The relatively new (in Debian) sss subsystem can be used for authentication and caching below nsswitch. This section assumes you've already configured Kerberos, as done in .
Install sssd
apprentice@clnt-3-53:~$ sudo apt-get install -y sssd
Configure sssd
From examples at a fedorahosted sssd FAQ entry on AD and the fedoraproject sssd manual, I came up with this /etc/sssd/sssd.conf (be sure to chmod it to 600, since it holds a bind password in the clear):

[sssd]
config_file_version = 2
domains = wspace.mydomain.com
services = nss, pam

[nss]

[pam]

[domain/wspace.mydomain.com]
description = LDAP domain with AD server
debug_level = 9
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if service discovery is not working
ldap_uri = ldap://wspace.mydomain.com/

# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI

# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = CLIENT$@REALM

# Define these only if anonymous binds are not allowed and no keytab is available
ldap_default_bind_dn = CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = ENUMpass

ldap_schema = rfc2307bis
ldap_search_base = dc=wspace,dc=mydomain,dc=com

# It looks like the ?sub?search notation is also accepted: http://sgallagh.wordpress.com/2011/12/22/sssd-tips-and-tricks-vol-2-ldap/
#ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com?sub?uid=*
ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=workgroups,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_pwd_policy = none

#krb5_server = wspace.mydomain.com
krb5_realm = WSPACE.MYDOMAIN.NL

# Don't forget the trailing newline, or sssd will not start!
Note: since by this point we have already got Kerberos working, we could also use GSSAPI authentication instead of the cleartext bind password:

# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
ldap_sasl_mech = GSSAPI

# Uncomment and adjust if the default principal host/fqdn@REALM is not available
ldap_sasl_authid = ENUMuser@TSPACE.MYDOMAIN.NL
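As an added sanity check (my own example, not code from this page or from the sssd project), a small Python linter that reads an sssd.conf in the shape above and reports the pitfalls this section runs into: a file readable by group or other while it holds a bind password, the missing trailing newline, a cleartext ldap_default_authtok where GSSAPI with a keytab would do, a simple bind over plain ldap:// without STARTTLS (the ldap_id_use_start_tls option from sssd-ldap(5)), and debug_level left at 9. The sample config is constructed with example.com names rather than the page's domain.

```python
"""Lint an sssd.conf for the pitfalls discussed in this section."""
import configparser
import stat

# Constructed sample in the shape of the page's config: simple bind with a
# cleartext password over plain ldap://, debug_level 9 and no trailing newline.
SAMPLE_CONF = """[sssd]
config_file_version = 2
domains = wspace.example.com
services = nss, pam

[domain/wspace.example.com]
debug_level = 9
cache_credentials = true
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://wspace.example.com/
ldap_default_bind_dn = CN=ListAccount,OU=Users,DC=wspace,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = ENUMpass
krb5_realm = WSPACE.EXAMPLE.COM"""


def lint_sssd_conf(text, mode=0o600):
    """Return a list of findings; mode is the file's st_mode permission bits."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file: readable by group/other although it holds a bind password; chmod 600")
    if not text.endswith("\n"):
        findings.append("file: no trailing newline; sssd will not start")
    # sssd.conf is INI-like; keep '=' as the only delimiter so DNs and URIs parse intact
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    for dom in cp.get("sssd", "domains", fallback="").split(","):
        sec = "domain/" + dom.strip()
        if not cp.has_section(sec):
            findings.append(sec + ": listed in [sssd] domains but not defined")
            continue
        d = cp[sec]
        gssapi = d.get("ldap_sasl_mech", "").upper() == "GSSAPI"
        if d.get("ldap_default_authtok") and not gssapi:
            findings.append(sec + ": cleartext ldap_default_authtok; prefer ldap_sasl_mech = GSSAPI with a keytab")
        if (d.get("ldap_uri", "").startswith("ldap://") and not gssapi
                and d.get("ldap_id_use_start_tls", "false").lower() != "true"):
            findings.append(sec + ": simple bind over ldap:// without STARTTLS sends the password in the clear")
        if d.get("debug_level", "0").isdigit() and int(d["debug_level"]) >= 8:
            findings.append(sec + ": debug_level " + d["debug_level"] + " is very verbose; lower it once things work")
    return findings
```

For a real file, read its text and pass os.stat(path).st_mode as mode.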
Configure libnss
Edit /etc/nsswitch.conf:

passwd:         compat sss
group:          compat sss
shadow:         compat sss
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis sss
Trying it out
apprentice@clnt-3-53:~$ sudo /etc/init.d/sssd restart
<snip>sssd start/running, process 3732
apprentice@clnt-3-53:~$ getent passwd U1234567
U1234567:*:41234567:41234567:A. Prentice:/home/U1234567:/bin/sh
Prevent non-existent homedirs
Edit /etc/pam.d/common-session:

<snip>
# end of pam-auth-update config
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
Logging in
apprentice@remotehost:~$ ssh U1234567@192.168.3.53
U1234567@192.168.3.53's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)
<snip>
$ id
uid=41234567(U1234567) gid=41234567 groups=41234567
It works! And it's caching, too.
1. When I enable sssd-based UID lookup, passwd suddenly fails for local users.
This might be due to a bug.
You can add auth [success=2 default=ignore] pam_sss.so forward_pass
You should also make