How to configure sssd/ldap on SLES 11 to authenticate to Windows 2008R2 Active Directory or DSfW

  • 7015963
  • 08-Dec-2014
  • 02-Jun-2017

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
Open Enterprise Server 11 SP3 (OES11 SP3)
Domain Services for Windows
DSfW
Windows 2008R2

Situation

How to configure sssd with LDAP authentication (no Kerberos) to Windows 2008 R2 AD or OES11 SP3 Domain Services for Windows.

NOTE: When connecting SLES 11 to Active Directory, using Samba is nevertheless the preferred method.

Resolution

This document describes how to configure sssd on SLES 11 SP3 to perform name resolution and authentication using LDAP (no Kerberos) against a Windows 2008 Active Directory domain or a Domain Services for Windows domain.

For the purposes of this document, the following naming is used:

domain = ad-domain.com
realm = AD-DOMAIN.COM
SLES 11 SP3 server (client) = client
SLES 11 SP3 server (client) fully qualified = client.ad-domain.com
Windows 2008R2 server (AD server) = adserver
Windows 2008R2 server (AD server) fully qualified = adserver.ad-domain.com
ipaddress of Windows 2008R2 server = 192.168.0.1
User = user1
Group = group1

Windows 2008R2/DSfW domain configuration:

1. Using Server Manager, under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], expand the domain that will contain the SLES 11 SP3 server and users, ad-domain.com. If the domain doesn't exist yet, create a new domain.

2. Within the Computers folder, right click and choose New | Computer. Create a computer object that corresponds to the SLES 11 SP3 server. For our example, Computer name = client. It is not necessary to choose the option "Assign this computer account as a pre-Windows 2000 computer".
  
3. For Windows 2008R2 only (not DSfW), click Active Directory Domain Services under Roles in Server Manager. Scroll the right hand window down to Role Services. Choose Add Role Service and select Identity Management for UNIX. Use the domain created or used in step 1 as the NIS Domain Name. For our example, NIS Domain name = ad-domain.com.

4. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], within the Users folder, right click and choose New | Group. Create a group object. For our example, Group name = unixgroup.
  - Double click or go into properties for the group unixgroup, then switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set GID (this will be according to your environment's configuration). For our example, 10000.

5. Under Roles | Active Directory Domain Services | Active Directory Users and Computers [adserver.ad-domain.com], within the Users folder, right click and choose New | User. Create a user object. For our example, User logon name = unixuser.
  - Uncheck "User must change password at next logon" and "Account is disabled".
  - Double click or go into properties for the user unixuser, then switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set UID (this will be according to your environment's configuration). For our example, 10000.
    - Set Login Shell (this will be according to your environment's configuration). For our example, /bin/bash.
    - Set Home Directory (this will be according to your environment's configuration). For our example, /home/unixuser.
    - Set Primary Group Name/GID to unixgroup.

6. Export the CA certificate that signed the AD server's LDAP server certificate as a .pem file and copy it to the SLES server. The client needs it to verify the AD server when the LDAP connection is protected with TLS (the example below uses /root/Desktop/SSCert.pem and /etc/SSCert.pem).

SLES 11 SP3 server configuration:

1. Install the following packages: sssd, sssd-tools, openldap2-client, pam-modules

2. Edit /etc/ldap.conf so that it contains the following:
base    dc=ad-domain,dc=com
bind_policy     soft
pam_lookup_policy       yes
pam_password    ad
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member
ssl     start_tls
tls_cacertfile  /root/Desktop/SSCert.pem
uri     ldap://192.168.0.1
ldap_version    3
pam_filter      objectClass=posixAccount
tls_cacertdir   /root/Desktop

3. Edit /etc/sssd/sssd.conf so that it contains the following:
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_uri = ldap://192.168.0.1
ldap_search_base = dc=ad-domain,dc=com
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
cache_credentials = True
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = True
ldap_tls_cacertdir = /etc
ldap_tls_cacert = /etc/SSCert.pem

4. Configure the client's DNS resolver so that it can resolve the AD domain name; usually the AD server itself is the DNS server for the AD zone. Alternatively, add the AD server to the /etc/hosts file:
192.168.0.1 ad-domain.com adserver adserver.ad-domain.com

5. Edit /etc/nsswitch.conf so that the passwd and group databases include sss:
passwd: compat sss
group: compat sss

6. Add the pam_sss.so module to the PAM configuration. Back up common-auth, common-account, common-session and common-password in the /etc/pam.d/ directory first, then edit them as follows:
/etc/pam.d/common-auth
auth    required    pam_env.so
auth    sufficient    pam_unix2.so
auth    required    pam_sss.so    use_first_pass

/etc/pam.d/common-account
account    requisite    pam_unix2.so
account    sufficient    pam_localuser.so
account    required    pam_sss.so    use_first_pass

/etc/pam.d/common-session
session    required    pam_limits.so
session    required    pam_unix2.so
session    optional    pam_sss.so
session    optional    pam_umask.so

/etc/pam.d/common-password
password    requisite    pam_pwcheck.so    nullok cracklib
password    sufficient    pam_unix2.so    use_authtok nullok
password    required    pam_sss.so    use_authtok

7. Verify that the AD user can be resolved with the id command (sssd must already be running, see step 8):
id user1

8. Start sssd:
rcsssd start
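As an added example (not part of the TID), the following Python script audits the [domain/default] section of the sssd.conf built in step 3 above for the settings that decide whether identity lookups and credentials reach the AD server over TLS with a verified server certificate. The embedded configuration is a constructed copy of the TID's domain section; the check names and severities are this example's own.

```python
"""Audit the TLS-related settings of an sssd.conf LDAP domain (added example)."""
import configparser

# Constructed sample: the relevant part of the TID's /etc/sssd/sssd.conf.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = default

[domain/default]
ldap_uri = ldap://192.168.0.1
ldap_search_base = dc=ad-domain,dc=com
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/SSCert.pem
cache_credentials = True
enumerate = True
"""


def _is_true(section, key):
    """sssd accepts True/true/TRUE for booleans; treat anything else as false."""
    return section.get(key, "false").strip().lower() == "true"


def audit_domain(conf_text, domain="default"):
    """Return a list of (severity, message) findings for one LDAP domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    findings = []
    # Identity lookups over plain ldap:// must be upgraded with STARTTLS.
    if sec.get("ldap_uri", "").startswith("ldap://") and not _is_true(sec, "ldap_id_use_start_tls"):
        findings.append(("HIGH", "identity lookups use ldap:// without STARTTLS"))
    # Without a CA certificate the client cannot verify the AD server.
    if not sec.get("ldap_tls_cacert") and not sec.get("ldap_tls_cacertdir"):
        findings.append(("HIGH", "no CA certificate configured; AD server cannot be verified"))
    # sssd's default is 'demand'; 'never' and 'allow' skip certificate verification.
    reqcert = sec.get("ldap_tls_reqcert", "demand").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append(("HIGH", "ldap_tls_reqcert = %s disables certificate verification" % reqcert))
    if _is_true(sec, "enumerate"):
        findings.append(("INFO", "enumerate = True downloads every user and group; costly in large domains"))
    if _is_true(sec, "cache_credentials"):
        findings.append(("INFO", "cache_credentials = True allows offline logins; protect the sssd cache"))
    return findings
```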