Environment
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
Open Enterprise Server 11 SP3 (OES11 SP3)
Domain Services for Windows
DSfW
Windows 2008R2
Situation
How to configure sssd with LDAP authentication (no Kerberos) to Windows 2008 R2 Active Directory or OES11 SP3 Domain Services for Windows.
NOTE: It is, however, preferred to use Samba with SLES 11 when connecting to Active Directory.
Resolution
This document describes how to configure sssd on SLES 11 SP3 to perform name resolution and authentication using LDAP (no Kerberos) against a Windows 2008 R2 Active Directory domain or a Domain Services for Windows domain.
For the purposes of this document, the following naming is used:
domain = ad-domain.com
realm = AD-DOMAIN.COM
SLES 11 SP3 server (client) = client
SLES 11 SP3 server (client) fully qualified = client.ad-domain.com
Windows 2008R2 server (AD server) = adserver
Windows 2008R2 server (AD server) fully qualified = adserver.ad-domain.com
ipaddress of Windows 2008R2 server = 192.168.0.1
User = user1
Group = group1
Windows 2008R2/DSfW domain configuration:
1. Using Server Manager, under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], expand the domain that will contain the SLES 11 SP3 server and users: ad-domain.com. If the domain does not exist yet, create a new domain.
2. Within the Computers folder, right-click and choose New | Computer. Create a computer object that corresponds to the SLES 11 SP3 server. For our example, Computer name = client. It is not necessary to choose the option "Assign this computer account as a pre-Windows 2000 computer".
3. For Windows 2008R2 only (not DSfW), click Active Directory Domain Services under Roles in Server Manager. Scroll the right-hand window down to Role Services. Choose Add Role Service and select Identity Management for UNIX. Use the domain created or used in step 1 as the NIS Domain Name. For our example, NIS Domain name = ad-domain.com.
4. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], within the Users folder, right-click and choose New | Group. Create a group object. For our example, Group name = unixgroup.
- Double-click (or open Properties on) the group unixgroup, then switch to the UNIX Attributes tab.
- Select the NIS domain set up in step 3.
- Set the GID according to your environment's configuration. For our example, 10000.
5. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], within the Users folder, right-click and choose New | User. Create a user object. For our example, User logon name = unixuser.
- Uncheck "User must change password at next logon" and "Account is disabled".
- Double-click (or open Properties on) the user unixuser, then switch to the UNIX Attributes tab.
- Select the NIS domain set up in step 3.
- Set the UID according to your environment's configuration. For our example, 10000.
- Set the Login Shell according to your environment's configuration. For our example, /bin/bash.
- Set the Home Directory according to your environment's configuration. For our example, /home/unixuser.
- Set Primary Group Name/GID to unixgroup.
6. Export the AD server's CA certificate as a .pem file and copy it to the SLES server (the configuration below refers to it as SSCert.pem).
SLES 11 SP3 server configuration:
1. Install the following packages: sssd, sssd-tools, openldap2-client, pam-modules
2. Edit the /etc/ldap.conf
base dc=ad-domain,dc=com
bind_policy soft
pam_lookup_policy yes
pam_password ad
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl start_tls
tls_cacertfile /root/Desktop/SSCert.pem
uri ldap://192.168.0.1
ldap_version 3
pam_filter objectClass=posixAccount
tls_cacertdir /root/Desktop
3. Edit /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss,pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_uri = ldap://192.168.0.1
ldap_search_base = dc=ad-domain,dc=com
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
cache_credentials = True
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = True
ldap_tls_cacertdir = /etc
ldap_tls_cacert = /etc/SSCert.pem
4. Point the SLES server's nameserver (DNS server) at one that resolves the AD domain name; usually the AD server itself is the DNS server for the AD zone. Alternatively, add the AD server to the /etc/hosts file:
192.168.0.1 ad-domain.com adserver adserver.ad-domain.com
5. Edit /etc/nsswitch.conf to include sss
passwd: compat sss
group: compat sss
6. Add the pam_sss.so module to the pam.d files.
Back up common-auth, common-account, common-session, and common-password in the /etc/pam.d/ directory before editing them.
/etc/pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_sss.so use_first_pass
/etc/pam.d/common-account
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
/etc/pam.d/common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_sss.so
session optional pam_umask.so
/etc/pam.d/common-password
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_sss.so use_authtok
7. Verify that the user can be resolved with the id command
id user1
8. Start sssd
rcsssd start
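Because this setup authenticates with an LDAP simple bind, the password protection rests entirely on the StartTLS and CA settings in sssd.conf from step 3, and on the file itself being readable only by root. The following shell script is an added example, not part of the original TID: it audits those three points in a given sssd.conf, and the sample configuration it builds is constructed from the values above (file paths are parameters).

```shell
# Added example (not from the TID): audit the security-relevant settings of a
# sssd.conf written per the steps above. The file path is a parameter.

# Print the value of KEY from the [domain/...] section of FILE (first match).
sssd_domain_value() {  # sssd_domain_value FILE KEY
    awk -v key="$2" '
        /^\[/ { insec = ($0 ~ /^\[domain\//) }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 when the domain enforces StartTLS (or uses ldaps://), names a CA
# certificate and the file is root-only; otherwise print each finding, return 1.
audit_sssd_conf() {  # audit_sssd_conf FILE
    rc=0
    uri=$(sssd_domain_value "$1" ldap_uri)
    tls=$(sssd_domain_value "$1" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    ca=$(sssd_domain_value "$1" ldap_tls_cacert)
    case "$uri" in   # plain ldap:// without StartTLS sends passwords in the clear
        ldaps://*) ;;
        *) [ "$tls" = "true" ] || { echo "FINDING: StartTLS not enforced for $uri"; rc=1; } ;;
    esac
    # Without a CA certificate the AD server's identity is never verified.
    [ -n "$ca" ] || { echo "FINDING: ldap_tls_cacert is not set"; rc=1; }
    # sssd.conf may hold a bind password (ldap_default_authtok), so it must be 0600.
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || { echo "FINDING: $1 is mode $mode, expected 600"; rc=1; }
    return $rc
}

# Constructed sample: the [domain/default] settings from step 3 above, with
# ldap_id_use_start_tls set to $2 so the hardened and the weak case can both run.
make_sample_conf() {  # make_sample_conf FILE True|False
    cat > "$1" <<EOF
[sssd]
services = nss,pam
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.0.1
ldap_search_base = dc=ad-domain,dc=com
ldap_id_use_start_tls = $2
ldap_tls_cacert = /etc/SSCert.pem
EOF
    chmod 600 "$1"
}

good=$(mktemp) && make_sample_conf "$good" True && audit_sssd_conf "$good" && echo "hardened: OK"
weak=$(mktemp) && make_sample_conf "$weak" False && { audit_sssd_conf "$weak" || echo "weak: rejected"; }
rm -f "$good" "$weak"
```

Run it against the live file with `audit_sssd_conf /etc/sssd/sssd.conf`; a non-zero exit lists each setting that needs attention.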