Monday, September 26, 2016

Working SSSD Config for RHEL 6.8/CentOS 6.8

Note that I have not tried this from a clean install. These are my notes from when I was switching over from samba/winbind, which is why you'll see some mentions of having to copy-paste things a second time or having to restart extra times; those steps may be optional.

Optional:
Leave the old domain and sync the clock (Kerberos rejects tickets if the clock skew between the client and the DC is too large).
ntpdate -u dc01.domain.com
net ads leave domain.com -U username

Optional:
There was an issue with the previously installed version; it had to be removed before installing anything else.
yum remove libipa_hbac -y


Step 1: Install SSSD, Authconfig, SSSD Tools, ADCLI, and KRB5 Workstation
yum install sssd authconfig sssd-tools adcli krb5-workstation -y

Step 2: Configure Kerberos, Samba, and SSSD ****** CASE MATTERS (realm names UPPER CASE, DNS domain names lower case) !!!!!!!! ******
echo y | cp /etc/krb5.conf /etc/krb5.conf.bak

echo "[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.COM = {
kdc = DC01.DOMAIN.COM
admin_server = DC01.DOMAIN.COM
kdc = X.X.X.X
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM" > /etc/krb5.conf
 
echo y | cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

echo "[global]
workgroup = DOMAINN
client signing = yes
#client user spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = DC01.DOMAIN.COM
realm = DOMAIN.COM
security = ADS" > /etc/samba/smb.conf

echo y | cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak

echo "[sssd]
config_file_version = 2
services = nss, pam, ssh, autofs
domains = DOMAIN.COM
#default_domain_suffix = DOMAIN.COM

[nss]
filter_users = root,ldap,named

[domain/DOMAIN.COM]
id_provider = ad
ad_server = dc01.domain.com
ad_backup_server = dc02.domain.com
ad_domain = domain.com
krb5_realm = DOMAIN.COM
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5


[autofs]" > /etc/sssd/sssd.conf
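Two things the echo "..." > file step above does not guard: sssd refuses to start unless sssd.conf is owned by root with mode 0600 (a file created fresh by a redirect gets the default 0644), and the case rules are easy to get wrong. As an added example, not code from the original post, this POSIX sh script writes the same sssd.conf from a here-document with those properties and then lints the result for mode, case, and a service listed twice; the function names and the EXAMPLE.COM values are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: write sssd.conf with the mode sssd
# requires and check the case rules the post stresses. Hypothetical helpers;
# the config body mirrors the post, the realm/domain/DC values are parameters.

# write_sssd_conf PATH REALM DOMAIN DC1 DC2
write_sssd_conf() {
    path=$1; realm=$2; domain=$3; dc1=$4; dc2=$5
    if [ -f "$path" ]; then cp -f "$path" "$path.bak"; fi    # same backup step as the post
    # umask in a subshell: a new file is created 0600 from the start, never 0644
    ( umask 077; cat > "$path" <<EOF
[sssd]
config_file_version = 2
services = nss, pam, ssh, autofs
domains = $realm

[nss]
filter_users = root,ldap,named

[domain/$realm]
id_provider = ad
ad_server = $dc1
ad_backup_server = $dc2
ad_domain = $domain
krb5_realm = $realm
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[autofs]
EOF
    )
    chmod 0600 "$path"                      # an existing file keeps its old mode when truncated, so fix it
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$path"; fi
}

# get_key PATH KEY -> first value of "KEY = value" in the file
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_sssd_conf PATH -> prints each problem found, returns 1 if there were any
check_sssd_conf() {
    f=$1; rc=0
    mode=$(stat -c %a "$f")
    if [ "$mode" != 600 ]; then echo "mode is $mode, sssd wants 0600"; rc=1; fi
    realm=$(get_key "$f" krb5_realm)
    if [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ]; then
        echo "krb5_realm '$realm' must be upper case"; rc=1
    fi
    dom=$(get_key "$f" ad_domain)
    if [ "$dom" != "$(printf '%s' "$dom" | tr A-Z a-z)" ]; then
        echo "ad_domain '$dom' must be lower case"; rc=1
    fi
    # a service listed twice (e.g. autofs appearing twice) is a copy-paste slip worth catching
    dup=$(get_key "$f" services | tr -d ' ' | tr , '\n' | sort | uniq -d)
    if [ -n "$dup" ]; then echo "duplicate service(s): $dup"; rc=1; fi
    return $rc
}
```

Run it as root with the real path (write_sssd_conf /etc/sssd/sssd.conf DOMAIN.COM domain.com dc01.domain.com dc02.domain.com; check_sssd_conf /etc/sssd/sssd.conf) before the service restart; the lint can also be pointed at a copy of an existing sssd.conf.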

Step 3: Restart the services, then test to see if all the config files are working
service smb restart; service winbind restart; service sssd restart;

kinit username

Type in your password; if it returns with no output, it worked.
You can check this by typing
klist
which should list a krbtgt/DOMAIN.COM@DOMAIN.COM ticket.

If you get an error, something is wrong in the config or your password is wrong.

Step 4: Configure PAM Modules, Join Domain
authconfig --update --enablesssd --enablesssdauth

service smb restart; service winbind restart; service sssd restart;

adcli join domain.com -U user -v

Verify that everything in the nsswitch.conf file got updated. passwd, shadow and group should be files sss.
cat /etc/nsswitch.conf

It should look like this:
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
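Eyeballing nsswitch.conf is fine once, but after authconfig runs it is worth having a check that says exactly which databases still bypass sss. As an added example, not code from the original post, this POSIX sh script parses an nsswitch.conf (path given as a parameter, so it can run against a copy) and reports every database from the list above that does not include sss; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report which nsswitch.conf
# databases are not routed through sss. Hypothetical helper functions.

# nss_uses_sss FILE DB -> 0 if a line "DB: ... sss ..." exists (comments ignored)
nss_uses_sss() {
    awk -v db="$2" '
        {
            line = $0; sub(/#.*/, "", line)                 # strip comments
            n = index(line, ":"); if (n == 0) next          # not a "db: sources" line
            name = substr(line, 1, n - 1); gsub(/[[:space:]]/, "", name)
            if (name != db) next
            m = split(substr(line, n + 1), src, /[[:space:]]+/)
            for (i = 1; i <= m; i++) if (src[i] == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_nsswitch FILE [DB...] -> prints "DB: missing sss" per offender, returns 1 if any
check_nsswitch() {
    f=$1; shift
    if [ $# -eq 0 ]; then set -- passwd shadow group netgroup automount services; fi
    rc=0
    for db in "$@"; do
        if ! nss_uses_sss "$f" "$db"; then echo "$db: missing sss"; rc=1; fi
    done
    return $rc
}
```

On the box itself: check_nsswitch /etc/nsswitch.conf (or check_nsswitch /etc/nsswitch.conf passwd shadow group for just the three the post cares about); a non-zero exit means authconfig did not do what you expected and getent will keep coming back empty.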

Step 5: Restart services, print out AD users, print out AD groups, check the id of a test user
service smb restart; service winbind restart; service sssd restart;
getent passwd

getent group

id username

Step 6: Test login
ssh username@127.0.0.1

**** IF getent doesn't show anything but id works, restart the services again and check again *****
service smb restart; service winbind restart; service sssd restart;


If you want to limit login based on groups, check out /etc/security/access.conf (pam_access only reads it once it is enabled in the PAM stack, e.g. with authconfig --enablepamaccess --update; rules are tried top to bottom and the first match wins, so the deny-all line must stay last).
echo "+ : group1 "group 2" jsmith root : ALL
- : ALL : ALL" >> /etc/security/access.conf
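Because pam_access stops at the first matching line, the order of the "+" rule and the "- : ALL : ALL" rule decides who can still log in. As an added example, not code from the original post, this POSIX sh evaluator applies a rules file the way pam_access does for a given user, group list and origin, so a rule set can be tested against a few accounts before it goes live; the function names are made up, the "(group name)" token form follows access.conf(5) (whether group names containing spaces are accepted is assumed here and should be checked against the installed pam version), and LOCAL and EXCEPT are not implemented.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate access.conf rules like
# pam_access does (first matching line wins; no match means access is granted)
# for a user, the user's groups and a login origin. Hypothetical helpers.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# in_list NAME LIST -> 0 if NAME is one entry of the newline-separated LIST
in_list() { [ -n "$1" ] && printf '%s\n' "$2" | grep -qxF -- "$1"; }

# match_users FIELD USER GROUPS -> 0 if the users field covers USER.
# Tokens: ALL, a login name, a group name, or (group name) per access.conf(5).
match_users() {
    rest=$1
    while :; do
        rest=${rest#"${rest%%[![:space:]]*}"}             # drop leading whitespace
        if [ -z "$rest" ]; then return 1; fi
        case $rest in
            \(*\)*)                                        # (group name), may contain spaces
                tok=${rest#\(}; tok=${tok%%\)*}; rest=${rest#*\)}
                if in_list "$tok" "$3"; then return 0; fi ;;
            *)                                             # plain token: ALL, user or group
                tok=${rest%%[[:space:]]*}; rest=${rest#"$tok"}
                if [ "$tok" = ALL ] || [ "$tok" = "$2" ] || in_list "$tok" "$3"; then return 0; fi ;;
        esac
    done
}

# match_origin FIELD ORIGIN -> 0 if ORIGIN (tty, host or ALL) is listed
match_origin() {
    for tok in $1; do
        if [ "$tok" = ALL ] || [ "$tok" = "$2" ]; then return 0; fi
    done
    return 1
}

# access_check FILE USER GROUPS [ORIGIN] -> prints allow, deny or nomatch
access_check() {
    origin=${4:-ALL}
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*:*) ;; *) continue ;; esac       # not a "perm : users : origins" line
        perm=$(trim "${line%%:*}"); line=${line#*:}
        users=${line%%:*}; origins=${line#*:}
        if match_origin "$origins" "$origin" && match_users "$users" "$2" "$3"; then
            case $perm in
                +) echo allow ;;
                -) echo deny ;;
                *) echo "bad permission '$perm'" >&2; echo deny ;;
            esac
            return 0
        fi
    done < "$1"
    echo nomatch                                          # pam_access grants access when nothing matches
}

# Constructed rule set mirroring the post (deny-all last); stand-alone it prints
# the decision for a few made-up accounts.
rules=$(mktemp)
printf '%s\n' '+ : group1 (group 2) jsmith root : ALL' '- : ALL : ALL' > "$rules"
for u in jsmith alice mallory; do
    case $u in alice) g="group1" ;; mallory) g="other" ;; *) g="" ;; esac
    echo "$u -> $(access_check "$rules" "$u" "$g")"
done
rm -f "$rules"
```

Pass the groups as one name per line (the output of id -Gn with spaces turned into newlines works for single-word groups); swapping the two rule lines in the constructed file makes every account come back as deny, which is the lock-out the ordering note above warns about.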

Sudo based on groups (check the result with visudo -c afterwards; a syntax error in sudoers breaks sudo for everyone)
echo "%admin ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
