Home > Others > Simple Steps to Start with SSSD Configuration.

Simple Steps to Start with SSSD Configuration.

September 13, 2015 Leave a comment Go to comments

RHEL with AD using SSSD.

My previous post assumed many setup constraints which might not be true.
Here are some simple steps to start off with SSSD configuration. We will still assume we have 2 Domains to authenticate from ABCDOMAIN and XYZDOMAIN.

Preparation for SSSD.

Prerequisite installations.
yum install sssd sssd-client krb5-workstation samba openldap-clients open-ssl authconfig

Update /etc/resolve.conf on slave nodes.

And then we update the /etc/resolve.conf file with the direct IP of External Server 172.14.14.174, as slave node now should be able to communicate to the External Server.
; generated by /sbin/dhclient-script
nameserver 172.14.14.174 ; IP for the DNS server, this happens to be the xyzserver.
nameserver 172.14.14.141 ; IP for the DNS server, this happens to be the abcserver.
Testing if ping works.
[root@slave-server ~]# ping xyzserver.xyzdomain.com
PING xyzserver.xyzdomain.com (172.14.14.174) 56(84) bytes of data.
64 bytes from 172.14.14.174: icmp_seq=1 ttl=127 time=0.866 ms
64 bytes from 172.14.14.174: icmp_seq=2 ttl=127 time=1.09 ms
64 bytes from 172.14.14.174: icmp_seq=3 ttl=127 time=1.12 ms
64 bytes from 172.14.14.174: icmp_seq=4 ttl=127 time=0.933 ms
^C
--- xyzserver.xyzdomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7042ms
rtt min/avg/max/mdev = 0.866/1.004/1.122/0.112 ms
[root@slave-server ~]#


[root@slave-server ~]# ping abcserver.abcdomain.com
PING abcserver.abcdomain.com (172.14.14.141) 56(84) bytes of data.
64 bytes from 172.14.14.141: icmp_seq=1 ttl=127 time=0.866 ms
64 bytes from 172.14.14.141: icmp_seq=2 ttl=127 time=1.09 ms
64 bytes from 172.14.14.141: icmp_seq=3 ttl=127 time=1.12 ms
64 bytes from 172.14.14.141: icmp_seq=4 ttl=127 time=0.933 ms
^C
--- abcserver.abcdomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7042ms
rtt min/avg/max/mdev = 0.866/1.004/1.122/0.112 ms
[root@slave-server ~]#

Create a bind user on both domains ABCDOMAIN and XYZDOMAIN.

Open the Active directory and create a user called xyzdomainuser user in XYZDOMAIN, and abcdomainuser in ABCDOMAIN.
We will using these users to join DOMAIN using the ldap_default_bind_dn, will get to this later on.

Setting krb5 configuration.

Setting up the krb setting to communicate with AD using Kerberos.
[libdefaults]
default_realm = XYZDOMAIN.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
XYZDOMAIN.COM = {
kdc = xyzserver.xyzdomain.com
admin_server = xyzserver.xyzdomain.com
}

ABCDOMAIN.COM = {
kdc = abcserver.abcdomain.com
admin_server = abcserver.abcdomain.com
}

[domain_realm]
abcdomain.com = ABCDOMAIN.COM
.abcdomain.com = .ABCDOMAIN.COM
xyzdomain.com = XYZDOMAIN.COM
.xyzdomain.com = .XYZDOMAIN.COM

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log

Testing krb5 setup.

Once we have the configuration we will use kinit to test (Test both users).
[root@slave-server ~]# kinit xyzdomainuser@XYZDOMAIN.COM
Password for xyzdomainuser@XYZDOMAIN.COM:
[root@slave-server ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xyzdomainuser@XYZDOMAIN.COM

Valid starting     Expires            Service principal
09/12/15 08:37:56  09/12/15 18:38:03  krbtgt/XYZDOMAIN.COM@XYZDOMAIN.COM
        renew until 09/19/15 08:37:56
[root@slave-server ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xyzdomainuser@XYZDOMAIN.COM

Valid starting     Expires            Service principal
09/12/15 08:37:56  09/12/15 18:38:03  krbtgt/XYZDOMAIN.COM@XYZDOMAIN.COM
        renew until 09/19/15 08:37:56, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
Now we are able to connect to ldap and get the tgt as well. so we are ready for the next steps.

Testing ldapsearch from the Linux server.

