How to configure sssd on SLES 11 to resolve names and authenticate to Windows 2008 Active Directory

This document (7014572) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)

Situation

Environment where authentication and name resolution need to occur against a Windows 2008 Active Directory domain.

This is an alternative to using winbind.  SSSD must be used in lieu of winbind when the primary group of a user as recorded in Active Directory must differ from the primary group of that user on the Linux side; recent security fixes in winbind no longer allow that combination.  If the primary group is the same on the Windows and Linux sides, sssd is an optional alternative.

Resolution

This document describes how to configure sssd on SLES 11 SP1 to perform name resolution and authentication against a Windows 2008 Active Directory domain, using LDAP (with a GSSAPI bind) for identity lookups and Kerberos for authentication.

For the purposes of this document, the following naming is used:

domain = ad-domain.com
realm = AD-DOMAIN.COM
SLES 11 SP1 server (client) = client
SLES 11 SP1 server (client) fully qualified = client.ad-domain.com
Windows 2008 server (AD server) = adserver
Windows 2008 server (AD server) fully qualified = adserver.ad-domain.com
ipaddress of Windows 2008 server = 192.168.0.1
User = unixuser
Group = unixgroup

This document assumes a fully functional Windows 2008 Active Directory domain and network.  It will not go into troubleshooting or setup of communication between the SLES 11 SP1 server and the Windows 2008 server. 

Windows 2008 domain configuration:

1. Using Server Manager, under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], expand the domain that will contain the SLES 11 SP1 server and users (ad-domain.com).  If the domain doesn't exist yet, create a new domain.

2. Within the Computers folder, right click and choose New | Computer.  Create a computer object that will correspond to the SLES 11 SP1 server.  For our example, Computer name = client.  It is not necessary to choose the option, Assign this computer account as a pre-Windows 2000 computer.
 
3. Click Active Directory Domain Services under Roles in Server Manager.  Scroll the right hand window down to Role Services.  Choose Add Role Services and select Identity Management for UNIX.  Use the domain created / used in step 1 as the NIS Domain Name.  For our example, NIS Domain name = ad-domain.com

4. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com] Within the Users folder, right click and choose New | Group.  Create a group object.  For our example, Group name = unixgroup
  - Open the properties of the group unixgroup and switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set GID (this will be according to your environment's configuration).  For our example, 10000

5. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com] Within the Users folder, right click and choose New | User.  Create a user object.  For our example, User logon name = unixuser. 
  - Uncheck User must change password at next logon and Account is disabled.
  - Open the properties of the user unixuser and switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set UID (this will be according to your environment's configuration).  For our example, 10000
    - Set Login Shell (this will be according to your environment's configuration).  For our example, /bin/bash
    - Set Home Directory (this will be according to your environment's configuration). For our example, /home/unixuser
    - Set Primary Group Name/GID to unixgroup

SLES 11 SP1 server configuration:

1.  Check that the following packages are installed, and install any that are missing: sssd, sssd-tools, krb5, krb5-client, pam_krb5

2.  Modify the /etc/krb5.conf file to reflect the actual configuration.  The [realms] section is required here because dns_lookup_kdc is set to false; environments that locate the KDC through DNS SRV records may omit it and the [domain_realm] mapping.  Note that the realm name must be written identically, in upper case, wherever it appears, and that [domain_realm] maps DNS names (left) to the realm (right).  For our example, see the following:

[libdefaults]
    default_realm = AD-DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = yes
    clockskew = 300

[realms]
    AD-DOMAIN.COM = {
        kdc = ADSERVER.AD-DOMAIN.COM
        default_domain = ad-domain.com
        admin_server = 192.168.0.1
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .ad-domain.com = AD-DOMAIN.COM
    ad-domain.com = AD-DOMAIN.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
    }

3.  Modify the /etc/sssd/sssd.conf file to reflect the actual configuration.  sssd refuses to start unless this file is owned by root with mode 0600.  debug_level = 10 is the most verbose setting and is useful while bringing the configuration up; lower it once logons work.  ldap_uri may also be given as ldap://adserver.ad-domain.com, since the GSSAPI bind derives the domain controller's service principal from the host named in the URI.  chpass_provider = krb5 changes passwords through the kpasswd service on the domain controller (port 464), which must therefore be reachable.  For our example, see the following:

[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss,pam
debug_level = 10

domains = AD-DOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/AD-DOMAIN.COM]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://192.168.0.1
ldap_schema = rfc2307bis
ldap_user_search_base = dc=ad-domain,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_search_base = dc=ad-domain,dc=com
ldap_group_object_class = group
ldap_force_upper_case_realm = false
ldap_access_order = expire
ldap_account_expire_policy = ad
krb5_realm = AD-DOMAIN.COM
krb5_server = 192.168.0.1
ldap_sasl_mech = gssapi
ldap_krb5_init_creds = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
ldap_sasl_authid = host/client.ad-domain.com@AD-DOMAIN.COM

4. Check that the SLES 11 SP1 server can resolve the Active Directory domain and the domain controller.  If DNS does not return an address for the domain, add it to the /etc/hosts file.  For our example, add the following to /etc/hosts:

  192.168.0.1    ad-domain.com adserver adserver.ad-domain.com

5. Create a service keytab for the SLES 11 SP1 server

From the Windows 2008 server, open a command window and run the following commands to register the host service principal on the computer object created for the SLES 11 SP1 server and generate a keytab.  Note that ktpass with /mapuser resets the password of the client$ computer account to the value entered at the /pass * prompt, so any key previously issued for that account becomes invalid.  For our example, the commands would be:
  - setspn -A host/client.ad-domain.com@AD-DOMAIN.COM client
  - setspn -L client
  - ktpass /princ host/client.ad-domain.com@AD-DOMAIN.COM /out client-krb5.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD-DOMAIN.COM\client$ /pass *
Copy client-krb5.keytab to the SLES 11 SP1 server over a protected channel (for example scp), place it in the /etc directory and rename it to krb5.keytab (the path referenced by ldap_krb5_keytab in sssd.conf).  The file contains the host's long-term Kerberos key, so it must be owned by root with mode 0600.

6. Verify Kerberos functionality and /etc/krb5.keytab.  The first command obtains a ticket with the host key from the keytab, the second with the user's password, and the ldapsearch confirms that a GSSAPI bind to the domain controller succeeds and returns the user object.  For our example, the commands would be:
  - kinit -k -t /etc/krb5.keytab 'host/client.ad-domain.com@AD-DOMAIN.COM'
  - kinit unixuser@AD-DOMAIN.COM
  - /usr/bin/ldapsearch -H ldap://adserver.ad-domain.com -Y GSSAPI -N -b "dc=ad-domain,dc=com" "(&(objectclass=user)(sAMAccountName=unixuser))"
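Most mistakes in steps 2, 3 and 5 only surface as a failed logon: a [realms] block whose name differs from default_realm, [domain_realm] entries that map to the DNS domain instead of the realm, an sssd domain section that disagrees with krb5.conf, or a keytab readable by every local user. The following script, added here as an example and not part of the SUSE document, runs static consistency checks over krb5.conf, sssd.conf and the keytab before the live kinit and ldapsearch tests above. It assumes the file locations and names used in this document; the file name preflight.sh is chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID: static pre-flight checks for the
# krb5.conf, sssd.conf and keytab produced in steps 2, 3 and 5 of the
# SLES 11 SP1 configuration.  Default paths are the ones this document uses.

# Print the value of KEY in [SECTION] of an INI-style file (first match only).
# Nested krb5.conf blocks such as "AD-DOMAIN.COM = {" yield the value "{".
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { insec = (trim($0) == "[" sec "]"); next }
        insec && index($0, "=") {
            i = index($0, "=")
            if (trim(substr($0, 1, i - 1)) == key) { print trim(substr($0, i + 1)); exit }
        }' "$1"
}

# Print every "key=value" pair of [SECTION], one per line, whitespace trimmed.
ini_pairs() {  # ini_pairs FILE SECTION
    awk -v sec="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { insec = (trim($0) == "[" sec "]"); next }
        insec && index($0, "=") {
            i = index($0, "=")
            print trim(substr($0, 1, i - 1)) "=" trim(substr($0, i + 1))
        }' "$1"
}

# The keytab holds the host's long-term Kerberos key: anyone who can read it
# can impersonate the host.  Returns 0 only for a regular file with mode 0600.
check_keytab() {  # check_keytab FILE
    kt=$1
    [ -f "$kt" ] || { echo "FAIL: keytab '$kt' is missing (step 5 installs it as /etc/krb5.keytab)"; return 1; }
    mode=$(stat -c '%a' "$kt")
    [ "$mode" = "600" ] || { echo "FAIL: $kt has mode $mode, expected 600"; return 1; }
    [ "$(stat -c '%U' "$kt")" = "root" ] || echo "WARN: $kt is not owned by root"
    return 0
}

# Catches the krb5.conf mistakes that silently break AD logons: a lower-case
# realm, a [realms] block whose name differs from default_realm, and
# [domain_realm] entries that map to the DNS domain instead of the realm.
lint_krb5_conf() {  # lint_krb5_conf FILE -> 0 when consistent
    f=$1; rc=0
    realm=$(ini_get "$f" libdefaults default_realm)
    [ -n "$realm" ] || { echo "FAIL: $f has no default_realm"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: default_realm '$realm' must be upper case"; rc=1; }
    [ "$(ini_get "$f" realms "$realm")" = "{" ] \
        || { echo "FAIL: [realms] in $f has no block named $realm"; rc=1; }
    for pair in $(ini_pairs "$f" domain_realm); do
        [ "${pair#*=}" = "$realm" ] \
            || { echo "FAIL: [domain_realm] maps ${pair%%=*} to ${pair#*=}, expected $realm"; rc=1; }
    done
    return $rc
}

# Checks the [domain/...] section against the realm from krb5.conf and the
# keytab it names; warns when ldap_uri is an IP address, because the GSSAPI
# bind derives the server principal (ldap/<fqdn>@REALM) from the URI host.
lint_sssd_conf() {  # lint_sssd_conf FILE REALM -> 0 when consistent
    f=$1; realm=$2; rc=0
    dom=$(ini_get "$f" sssd domains); dom=${dom%%,*}
    sec="domain/$dom"
    [ "$(ini_get "$f" "$sec" krb5_realm)" = "$realm" ] \
        || { echo "FAIL: krb5_realm in [$sec] is not $realm"; rc=1; }
    authid=$(ini_get "$f" "$sec" ldap_sasl_authid)
    case $authid in
        host/*@$realm) ;;
        *) echo "FAIL: ldap_sasl_authid '$authid' is not host/<fqdn>@$realm"; rc=1 ;;
    esac
    case $(ini_get "$f" "$sec" ldap_uri) in
        ldap://[0-9]*) echo "WARN: ldap_uri is an IP address; prefer the domain controller's FQDN for GSSAPI" ;;
    esac
    kt=$(ini_get "$f" "$sec" ldap_krb5_keytab)
    check_keytab "${kt:-/etc/krb5.keytab}" || rc=1   # sssd falls back to the system keytab
    return $rc
}

preflight() {  # preflight [KRB5CONF] [SSSDCONF]; run as root on the SLES host
    krb=${1:-/etc/krb5.conf}; sssd=${2:-/etc/sssd/sssd.conf}
    lint_krb5_conf "$krb" || return 1
    lint_sssd_conf "$sssd" "$(ini_get "$krb" libdefaults default_realm)"
}

# Invoke as: sh preflight.sh --run [KRB5CONF] [SSSDCONF]
if [ "${1:-}" = "--run" ]; then preflight "$2" "$3"; fi
```

Run it as root with sh preflight.sh --run; every line beginning with FAIL names the file and key to correct, and a non-zero exit status means the live checks in step 6 are not worth attempting yet. The functions can also be sourced into an interactive shell and pointed at alternative paths.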
 
7. Modify the /etc/nsswitch.conf file so that passwd and group lookups fall through to sss after the local files:

passwd: files sss
group:  files sss

8. Add the pam_sss.so module to the /etc/pam.d files.  Always back up /etc/pam.d before making modifications and keep an open, already authenticated terminal session while testing until the configuration is validated: a mistake in these files can make it impossible to authenticate any user, including root.  On SLES the pam-config utility (pam-config -a --sss) applies the change consistently to all four common-* files.  For our example, the pam.d files contain the following:

/etc/pam.d/common-auth
auth    required    pam_env.so   
auth    sufficient    pam_unix2.so   
auth    required    pam_sss.so    use_first_pass   

/etc/pam.d/common-account
account    requisite    pam_unix2.so   
account    sufficient    pam_localuser.so
account    required    pam_sss.so    use_first_pass

/etc/pam.d/common-session
session    required    pam_limits.so   
session    required    pam_unix2.so   
session    optional    pam_sss.so   
session    optional    pam_umask.so   

/etc/pam.d/common-password
password    requisite    pam_pwcheck.so    nullok cracklib
password    sufficient    pam_unix2.so    use_authtok nullok
password    required    pam_sss.so    use_authtok

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7014572
  • Creation Date: 14-Feb-2014
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
