Thursday, December 27, 2012

How to Configure SSSD


SSSD Overview 
 
The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.  
 
Offline Authentication 
  • One of the primary benefits of SSSD is offline authentication. It removes the usual reason for giving users a local machine account alongside their corporate account: the machine still has to be usable when it cannot reach the directory, for example before a Virtual Private Network (VPN) connection is up. 
  • SSSD can cache remote identities and authentication credentials. This means that you can still authenticate with these remote identities even when a machine is offline. In an SSSD system, you only need to manage one account. 

Server Load Reduction 
  • The use of SSSD also helps to reduce the load on identification servers. For example, using nss_ldap, every client application that needs to request user information opens its own connection to the LDAP server. Managing these multiple connections can lead to a heavy load on the LDAP server. In an SSSD system, only the SSSD Data Provider process actually communicates with the LDAP server, reducing the load to one connection per client system.  
Support for Multiple Domains 
  • You can use SSSD to specify multiple domains of the same type. Compare this to an nsswitch.conf configuration, which can only request user information from a single server of any particular type (LDAP, NIS, etc.). With SSSD, you can create multiple domains of the same or of different identity provider types. 
 
 
 
Installation & Configuration 
 
  1. Install the sssd RPM (e.g. sssd-1.5.1-37.el5): 
# yum install -y sssd 
 
  2. Upgrade authconfig to a version that carries the CentOS 5 patch adding the sssd options (authconfig-5.3.21-7.el5): 
# yum update -y authconfig 
 
Configurations 
Unconfigure nscd from passwd/group caching 

  1. Go to /etc/ 
  2. Make a copy, then edit nscd.conf so that the passwd and group caches are off (sssd keeps its own cache; a second cache in front of it serves stale entries and hides sssd's offline behaviour). Host caching can stay on: 
    [root@localhost etc]# cp nscd.conf nscd.conf.orig 
    [root@localhost etc]# vi nscd.conf 
     
    enable-cache            passwd          no 
    enable-cache            group           no 
    enable-cache            hosts           yes 
 
  1. /etc/sssd/sssd.conf  (complete) 
 
[sssd] 
config_file_version = 2 
reconnection_retries = 3 
debug_level = 5 
sbus_timeout = 30 
services = nss, pam 
# one entry per [domain/NAME] section; the second domain (USHW, its section is
# not shown below) is the one whose cache file appears in the listing at the end
domains = MYDOMAIN, USHW 
 
[nss] 
filter_groups = root 
filter_users = root 
reconnection_retries = 3 
 
[pam] 
offline_credentials_expiration = 3 
offline_failed_login_delay = 5 
 
[domain/MYDOMAIN] 
# MyLocation domain configs 
min_id = 500 
id_provider = ldap 
#auth_provider = krb5 
auth_provider = ldap 
description = LDAP domain with AD server 
cache_credentials = true 
entry_cache_timeout = 14400 
account_cache_expiration = 7 
enumerate = false 
# offline_credentials_expiration and offline_failed_login_attempts are [pam]
# section options; sssd ignores them inside a domain section (see [pam] above)
#offline_credentials_expiration = 3 
#offline_failed_login_attempts = 5 
lookup_family_order = ipv4_only 
dns_resolver_timeout = 3 
 
# Kerberos domain configs 
krb5_realm = MYDOMAIN.COM 
krb5_server = 192.168.1.5:88 
krb5_kpasswd = 192.168.1.5:749 
krb5_ccachedir = /tmp 
krb5_lifetime = 24h 
 
# LDAP domain configs 
# Set uri to your site AD list of <AD hostname>:<port> 
# Set search base to match your site domain 
# Set bind DN and user/passwd to match your site 
ldap_uri = ldap://192.168.1.5:3268, ldap://10.10.1.10:3268, ldap://10.20.16.10:3268 
ldap_search_base = dc=mydomain,dc=com 
ldap_search_timeout = 3 
ldap_default_bind_dn = CN=svc_linuxldap,OU=Service Accounts,DC=mydomain,DC=com 
ldap_default_authtok_type = password 
# plaintext bind password: sssd checks at startup that this file is owned by
# root with mode 0600, so keep it that way
ldap_default_authtok = RfTA7H7X3oEpqudT 
ldap_pwd_policy = none 
# never = accept any server certificate on the STARTTLS channel sssd uses for
# password authentication, so a spoofed server can capture logins; for
# production point ldap_tls_cacert at the AD CA bundle and use
# ldap_tls_reqcert = demand
ldap_tls_reqcert = never 
 
# Map attributes to AD version/schema 
ldap_schema = rfc2307bis 
ldap_user_object_class = user 
ldap_group_object_class = group 
ldap_user_name = sAMAccountName 
ldap_user_fullname = sAMAccountName 
ldap_user_gecos = displayName 
ldap_user_uid_number = uidNumber 
ldap_user_gid_number = gidNumber 
ldap_user_home_directory = unixHomeDirectory 
ldap_user_shell = loginShell 
ldap_group_member = member 
 
# Access Control 
access_provider = ldap 
ldap_access_filter = memberOf=CN=UX_ADMINS,OU=User Groups,DC=mydomain,DC=com 
 
<Domain2 domain config not shown> 
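Before starting sssd it is worth checking the file for the mistakes the configuration above is prone to. The script below is an added example, not from the original post; the function names (check_sssd_conf_content, check_sssd_conf_perms, demo_check_sssd_conf) are my own. It parses an sssd.conf and reports names in domains = that have no matching [domain/NAME] section (and the reverse), offline_* options placed in a domain section instead of [pam], ldap_tls_reqcert = never, and a plaintext ldap_default_authtok; a second function checks the root:root 0600 ownership that sssd requires.

```shell
#!/bin/sh
# check_sssd_conf.sh - sanity checks for an sssd.conf (added example, not
# from the original post).
#
# check_sssd_conf_content FILE
#   prints one finding per line and returns the number of findings

check_sssd_conf_content() {
    awk '
    /^[ \t]*$/    { next }                          # blank line
    /^[ \t]*[#;]/ { next }                          # comment
    /^[ \t]*\[/ {                                   # [section] header
        section = $0
        gsub(/^[ \t]*\[|\][ \t\r]*$/, "", section)
        in_domain = 0
        if (section ~ /^domain\//) {
            sub(/^domain\//, "", section)
            defined[section] = 1
            in_domain = 1
        }
        next
    }
    {
        line = $0
        sub(/[ \t\r]+$/, "", line)
        eq = index(line, "=")                       # first "=" splits key/value
        if (eq == 0) next
        key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr(line, eq + 1);    sub(/^[ \t]+/, "", val)
        if (section == "sssd" && key == "domains") {
            n = split(val, names, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) listed[names[i]] = 1
        }
        if (in_domain && key ~ /^offline_/) {
            print "WARN: [domain/" section "] " key " is a [pam] option; ignored here"; f++
        }
        if (in_domain && key == "ldap_tls_reqcert" && val == "never") {
            print "WARN: [domain/" section "] ldap_tls_reqcert = never disables certificate validation"; f++
        }
        if (in_domain && key == "ldap_default_authtok") {
            print "INFO: [domain/" section "] bind password stored in plaintext; keep the file root:root 0600"; f++
        }
    }
    END {
        for (name in listed)  if (!(name in defined)) { print "ERROR: domains lists " name " but no [domain/" name "] section exists"; f++ }
        for (name in defined) if (!(name in listed))  { print "WARN: [domain/" name "] exists but is not listed in domains ="; f++ }
        exit f + 0
    }' "$1"
}

# check_sssd_conf_perms FILE -> 0 if root-owned and mode 0600, 1 otherwise
check_sssd_conf_perms() {
    info=$(stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null) || return 1
    [ "$info" = "600 root" ]
}

# demo_check_sssd_conf: runs the content check over a constructed, cut-down
# copy of the post's configuration written to a temporary file
demo_check_sssd_conf() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAINS

[pam]
offline_credentials_expiration = 3

[domain/MYDOMAIN]
id_provider = ldap
auth_provider = ldap
offline_credentials_expiration = 3
offline_failed_login_attempts = 5
ldap_uri = ldap://192.168.1.5:3268
ldap_default_bind_dn = CN=svc_linuxldap,OU=Service Accounts,DC=mydomain,DC=com
ldap_default_authtok = RfTA7H7X3oEpqudT
ldap_tls_reqcert = never
EOF
    check_sssd_conf_content "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo_check_sssd_conf; fi
```

Run it as `sh check_sssd_conf.sh --demo` to see the six findings the post's own file produces (the MYDOMAINS typo, the two misplaced offline_* options, the bind password and the never setting); against the live file use `check_sssd_conf_content /etc/sssd/sssd.conf && check_sssd_conf_perms /etc/sssd/sssd.conf` and start sssd only when both return 0.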
 
  2. /etc/nsswitch.conf  (partial) 
 
passwd:     files sss 
shadow:     files sss 
group:      files sss 
 
  3. /etc/pam.d/system-auth (complete) 
 
auth        required      pam_env.so 
auth        sufficient    pam_unix.so nullok try_first_pass 
auth        requisite     pam_succeed_if.so uid >= 500 quiet 
auth        sufficient    pam_sss.so use_first_pass 
auth        required      pam_deny.so 
 
account     required      pam_unix.so 
account     sufficient    pam_succeed_if.so uid < 500 quiet 
account     [default=bad success=ok user_unknown=ignore] pam_sss.so 
account     required      pam_permit.so 
 
password    requisite     pam_cracklib.so try_first_pass retry=3 
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_sss.so use_authtok 
password    required      pam_deny.so 
 
session     optional      pam_keyinit.so revoke 
session     required      pam_limits.so 
session     optional      pam_mkhomedir.so umask=0022 skel=/etc/skel/ 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so 

 
  4. Run the authconfig command to enable/disable all authentication elements and write the configuration (--nostart leaves the services for you to start by hand). authconfig --update regenerates /etc/pam.d/system-auth-ac and /etc/nsswitch.conf, so check afterwards that they still match the nsswitch.conf and system-auth files shown above. 
 
# authconfig --enablesssd --enablesssdauth --disablekrb5 --enablemkhomedir --enablecache --enablepreferdns --enableshadow --enablemd5 --disablenis --disableldap --disablesmartcard --disablewins --nostart --update 
 
  5. Start sssd 
# service sssd start 
 
Tests 
Basic Functional Tests 
 
Basic user/group get info test 
# getent passwd tdub 
tdub:*:600742:32840:LastName, Todd:/:/bin/bash 
  
# getent group Group_Primary_? 
Group_Primary_?:*:504:id  
 
Basic authentication 
# ssh tdub@devbox 
 
Offline authentication test 
 
Perform a normal AD/LDAP login so that the credentials get cached. 
From this fully functional state, block outbound access to the LDAP (global catalog) port on every AD/LDAP server: 
 
# iptables -I OUTPUT -o eth0 -d 10.10.1.10 -p tcp --dport 3268 -j DROP 
# iptables -I OUTPUT -o eth0 -d 10.20.16.10 -p tcp --dport 3268 -j DROP 
# iptables -I OUTPUT -o eth0 -d 192.168.1.5 -p tcp --dport 3268 -j DROP 
 
Perform login attempt: 
# ssh tdub@devbox-hpc01 
 
… after a few seconds, there should be a successful login, with a prepended prompt message similar to: 
 
Authenticated with cached credentials, your cached password will expire at: Fri Oct 28 15:53:59 2011. 
 
LDAP authentication server fail-over 
 
Block access out to all but one LDAP server and verify a successful, online authentication: 
 
(From the offline firewall scenario above, with all AD/LDAP servers blocked, enable a single server) 
# iptables -D OUTPUT -o eth0 -d 192.168.1.5 -p tcp --dport 3268 -j DROP 
 
You should be able to login with a live, LDAP authentication exchange. 
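The offline and fail-over tests above only prove anything if every server in ldap_uri is blocked, and the hand-written rules go stale as soon as the list changes. The script below is an added example, not from the original post; the function names (ldap_uri_hosts, ldap_block_rules, demo_ldap_block_rules) are my own. It reads the ldap_uri line out of sssd.conf, resolves each URI to a host and port (explicit :port, otherwise 636 for ldaps:// and 389 for ldap://), and prints the iptables commands in the same form the post uses, so the whole block or unblock set can be piped to sh.

```shell
#!/bin/sh
# ldap_block_rules.sh - derive the fail-over test's iptables rules from the
# ldap_uri line of sssd.conf (added example, not from the original post).
#
# ldap_uri_hosts            < sssd.conf -> one "host port" line per URI
# ldap_block_rules IFACE -I < sssd.conf -> iptables commands that block them
# ldap_block_rules IFACE -D < sssd.conf -> the matching unblock commands

ldap_uri_hosts() {
    awk '
    /^[ \t]*ldap_uri[ \t]*=/ {
        sub(/^[ \t]*ldap_uri[ \t]*=[ \t]*/, "")       # keep only the value
        n = split($0, uris, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            u = uris[i]
            gsub(/^[ \t]+|[ \t\r]+$/, "", u)
            if (u == "") continue
            port = (u ~ /^ldaps:/) ? 636 : 389        # scheme default ports
            sub(/^ldaps?:\/\//, "", u)
            sub(/\/.*$/, "", u)                       # drop any trailing path
            if (match(u, /:[0-9]+$/)) {               # explicit :port wins
                port = substr(u, RSTART + 1)
                u = substr(u, 1, RSTART - 1)
            }
            print u, port
        }
    }'
}

# ldap_block_rules IFACE ACTION   (ACTION is -I to block, -D to unblock)
ldap_block_rules() {
    ldap_uri_hosts | while read -r host port; do
        printf 'iptables %s OUTPUT -o %s -d %s -p tcp --dport %s -j DROP\n' \
            "$2" "$1" "$host" "$port"
    done
}

# The post's own ldap_uri line, embedded so the demo runs without reading
# /etc/sssd/sssd.conf
SAMPLE_LDAP_URI='ldap_uri = ldap://192.168.1.5:3268, ldap://10.10.1.10:3268, ldap://10.20.16.10:3268'

demo_ldap_block_rules() {
    printf '%s\n' "$SAMPLE_LDAP_URI" | ldap_block_rules eth0 -I
}

if [ "${1:-}" = "--demo" ]; then demo_ldap_block_rules; fi
```

To run the offline test, `ldap_block_rules eth0 -I < /etc/sssd/sssd.conf | sh` blocks every configured server; for the fail-over test, pick one line from `ldap_block_rules eth0 -D < /etc/sssd/sssd.conf` and run only that, which is exactly the single-server unblock the post performs by hand; the full -D set restores normal operation.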
 
 
Miscellaneous Info 
 
Data Cache Flush 
Cache location: you can delete the cache to force a fresh lookup. Stop sssd first (service sssd stop), remove the files, then start it again. Note that the cached credentials go with the cache, so the offline login tested above will not work again until the next successful online login. 
 
The sssd cache files are stored as .ldb files in: 
 /var/lib/sss/db/ 
 
# ls /var/lib/sss/db/ 
cache_USHW.ldb  cache_MYDOMAIN.ldb  config.ldb  sssd.ldb
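A flush done by hand tends to go wrong in two ways: the files are removed while sssd still has them open, or config.ldb gets deleted along with the caches. The function below is an added example, not from the original post, and its name (flush_sssd_cache) is my own. It refuses to run while an sssd process exists, moves only the per-domain cache_*.ldb files into a backup directory instead of deleting them, leaves config.ldb and sssd.ldb untouched, and reports how many files it moved.

```shell
#!/bin/sh
# flush_sssd_cache.sh - flush the per-domain sssd caches safely (added
# example, not from the original post).
#
# flush_sssd_cache [DBDIR] [BACKUPDIR] -> prints the number of files moved
flush_sssd_cache() {
    dbdir="${1:-/var/lib/sss/db}"
    backup="${2:-$dbdir.flushed.$(date +%Y%m%d%H%M%S)}"

    # sssd keeps the ldb files open; moving them under a running daemon leaves
    # it writing into the old inodes, so insist on a stopped service
    if command -v pgrep >/dev/null 2>&1 && pgrep -x sssd >/dev/null 2>&1; then
        echo "sssd is running: run 'service sssd stop' before flushing the cache" >&2
        return 1
    fi
    [ -d "$dbdir" ] || { echo "no such cache directory: $dbdir" >&2; return 1; }

    mkdir -p "$backup" || return 1
    moved=0
    # only the per-domain caches (cache_MYDOMAIN.ldb, cache_USHW.ldb, ...);
    # config.ldb and sssd.ldb stay in place
    for f in "$dbdir"/cache_*.ldb; do
        [ -e "$f" ] || continue              # the glob matched nothing
        mv "$f" "$backup"/ || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

The sequence on a real system is `service sssd stop; flush_sssd_cache; service sssd start`; the next `getent passwd tdub` then comes from a live LDAP query, and a normal online login has to happen before the offline test above will pass again.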