This step is to make sure that our active directory is accessible. And we are able to search users and groups from Linux nodes. Goto linux machine and execute the below command.
 ldapsearch -v -x -H ldap://xyzserver.xyzdomain.com/ -D "cn=xyzdomainuser,cn=Users,dc=xyzdomain,dc=com" -W -b "cn=xyzuser2,ou=cmlab,dc=xyzdomain,dc=com"
ldapsearch -v -x -H ldap://abcserver.xyzdomain.com/ -D "cn=abcdomainuser,cn=Users,dc=abcdomain,dc=com" -W -b "cn=xyzuser2,ou=cmlab,dc=abcdomain,dc=com"
Here are some more details about the options above.
More details here : http://ift.tt/1Q9oHCk
-v      Run in verbose mode, with many diagnostics written to standard output.
-x      Use simple authentication instead of SASL.
-H ldapuri
        Specify URI(s) referring to the ldap server(s).
-D binddn
        Use the Distinguished Name binddn to bind to the LDAP directory.
-W      Prompt for simple authentication.  This is used instead of specifying the password on the command line.
-b searchbase
        Use searchbase as the starting point for the search  instead  of the default.
Above we are trying to search for information about xyzuser2 using the user xyzdomainuser. When you execute the command above we need to enter the password for xyzdomainuser. Assuming xyzuser2 user is present in the DOMAIN.

Creating SSSD Configuration.

Finally we are ready to configure SSSD. Below are the SSSD configuration to connect to xyzdomain.com.
If we want to connect to multiple AD servers, then we need to add multiple [domain/abcdomain.com] in the configuration.
[sssd]
config_file_version = 2
debug_level = 0
domains = xyzdomain.com, abcdomain.com
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1

[pam]
reconnection_retries = 3

[domain/xyzdomain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5
access_provider = simple
cache_credentials = false
min_id = 1000
ad_server = xyzserver.xyzdomain.com
ldap_uri = ldap://xyzserver.xyzdomain.com:389
ldap_schema = ad
krb5_realm = XYZDOMAIN.COM
ldap_id_mapping = true
cache_credentials = false
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = CN=xyzdomainuser,CN=Users,DC=xyzdomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = Welcome@123
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory

###################################################
# Update below with another AD server as required #
###################################################

[domain/abcdomain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5
access_provider = simple
cache_credentials = false
min_id = 1000
ad_server = abcserver.abcdomain.com
ldap_uri = ldap://abcserver.abcdomain.com/:389
ldap_schema = ad
krb5_realm = ABCDOMAIN.COM
ldap_id_mapping = true
cache_credentials = false
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = CN=abcdomainuser,CN=Users,DC=abcdomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = Welcome@123
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
Install oddjob-mkhomedir to auto create the directory whenever a user logs in.
yum install oddjob-mkhomedir    
Enable sssd, localauth and update the configuration.
authconfig --enablesssd --enablesssdauth --enablelocauthorize --update    
NOTE : Check the sssd.conf again, sometimes authconfig will insert the default domain.
You can remove it and make the sssd.conf file similar to what we have above.
Start sssd services.
service sssd start
service oddjobd start
Testing our setup.
Checking our user, who is present in the Active Directory XYZDOMAIN.
[root@slave-server ~]# id xyzdomainuser
uid=62601149(xyzdomainuser) gid=62600513(Domain Users) groups=62600513(Domain Users),62601134(supergroup),62601133(hdfs)
[root@slave-server ~]# su xyzdomainuser
[xyzdomainuser@slave-server root]$ cd ~
[xyzdomainuser@slave-server ~]$ pwd
/home/xyzdomainuser
Next we try to login from remote.
[xyzdomainuser@slave-server ~]$ exit
exit
[root@slave-server ~]# ssh xyzdomainuser@slave-server
xyzdomainuser@slave-server's password:
Last login: Sat Sep 12 07:46:15 2015 from slave-server.xyzdomain.com
[xyzdomainuser@slave-server ~]$ pwd
/home/xyzdomainuser
[xyzdomainuser@slave-server ~]$ id
uid=62601149(xyzdomainuser) gid=62600513(Domain Users) groups=62600513(Domain Users),62601133(hdfs),62601134(supergroup)
[xyzdomainuser@slave-server ~]$
We are able to and the /home/xyzdomainuser is autocreated when the user logged-in.
Now checking users for ABCDOMAIN.
[root@slave-server ~]# id abcdomainuser
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401114(supergroup-test),1916401113(hadoop-test),1916401112,1916401112
[root@slave-server ~]# id abcdomainuser
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401114(supergroup-test),1916401113(hadoop-test),1916401112,1916401112
[root@slave-server ~]# su abcdomainuser
sh-4.1$ pwd
/root
sh-4.1$ cd ~
sh-4.1$ pwd
/home/abcdomainuser
sh-4.1$ id
uid=1916401111(abcdomainuser) gid=1916400513 groups=1916400513,1916401112,1916401113(hadoop-test),1916401114(supergroup-test)
sh-4.1$ exit
exit
We are done.

from Blogger http://ift.tt/1NpMn6g
via IFTTT

Advertisements
Categories: Others Tags: ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: