,dc=com"
Here are some more details about the options above.
More details here :
http://linuxcommand.org/man_pages/ldapsearch1.html
-v Run in verbose mode, with many diagnostics written to standard output.
-x Use simple authentication instead of SASL.
-H ldapuri
Specify URI(s) referring to the ldap server(s).
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
Above we are trying to search for information about
xyzuser2
using the user xyzdomainuser
. When you execute the command above we need to enter the password for xyzdomainuser
. Assuming xyzuser2
user is present in the DOMAIN. Creating SSSD Configuration.
Finally we are ready to configure SSSD. Below are the SSSD configuration to connect to
xyzdomain.com
.
NOTE: IMPORTANT. Make sure we have AD server certificates stored in
/etc/openldap/cacerts/
.
Example :
XYZDOMAIN will have `/etc/openldap/cacerts/ssl-cacerts-xyzdomain.cer`
ABCDOMAIN will have `/etc/openldap/cacerts/ssl-cacerts-abcdomain.cer`
without this
ldaps
will not work and SSSD will also not work for authentication and might have to use krb5
to authenticate.
If we want to connect to multiple AD servers, then we need to add multiple
[domain/abcdomain.com]
in the configuration. [sssd]
config_file_version = 2
debug_level = 0
domains = xyzdomain.com, abcdomain.com
services = nss, pam
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1
[pam]
reconnection_retries = 3
[domain/xyzdomain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5
access_provider = simple
cache_credentials = false
min_id = 1000
ad_server = xyzserver.xyzdomain.com
ldap_uri = ldaps://xyzserver.xyzdomain.com:389
ldap_schema = ad
krb5_realm = XYZDOMAIN.COM
ldap_id_mapping = true
cache_credentials = false
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = CN=xyzdomainuser,CN=Users,DC=xyzdomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = Welcome@123
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacert = /etc/openldap/cacerts/ssl-cacerts-xyzdomain.cer
###################################################
# Update below with another AD server as required #
###################################################
[domain/abcdomain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5
access_provider = simple
cache_credentials = false
min_id = 1000
ad_server = abcserver.abcdomain.com
ldap_uri = ldaps://abcserver.abcdomain.com/:389
ldap_schema = ad
krb5_realm = ABCDOMAIN.COM
ldap_id_mapping = true
cache_credentials = false
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = CN=abcdomainuser,CN=Users,DC=abcdomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = Welcome@123
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacert = /etc/openldap/cacerts/ssl-cacerts-abcdomain.cer
Install
oddjob-mkhomedir
to auto create the directory whenever a user logs in.yum install oddjob-mkhomedir
Enable
sssd
, localauth
and update the configuration. authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
NOTE : Check the
You can remove it and make the
sssd.conf
again, sometimes authconfig
will insert the default
domain.You can remove it and make the
sssd.conf
file similar to what we have above.
Start
sssd
services.service sssd start
service oddjobd start
Testing our setup.
Checking our user, who is present in the Active Directory
XYZDOMAIN
.[root@slave-server ~]# id xyzdomainuser
uid=62601149(xyzdomainuser) gid=62600513(Domain Users) groups=62600513(Domain Users),62601134(supergroup),62601133(hdfs)
[root@slave-server ~]# su xyzdomainuser
[xyzdomainuser@slave-server root]$ cd ~
[xyzdomainuser@slave-server ~]$ pwd
/home/xyzdomainuser
Next we try to login from remote.
[xyzdomainuser@slave-server ~]$ exit
exit
[root@slave-server ~]# ssh xyzdomainuser@slave-server
xyzdomainuser@slave-server's password:
Last login: Sat Sep 12 07:46:15 2015 from slave-server.xyzdomain.com
[xyzdomainuser@slave-server ~]$ pwd
/home/xyzdomainuser
[xyzdomainuser@slave-server ~]$ id
uid=62601149(xyzdomainuser) gid=62600513(Domain Users) groups=62600513(Domain Users),62601133(hdfs),62601134(supergroup)
[xyzdomainuser@slave-server ~]$
We are able to and the
/home/xyzdomainuser
is autocreated when the user logged-in.
Now checking users for
ABCDOMAIN
. [root@slave-server ~]# id abcdomainuser
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401114(supergroup-test),1916401113(hadoop-test),1916401112,1916401112
[root@slave-server ~]# id abcdomainuser
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401114(supergroup-test),1916401113(hadoop-test),1916401112,1916401112
[root@slave-server ~]# su abcdomainuser
sh-4.1$ pwd
/root
sh-4.1$ cd ~
sh-4.1$ pwd
/home/abcdomainuser
sh-4.1$ id
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401112,1916401113(hadoop-test),1916401114(supergroup-test)
sh-4.1$ exit
exit
We are done.
Comments
Post a Comment