How to Configure SSSD

SSSD Overview 

  

The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.  

  

Offline Authentication 

• One of the primary benefits of SSSD is offline authentication. This solves the case of users having a separate corporate account and a local machine account because of the common requirement to implement a Virtual Private Network (VPN). 
• SSSD can cache remote identities and authentication credentials. This means that you can still authenticate with these remote identities even when a machine is offline. In an SSSD system, you only need to manage one account. 

Server Load Reduction 

• The use of SSSD also helps to reduce the load on identification servers. For example, using nss_ldap, every client application that needs to request user information opens its own connection to the LDAP server. Managing these multiple connections can lead to a heavy load on the LDAP server. In an SSSD system, only the SSSD Data Provider process actually communicates with the LDAP server, reducing the load to one connection per client system.  

Support for Multiple Domains 

• You can use SSSD to specify multiple domains of the same type. Compare this to an nsswitch.conf file configuration, with which you can only request user information from a single server of any particular type (LDAP, NIS, etc.). With SSSD, you can create multiple domains of the same, or of different types of identity provider. 

  

Pasted from <http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-SSSD_User_Guide-Introduction-SSSD_Features.html>  

  

  

Installation & Configuration 

  

1. Install sssd RPM. e.g. sssd-1.5.1-37.el5 

# yum install -y sssd 

  

2. Upgrade authconfig to a version which includes the patch (centos 5) that includes the sssd options: 

# yum update -y authconfig RPM - 5.3.21-7.el5 

  

Configurations 

Unconfigure nscd from passwd/group caching 

1. Go to /etc/ 
2. Make copy then edit to match below 
   • [root@localhost etc]# cp nscd.conf nscd.conf.orig 
   • [root@localhost etc]# vi nscd.conf 
     

   • enable-cache            passwd          no 
   • enable-cache            group           no 
   • enable-cache            hosts           yes 

  

1. /etc/sssd.conf  (complete) 

  

[sssd] 

config_file_version = 2 

reconnection_retries = 3 

debug_level = 5 

sbus_timeout = 30 

services = nss, pam 

domains = MYDOMAINS 

  

[nss] 

filter_groups = root 

filter_users = root 

reconnection_retries = 3 

  

[pam] 

offline_credentials_expiration = 3 

offline_failed_login_delay = 5 

  

[domain/MYDOMAIN] 

# MyLocation domain configs 

min_id = 500 

id_provider = ldap 

#auth_provider = krb5 

auth_provider = ldap 

description = LDAP domain with AD server 

cache_credentials = true 

entry_cache_timeout = 14400 

account_cache_expiration = 7 

enumerate = false 

offline_credentials_expiration = 3 

offline_failed_login_attempts = 5 

lookup_family_order = ipv4_only 

dns_resolver_timeout = 3 

  

# Kerberos domain configs 

krb5_realm = MYDOMAIN.COM 

krb5_server = 192.168.1.5:88 

krb5_kpasswd = 192.168.1.5:749 

krb5_ccachedir = /tmp 

krb5_lifetime = 24h 

  

# LDAP domain configs 

# Set uri to your site AD list of <AD hostname>:<port> 

# Set search base to match your site domain 

# Set bind DN and user/passwd to match your site 

ldap_uri = ldap://192.168.1.5:3268, ldap://10.10.1.10:3268, ldap://10.20.16.10:3268 

ldap_search_base = dc=mydomain,dc=com 

ldap_search_timeout = 3 

ldap_default_bind_dn = CN=svc_linuxldap,OU=Service Accounts,DC=mydomain,DC=com 

ldap_default_authtok_type = password 

ldap_default_authtok = RfTA7H7X3oEpqudT 

ldap_pwd_policy = none 

ldap_tls_reqcert = never 

  

# Map attributes to AD version/schema 

ldap_schema = rfc2307bis 

ldap_user_object_class = user 

ldap_group_object_class = group 

ldap_user_name = sAMAccountName 

ldap_user_fullname = sAMAccountName 

ldap_user_gecos = displayName 

ldap_user_uid_number = uidNumber 

ldap_user_gid_number = gidNumber 

ldap_user_home_directory = unixHomeDirectory 

ldap_user_shell = loginShell 

ldap_group_member = member 

  

# Access Control 

access_provider = ldap 

ldap_access_filter = memberOf=CN=UX_ADMINS,OU=User Groups,DC=mydomain,DC=com 

  

<Domain2 domain config not shown> 

  

2. /etc/nsswitch.conf  (partial) 

  

passwd:     files sss 

shadow:     files sss 

group:      files sss 

  

3. /etc/pam.d/system-auth (complete) 

  

auth        required      pam_env.so 

auth        sufficient    pam_unix.so nullok try_first_pass 

auth        requisite     pam_succeed_if.so uid >= 500 quiet 

auth        sufficient    pam_sss.so use_first_pass 

auth        required      pam_deny.so 

  

account     required      pam_unix.so 

account     sufficient    pam_succeed_if.so uid < 500 quiet 

account     [default=bad success=ok user_unknown=ignore] pam_sss.so 

account     required      pam_permit.so 

  

password    requisite     pam_cracklib.so try_first_pass retry=3 

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok 

password    sufficient    pam_sss.so use_authtok 

password    required      pam_deny.so 

  

session     optional      pam_keyinit.so revoke 

session     required      pam_limits.so 

session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/ 

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 

session     required      pam_unix.so 

  

4. Run the authconfig command to enable/disable/start all authorization elements 

  

# authconfig --enablesssd --enablesssdauth --disablekrb5 --enablemkhomedir --enablecache --enablepreferdns --enableshadow --enablemd5 --disablenis --disableldap --disablesmartcard --disablewins --enablemkhomedir --nostart --update 

  

5. Start sssd 

# service sssd start 

  

Tests 

Basic Functional Tests 

  

Basic user/group get info test 

# getent passwd tdub 

tdub:*:600742:32840:LastName, Todd:/:/bin/bash 

  

# getent group Group_Primary_? 

Group_Primary_?:*:504:id  

  

Basic authentication 

# ssh tdub@devbox 

  

Offline authentication test 

  

Perform a normal AD/LDAP login. Credentials should be cached. 

From this fully functional state, block the port, outbound to all AD/LDAP servers: 

  

# iptables -I OUTPUT -o eth0 -d 10.10.1.10 -p tcp --dport 3268 -j DROP 

# iptables -I OUTPUT -o eth0 -d 10.20.16.10 -p tcp --dport 3268 -j DROP 

# iptables -I OUTPUT -o eth0 -d 192.168.1.5 -p tcp --dport 3268 -j DROP 

  

Perform login attempt: 

# ssh tdub@devbox-hpc01 

  

… after a few seconds, there should be a successful login, with a prepended prompt message similar to: 

  

Authenticated with cached credentials, your cached password will expire at: Fri Oct 28 15:53:59 2011. 

  

LDAP authentication server fail-over 

  

Block access out to all but one LDAP server and verify a successful, online authentication: 

  

(From the offline firewall scenario above, with all AD/LDAP servers blocked, enable a single server) 

# iptables -D OUTPUT -o eth0 -d 192.168.1.5 -p tcp --dport 3268 -j DROP 

  

You should be able to login with a live, LDAP authentication exchange. 

  

  

Miscellaneous Info 

  

Data Cache Flush 

Cache location - You can delete the cache to force a lookup. 

  

The sssd cache files are stored as .db files in: 

 /var/lib/sss/db/ 

  

# ls /var/lib/sss/db/ 

cache_USHW.ldb  cache_MYDOMAIN.ldb  config.ldb  sssd.ldb