SSSD
Revision as of 12:29, 13 May 2013
SSSD obsoletes the old nss_ldap and pam_ldap combination and is also a successor to nss-pam-ldapd and pam_krb5.
The following examples have been tested against Active Directory in 2003 mode.
Basic configuration
File: /etc/nsswitch.conf
passwd: compat sss
shadow: compat sss
group:  compat sss
File: /etc/pam.d/system-auth
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     sufficient pam_sss.so use_first_pass
auth     optional   pam_permit.so

account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  optional   pam_permit.so

password required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password optional   pam_permit.so

session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent
session  required   pam_limits.so
session  required   pam_env.so
session  required   pam_unix.so
session  optional   pam_sss.so
session  optional   pam_permit.so

Note on the auth stack: pam_unix and pam_sss are both marked sufficient, so a password rejected by both contributes nothing to the result and the stack ends at an optional pam_permit. Stacks of this shape are conventionally closed with "auth required pam_deny.so" directly after the pam_sss line (the pattern the Fedora and Red Hat default stacks use) so that a user rejected by both modules is refused rather than left to pam_permit. Check the behaviour on your system with a deliberately wrong password before relying on it.
# /etc/init.d/sssd start
# rc-update add sssd default
LDAP (works without Samba)
File: /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = YOURDOMAIN

[nss]
filter_users = root,named,avahi,dbus,radiusd,news,nscd
override_homedir = /home/%d/%u
fallback_homedir = /home/%d/%u
default_shell = /bin/bash

[pam]

[domain/YOURDOMAIN]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://yourdc.yourdomain.local/
ldap_search_base = dc=yourdomain,dc=local
ldap_default_bind_dn = adbinduser
ldap_default_authtok = adbinduserpassword
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
# defines user/group schema type
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = true
# disable case sensitive user names
case_sensitive = false
# caching credentials
cache_credentials = true
enumerate = false
# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
# performance
ldap_disable_referrals = true
override_homedir = /home/%d/%u
fallback_homedir = /home/%d/%u
default_shell = /bin/bash

Two settings in this example are acceptable for a first test against a lab domain controller but not for production. ldap_tls_reqcert = never disables verification of the domain controller's certificate, so even a TLS session can be intercepted. A plain ldap:// URI without ldap_id_use_start_tls = true sends the bind account's password (ldap_default_authtok) across the network in clear text during identity lookups. For production use an ldaps:// URI (or ldap_id_use_start_tls = true), ldap_tls_reqcert = demand, and place the domain CA certificate in ldap_tls_cacertdir. Because the file contains the bind password it must be owned by root with mode 0600; sssd checks this at startup and refuses to run otherwise.
AD (requires Samba)
First set up Kerberos, then configure Samba and join it to your domain. The ad provider authenticates with the machine account keytab (/etc/krb5.keytab) that the join creates, so no bind user or password is stored in sssd.conf.
File: /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = YOURDOMAIN

[nss]
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash

[pam]

[domain/YOURDOMAIN]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = yourdc.yourdomain.local
ad_domain = YOURDOMAIN.LOCAL
case_sensitive = False
override_homedir = /home/%u
fallback_homedir = /home/%u
default_shell = /bin/bash
Testing
# getent passwd domainuser
has to return a complete passwd entry, including a numeric uid and gid, a home directory and a shell, before the user can log in. An empty result means NSS (nsswitch.conf) or the SSSD domain lookup is not working; an entry with a missing shell or home directory will still refuse logins.
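The checks above can be scripted. The following is an added example written for this page (it is not code from the wiki or from the SSSD project): it validates a getent passwd line field by field, and it audits an LDAP-provider sssd.conf for the weak settings discussed in the LDAP section (unverified certificate, clear-text bind password, wrong file mode). All config text and passwd lines in it are constructed sample data; the ldaps:// URI and the CA certificate path in the hardened sample are placeholders, and the file-mode check assumes GNU stat and is skipped where that is unavailable.

```shell
#!/bin/sh
# Added example, not from the wiki page or the SSSD project: offline checks
# for an SSSD deployment. Every config snippet and passwd line used below is
# constructed sample data, not output from a real domain controller.

# conf_get FILE KEY: print the value of KEY from an sssd.conf-style file.
# Comment lines are skipped, whitespace is trimmed, the last occurrence wins.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_passwd_entry LINE: validate one line as printed by "getent passwd USER".
# Returns 0 when the entry has 7 fields, numeric uid and gid, a home directory
# and a shell (everything a login needs); otherwise prints why and returns 1.
check_passwd_entry() {
    entry="$1"
    [ -n "$entry" ] || { echo "no entry returned: user unknown to NSS/SSSD"; return 1; }
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$nfields" -eq 7 ] || { echo "expected 7 colon-separated fields, got $nfields"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$uid" in ''|*[!0-9]*) echo "uid '$uid' is not numeric"; return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) echo "gid '$gid' is not numeric"; return 1 ;; esac
    [ -n "$home" ]  || { echo "empty home directory"; return 1; }
    [ -n "$shell" ] || { echo "empty login shell"; return 1; }
    return 0
}

# audit_sssd_conf FILE: print each weakness found in an LDAP-provider domain
# section and return the number of findings (0 means clean).
audit_sssd_conf() {
    f="$1"; n=0
    reqcert=$(conf_get "$f" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow)
            echo "ldap_tls_reqcert = $reqcert: DC certificate is not verified, TLS does not stop a man-in-the-middle"
            n=$((n + 1)) ;;
    esac
    uri=$(conf_get "$f" ldap_uri)
    starttls=$(conf_get "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    authtok=$(conf_get "$f" ldap_default_authtok)
    case "$uri" in
        ldap://*)
            if [ -n "$authtok" ] && [ "$starttls" != "true" ]; then
                echo "ldap_uri = $uri without ldap_id_use_start_tls = true: ldap_default_authtok is sent in clear text"
                n=$((n + 1))
            fi ;;
    esac
    # sssd.conf carries the bind password; sssd itself insists on mode 0600.
    # GNU stat assumed; the check is skipped where "stat -c" is unavailable.
    mode=$(stat -c '%a' "$f" 2>/dev/null || true)
    if [ -n "$mode" ] && [ "$mode" != "600" ]; then
        echo "$f has mode $mode, must be 0600 and owned by root"
        n=$((n + 1))
    fi
    return "$n"
}

# Demonstration: a constructed copy of the page's LDAP settings next to a
# hardened variant (ldaps:// URI and CA path are placeholders).
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
[domain/YOURDOMAIN]
id_provider = ldap
ldap_uri = ldap://yourdc.yourdomain.local/
ldap_search_base = dc=yourdomain,dc=local
ldap_default_bind_dn = adbinduser
ldap_default_authtok = adbinduserpassword
ldap_tls_reqcert = never
EOF
chmod 644 "$weak"
cat > "$hardened" <<'EOF'
[domain/YOURDOMAIN]
id_provider = ldap
ldap_uri = ldaps://yourdc.yourdomain.local/
ldap_search_base = dc=yourdomain,dc=local
ldap_default_bind_dn = adbinduser
ldap_default_authtok = adbinduserpassword
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/yourdomain-ca.pem
EOF
echo "== weak config";     audit_sssd_conf "$weak" || echo "findings: $?"
echo "== hardened config"; audit_sssd_conf "$hardened" && echo "clean"
echo "== passwd entry";    check_passwd_entry "domainuser:*:1234567:1234567:Domain User:/home/domainuser:/bin/bash" && echo "login-capable entry"
rm -f "$weak" "$hardened"
```

On a real host run audit_sssd_conf against /etc/sssd/sssd.conf and feed check_passwd_entry the output of "getent passwd domainuser"; the weak sample reports three findings and the hardened one none.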