Thursday, December 27, 2012

How to Configure SSSD

SSSD Overview 
The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.  
Offline Authentication 
  • One of the primary benefits of SSSD is offline authentication. This removes the need for users to keep a separate local machine account alongside their corporate account, a common workaround when the corporate directory is only reachable over a Virtual Private Network (VPN). 
  • SSSD can cache remote identities and authentication credentials. This means that you can still authenticate with these remote identities even when a machine is offline. In an SSSD system, you only need to manage one account. 

Server Load Reduction 
  • The use of SSSD also helps to reduce the load on identity servers. For example, with nss_ldap, every client application that needs user information opens its own connection to the LDAP server, and managing these many connections can put a heavy load on it. In an SSSD system, only the SSSD Data Provider process actually communicates with the LDAP server, reducing the load to one connection per client system.  
Support for Multiple Domains 
  • You can use SSSD to specify multiple domains of the same type. Compare this to an nsswitch.conf configuration, with which you can only request user information from a single server of any particular type (LDAP, NIS, etc.). With SSSD, you can create multiple domains of the same or of different identity-provider types. 
Installation & Configuration 
  1. Install the sssd RPM, e.g. sssd-1.5.1-37.el5 
# yum install -y sssd 
  2. Upgrade authconfig to a version that includes the CentOS 5 patch adding the sssd options (authconfig-5.3.21-7.el5): 
# yum update -y authconfig 
Disable nscd caching of passwd and group entries (if nscd keeps answering these lookups from its own cache it bypasses sssd's cache and offline logic; hosts caching can stay on) 

  1. Go to /etc/ 
  2. Make a copy, then edit nscd.conf so the cache settings read as below 
    • [root@localhost etc]# cp nscd.conf nscd.conf.orig 
    • [root@localhost etc]# vi nscd.conf 
    • enable-cache            passwd          no 
    • enable-cache            group           no 
    • enable-cache            hosts           yes 
  3. /etc/sssd.conf  (complete; the file must be owned by root with mode 0600 or sssd refuses to start) 
[sssd] 
config_file_version = 2 
reconnection_retries = 3 
debug_level = 5 
sbus_timeout = 30 
services = nss, pam 
# comma-separated list of domain names; each name needs its own [domain/NAME] section below 
domains = MYDOMAINS 

[nss] 
filter_groups = root 
filter_users = root 
reconnection_retries = 3 

[pam] 
offline_credentials_expiration = 3 
offline_failed_login_delay = 5 

# MyLocation domain configs 
[domain/MYDOMAIN] 
min_id = 500 
id_provider = ldap 
#auth_provider = krb5 
auth_provider = ldap 
description = LDAP domain with AD server 
cache_credentials = true 
entry_cache_timeout = 14400 
account_cache_expiration = 7 
enumerate = false 
# the next two are [pam] section options; inside a domain section they have no effect 
offline_credentials_expiration = 3 
offline_failed_login_attempts = 5 
lookup_family_order = ipv4_only 
dns_resolver_timeout = 3 
# Kerberos domain configs (only used when auth_provider = krb5) 
krb5_realm = MYDOMAIN.COM 
krb5_server = 
krb5_kpasswd = 
krb5_ccachedir = /tmp 
krb5_lifetime = 24h 
# LDAP domain configs 
# Set uri to your site AD list of <AD hostname>:<port> 
# Set search base to match your site domain 
# Set bind DN and user/passwd to match your site 
ldap_uri = ldap://, ldap://, ldap:// 
ldap_search_base = dc=mydomain,dc=com 
ldap_search_timeout = 3 
ldap_default_bind_dn = CN=svc_linuxldap,OU=Service Accounts,DC=mydomain,DC=com 
# the bind password is stored in clear text; keep the file root-only, or set 
# ldap_default_authtok_type = obfuscated_password with a value produced by sss_obfuscate 
ldap_default_authtok_type = password 
ldap_default_authtok = RfTA7H7X3oEpqudT 
ldap_pwd_policy = none 
# never = the AD server certificate is not validated; for production use 
# ldap_tls_reqcert = demand together with ldap_tls_cacert pointing at the AD CA certificate 
ldap_tls_reqcert = never 
# Map attributes to AD version/schema 
ldap_schema = rfc2307bis 
ldap_user_object_class = user 
ldap_group_object_class = group 
ldap_user_name = sAMAccountName 
ldap_user_fullname = sAMAccountName 
ldap_user_gecos = displayName 
ldap_user_uid_number = uidNumber 
ldap_user_gid_number = gidNumber 
ldap_user_home_directory = unixHomeDirectory 
ldap_user_shell = loginShell 
ldap_group_member = member 
# Access Control: only members of the UX_ADMINS group may log in 
access_provider = ldap 
ldap_access_filter = memberOf=CN=UX_ADMINS,OU=User Groups,DC=mydomain,DC=com 
<Domain2 domain config not shown> 
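The domain section above ships with several settings worth auditing before the box goes into production (certificate validation off, a clear-text bind password, plaintext LDAP URIs). The script below is an added example, not part of the original post: it reads an sssd.conf, reports those weaknesses, and builds two constructed sample files (hostnames dc1/dc2.mydomain.com and the password placeholders are made up) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sssd.conf for the weak
# settings visible in the configuration above. Option names are real sssd.conf
# keys; the two sample files written by write_samples are constructed.
# sssd_get <file> <key>: value of the first uncommented "key = value" line
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
# audit_sssd_conf <file>: print one finding per line, return the finding count
audit_sssd_conf() {
    f=$1; n=0
    # the file holds the bind password; sssd itself refuses to start unless it is root:root 0600
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "group/other can read $f"; n=$((n+1)); }
    case "$(sssd_get "$f" ldap_tls_reqcert)" in
        never|allow) echo "ldap_tls_reqcert accepts an untrusted server certificate"; n=$((n+1)) ;;
    esac
    # the service account's simple bind is protected only by ldaps:// URIs or by STARTTLS on lookups
    case "$(sssd_get "$f" ldap_uri)" in
        *ldap://*) [ "$(sssd_get "$f" ldap_id_use_start_tls)" = true ] ||
            { echo "bind password for identity lookups travels in cleartext"; n=$((n+1)); } ;;
    esac
    [ "$(sssd_get "$f" ldap_default_authtok_type)" = password ] && [ -n "$(sssd_get "$f" ldap_default_authtok)" ] &&
        { echo "ldap_default_authtok is stored in plaintext (see sss_obfuscate)"; n=$((n+1)); }
    [ "$(sssd_get "$f" cache_credentials)" = true ] && [ "$(sssd_get "$f" offline_credentials_expiration)" = 0 ] &&
        { echo "cached credentials never expire"; n=$((n+1)); }
    return $n
}
# write_samples <dir>: constructed inputs; weak.conf has the post's weak settings plus a never-expiring cache
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[domain/MYDOMAIN]
cache_credentials = true
offline_credentials_expiration = 0
ldap_uri = ldap://dc1.mydomain.com:3268, ldap://dc2.mydomain.com:3268
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-bind-password
ldap_tls_reqcert = never
EOF
    cat > "$1/hard.conf" <<'EOF'
[domain/MYDOMAIN]
cache_credentials = true
offline_credentials_expiration = 3
ldap_uri = ldaps://dc1.mydomain.com:3269, ldaps://dc2.mydomain.com:3269
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = placeholder-obfuscated-token
EOF
    chmod 644 "$1/weak.conf"; chmod 600 "$1/hard.conf"
}
```

Running `write_samples /tmp/sssd-audit; audit_sssd_conf /tmp/sssd-audit/weak.conf` prints the five findings the weak settings produce and exits with status 5; the hardened file yields none.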
  4. /etc/nsswitch.conf  (partial) 
passwd:     files sss 
shadow:     files sss 
group:      files sss 
  5. /etc/pam.d/system-auth (complete; the module column, lost from the published copy, is the one authconfig --enablesssd writes on CentOS 5) 
auth        required      pam_env.so 
auth        sufficient    pam_unix.so nullok try_first_pass 
auth        requisite     pam_succeed_if.so uid >= 500 quiet 
auth        sufficient    pam_sss.so use_first_pass 
auth        required      pam_deny.so 
account     required      pam_unix.so 
account     sufficient    pam_succeed_if.so uid < 500 quiet 
account     [default=bad success=ok user_unknown=ignore] pam_sss.so 
account     required      pam_permit.so 
password    requisite     pam_cracklib.so try_first_pass retry=3 
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_sss.so use_authtok 
password    required      pam_deny.so 
session     optional      pam_keyinit.so revoke 
session     required      pam_limits.so 
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/ 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so 

  6. Run authconfig to enable the sssd NSS and PAM integration and disable the providers not in use; --update rewrites the config files (including /etc/pam.d/system-auth, which should then match step 5) and --nostart keeps authconfig from starting or stopping services itself 
# authconfig --enablesssd --enablesssdauth --disablekrb5 --enablemkhomedir --enablecache --enablepreferdns --enableshadow --enablemd5 --disablenis --disableldap --disablesmartcard --disablewins --nostart --update 
  7. Start sssd 
# service sssd start 
Basic Functional Tests 
Basic user/group get info test 
# getent passwd tdub 
tdub:*:600742:32840:LastName, Todd:/:/bin/bash 
# getent group Group_Primary_? 
Basic authentication 
# ssh tdub@devbox 
Offline authentication test 
Perform a normal AD/LDAP login. Credentials should be cached. 
From this fully functional state, block outbound TCP port 3268 (the AD global catalog port) to every AD/LDAP server, one rule per server (destination addresses omitted here): 
# iptables -I OUTPUT -o eth0 -d -p tcp --dport 3268 -j DROP 
# iptables -I OUTPUT -o eth0 -d -p tcp --dport 3268 -j DROP 
# iptables -I OUTPUT -o eth0 -d -p tcp --dport 3268 -j DROP 
Perform login attempt: 
# ssh tdub@devbox-hpc01 
… after a few seconds, there should be a successful login, with a prepended prompt message similar to: 
Authenticated with cached credentials, your cached password will expire at: Fri Oct 28 15:53:59 2011. 
LDAP authentication server fail-over 
Block access out to all but one LDAP server and verify a successful, online authentication: 
(From the offline firewall scenario above, with all AD/LDAP servers blocked, enable a single server) 
# iptables -D OUTPUT -o eth0 -d -p tcp --dport 3268 -j DROP 
You should be able to log in through a live LDAP authentication exchange, without the cached-credentials message. 
Miscellaneous Info 
Data Cache Flush 
Cache location - You can delete the cache to force a fresh lookup from the server. Note that this also discards the cached credentials, so offline login will not work again until the next successful online login; stop sssd before removing the files and start it again afterwards. 
The sssd cache files are stored as .ldb files in: 
# ls /var/lib/sss/db/ 
cache_USHW.ldb  cache_MYDOMAIN.ldb  config.ldb  sssd.ldb