Monday, September 26, 2016

Working SSSD Config for RHEL 6.8/CentOS 6.8

Now I want to note that I have not tried this from a clean install. These are my notes from when I was switching over from samba/winbind, which is why you'll see some mentions of having to copy and paste things a second time or having to restart extra times. Those steps may be optional.

Leave the old domain and sync time:
ntpdate -u
net ads leave -U username

There was an issue with the previously installed version; I had to remove it before installing anything else.
yum remove libipa_hbac -y

Step 1: Install SSSD, Authconfig, SSSD Tools, ADCLI, and KRB5 Workstation
yum install sssd authconfig sssd-tools adcli krb5-workstation -y

Step 2: Configure KRB5, Samba, and SSSD ****** CASE MATTERS !!!!!!!! ******
echo y | cp /etc/krb5.conf /etc/krb5.conf.bak

echo "[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.COM = {
 admin_server = DC01.DOMAIN.COM
 kdc = X.X.X.X
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM" > /etc/krb5.conf
echo y | cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

echo "[global]
workgroup = DOMAIN
client signing = yes
#client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
password server = DC01.DOMAIN.COM
realm = DOMAIN.COM
security = ADS" > /etc/samba/smb.conf

echo y | cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak

echo "[sssd]
config_file_version = 2
services = nss, pam, autofs, ssh
domains = DOMAIN.COM
#default_domain_suffix = DOMAIN.COM

[nss]
filter_users = root,ldap,named

[domain/DOMAIN.COM]
id_provider = ad
# ad_domain defaults to the section name and ad_server to DNS discovery;
# uncomment and fill these in only if you need to pin them.
#ad_server = DC01.DOMAIN.COM
#ad_backup_server =
#ad_domain = DOMAIN.COM
krb5_realm = DOMAIN.COM
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true

reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[autofs]" > /etc/sssd/sssd.conf

# sssd refuses to start unless its config is root-owned and mode 0600
chmod 600 /etc/sssd/sssd.conf

Then restart the services:
service smb restart; service winbind restart; service sssd restart;

Step 3: Test to see if all the config files are working
kinit username

Type in your password; if it returns with no output, it worked.
You can check this by typing

If you get an error, something is wrong in the config or your password is wrong.

Step 4: Configure PAM Modules, Join Domain
authconfig --update --enablesssd --enablesssdauth

service smb restart; service winbind restart; service sssd restart;

adcli join -U user -v

Verify that everything in the nsswitch file got updated. passwd, shadow and group should list files sss.
cat /etc/nsswitch.conf

Should look like this:
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

Step 5: Restart services, Print out AD Users, Print out AD Groups, Check ID for test User
service smb restart; service winbind restart; service sssd restart;
getent passwd

getent group

id username

Step 6: Test login
ssh username@

**** If getent doesn't show anything but id works, restart the services again and check again ****
service smb restart; service winbind restart; service sssd restart;
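As an added example (not part of the original post), a few shell checks for the files this procedure writes: sss present on the NSS databases, sssd.conf mode 0600, no repeated entries in the services line, and a [domain/NAME] section for every listed domain. The sample files are constructed inline; point the functions at the real paths after the join. It assumes a stat(1) that accepts -c.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# files the procedure above writes. Point them at the real paths after the
# join, or at the constructed samples below. Assumes stat(1) accepts -c.

# 0 if every database named has "sss" on its line in nsswitch.conf.
nsswitch_has_sss() {
    f=$1; shift
    for db in "$@"; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$f" || return 1
    done
}

# 0 if sssd.conf is mode 0600; sssd refuses to start on a world-readable config.
sssd_conf_mode_ok() {
    [ "$(stat -c %a "$1")" = 600 ]
}

# Prints tokens repeated in the "services =" line (the post's original line
# listed autofs twice); empty output means the line is clean.
sssd_duplicate_services() {
    sed -n 's/^[[:space:]]*services[[:space:]]*=//p' "$1" \
        | tr ', ' '\n\n' | sed '/^$/d' | sort | uniq -d
}

# 0 if each name in "domains =" has a matching [domain/NAME] section.
sssd_domain_sections_ok() {
    for d in $(sed -n 's/^[[:space:]]*domains[[:space:]]*=//p' "$1" | tr ',' ' '); do
        grep -Fqx "[domain/$d]" "$1" || return 1
    done
}

# Constructed samples: sss on the three databases SSSD serves, and an
# sssd.conf that keeps the duplicated autofs entry from the post.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'passwd: files sss\nshadow: files sss\ngroup: files sss\nhosts: files dns\n' \
    > "$SAMPLES/nsswitch.conf"
printf '[sssd]\nservices = nss, pam, autofs, ssh, autofs\ndomains = DOMAIN.COM\n\n[domain/DOMAIN.COM]\nid_provider = ad\n' \
    > "$SAMPLES/sssd.conf"
chmod 600 "$SAMPLES/sssd.conf"

nsswitch_has_sss "$SAMPLES/nsswitch.conf" passwd shadow group && echo "nsswitch: ok"
sssd_conf_mode_ok "$SAMPLES/sssd.conf" && echo "sssd.conf mode: ok"
echo "duplicated services: $(sssd_duplicate_services "$SAMPLES/sssd.conf")"
sssd_domain_sections_ok "$SAMPLES/sssd.conf" && echo "domain sections: ok"
```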

If you want to limit login based on groups, check out /etc/security/access.conf. The rules only take effect once pam_access is in the PAM stack (authconfig --enablepamaccess --update). Group names go in parentheses, and the whole text is single-quoted so the shell passes it through literally:
echo '+ : (group1) (group 2) jsmith root : ALL
- : ALL : ALL' >> /etc/security/access.conf

Sudo based on groups. Use a drop-in under /etc/sudoers.d (included by the stock sudoers) and let visudo check the syntax rather than appending to /etc/sudoers directly:
echo "%admin ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/admin
chmod 0440 /etc/sudoers.d/admin
visudo -cf /etc/sudoers.d/admin