How to configure sssd on SLES to use ldap to Active Directory

This document (7022263) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)

Situation

Users in Active Directory need to be able to log in to SLES.

Resolution

This procedure works for both SLES 11 and SLES 12.

1.  Join the SLES server to the Active Directory domain back end

A.  Gather Windows 2012 R2 Active Directory information

Windows AD Information
Domain = AD.DOMAIN.COM
Windows Server Name = WIN2012SRV
Windows Server IPADDRESS = 192.168.157.131
AD Administrator = cn=Administrator.users.ad.domain.com
Create test user = Jane Doe / jdoe
B.  Install krb5-client and samba client

zypper ref 
zypper in krb5-client 
zypper in samba-client

C.  Configure /etc/krb5.conf

[libdefaults]
default_realm = AD.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false

[realms]
        AD.DOMAIN.COM = {
                 kdc = win2012srv.ad.domain.com
                 master_kdc = win2012srv.ad.domain.com
                 admin_server = win2012srv.ad.domain.com
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .ad.domain.com = AD.DOMAIN.COM
        ad.domain.com = AD.DOMAIN.COM

D.  Configure /etc/samba/smb.conf
[global]
        workgroup = AD
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.mmsprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = AD.DOMAIN.COM
        security = ADS
        template homedir = /home/%u
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
        client signing = yes
        client use spnego = yes

E.  Configure /etc/hosts
192.168.157.131  win2012srv win2012srv.ad.domain.com ad ad.domain.com

F.  Join the AD domain

kinit Administrator

net ads join -k

2.  Configure AD server and users for Unix Identity Management

A.  Install the Identity Management for Unix component on the Windows server
- Start a PowerShell as administrator
- dism.exe /online /enable-feature /featurename:adminui /all
- Restart the Windows server

B.  Add the attributes to AD users and groups that are needed for resolution on Linux

-  Modify a group and add the “Unix” attributes
-  Modify the user and add the “Unix” attributes

3.  Test GSSAPI connectivity with ldapsearch

/usr/bin/ldapsearch -H ldap://win2012srv.ad.domain.com/ -Y GSSAPI -N -b "dc=ad,dc=domain,dc=com" "(&(objectClass=user)(uid=jdoe))"

4.  Configure SSSD

A.  Install sssd package

zypper ref 
zypper in sssd

B.  Modify /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 6
services = nss, pam

domains =  AD

[nss]
filter_users = root
filter_groups = root

[domain/AD]
debug_level = 6
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://win2012srv.ad.domain.com
ldap_search_base = dc=ad,dc=domain,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_server = win2012srv.ad.domain.com
krb5_realm = AD.DOMAIN.COM
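Two checks worth running before sssd is started, written for this TID as an added example (not SUSE's code): a consistency check of the sssd.conf and krb5.conf values above (the provider settings, an upper-case krb5_realm that matches default_realm, and a host name rather than an IP address in ldap_uri, which the GSSAPI bind needs to find the server's ldap/ service principal), and a builder for the correctly parenthesised ldapsearch filter used in step 3. The embedded excerpts are constructed from the values shown in this document.

```python
import configparser
import re
# Constructed excerpts of the sssd.conf and krb5.conf shown in this TID.
SSSD_CONF = """
[sssd]
domains = AD
[domain/AD]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://win2012srv.ad.domain.com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
krb5_realm = AD.DOMAIN.COM
"""
KRB5_CONF = "[libdefaults]\ndefault_realm = AD.DOMAIN.COM\n"
# Settings this TID relies on: LDAP identities, Kerberos (GSSAPI) authentication.
REQUIRED = {"id_provider": "ldap", "auth_provider": "krb5",
            "ldap_sasl_mech": "GSSAPI", "ldap_schema": "rfc2307bis"}
IP_URI = re.compile(r"^ldaps?://\d{1,3}(\.\d{1,3}){3}")

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_config(sssd_text, krb5_text):
    # Returns a list of problems; an empty list means the two files agree.
    sssd, krb5 = load(sssd_text), load(krb5_text)
    default_realm = krb5["libdefaults"].get("default_realm")
    problems = []
    for name in (d.strip() for d in sssd["sssd"]["domains"].split(",")):
        sec = "domain/" + name
        dom = sssd[sec] if sec in sssd else {}
        for key, want in REQUIRED.items():
            if dom.get(key) != want:
                problems.append(f"{sec}: {key} should be {want}, got {dom.get(key)}")
        realm = dom.get("krb5_realm", "")
        if realm != realm.upper():
            problems.append(f"{sec}: krb5_realm must be upper case")
        if realm != default_realm:
            problems.append(f"{sec}: krb5_realm differs from krb5.conf default_realm")
        # A GSSAPI bind needs the server's DNS name (its ldap/ SPN), not an IP.
        if IP_URI.match(dom.get("ldap_uri", "")):
            problems.append(f"{sec}: ldap_uri must use the AD server's host name")
    return problems

def ldap_filter(**attrs):
    # RFC 4515 AND filter with escaped values, as used by the step 3 ldapsearch.
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    escape = lambda v: "".join(esc.get(c, c) for c in v)
    return "(&" + "".join(f"({k}={escape(v)})" for k, v in attrs.items()) + ")"
```

To check the real files, pass the contents of /etc/sssd/sssd.conf and /etc/krb5.conf to check_config instead of the embedded excerpts.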

5.  Configure NSS

A.  Modify /etc/nsswitch.conf
passwd: files sss 
group: files sss

B.   Modify /etc/nscd.conf
enable-cache passwd no 
enable-cache group no

C.  Stop nscd
SLES 12: systemctl stop nscd 
SLES 11: /etc/init.d/nscd stop

D.  Start sssd
SLES 12: systemctl start sssd 
SLES 11: /etc/init.d/sssd start
 
6.  Configure PAM

A.  Modify the /etc/pam.d/common-* files to add pam_sss.so

/etc/pam.d/common-auth
auth        sufficient    pam_sss.so    use_first_pass

/etc/pam.d/common-account
account     sufficient    pam_sss.so    use_first_pass

/etc/pam.d/common-session
session     sufficient    pam_sss.so    use_first_pass
session     sufficient    pam_mkhomedir.so

/etc/pam.d/common-password
password    sufficient    pam_sss.so

7.  Test Resolution and Authentication

A.  Resolution
id <userid>
getent passwd <userid>

B.  Authentication
ssh <userid>@localhost

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022263
  • Creation Date: 01-Nov-2017
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
