Authenticate RHEL manually to Active Directory with SSSD using AD backend

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • How do I authenticate RHEL to Active Directory using SSSD with the AD backend?
  • How do I configure single sign-on using Active Directory credentials in RHEL?
  • How do I create a keytab for SSSD to authenticate to Active Directory?

Resolution

  1. Install the required packages. The net command used for the join comes from samba-common on RHEL 6 and from samba-common-tools on RHEL 7:

     RHEL 6:

     # yum install ntp sssd samba-common krb5-workstation

     RHEL 7:

     # yum install chrony sssd samba-common-tools krb5-workstation
     

     (The traditional ntpd provided by the ntp package is available in both RHEL 6 and RHEL 7; in RHEL 7, chronyd provided by the chrony package is recommended. See the RHEL 7 System Administrator's Guide, Configuring NTP Using the chrony Suite, for a discussion of the differences. Whichever daemon is used, the clock must be within the Kerberos clock skew limit of the domain controllers, 5 minutes by default, or the join and every later ticket request will fail.)

  2. Configure /etc/krb5.conf to resemble the following:

        includedir /var/lib/sss/pubconf/krb5.include.d/
    
        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log
    
        [libdefaults]
         default_realm = 2008R2.EXAMPLE.COM
         dns_lookup_realm = true
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true
    
        [realms]
         2008R2.EXAMPLE.COM = {
         }
    
        [domain_realm]
         .2008r2.example.com = 2008R2.EXAMPLE.COM
         2008r2.example.com = 2008R2.EXAMPLE.COM
    
  3. Configure NTP to sync with AD:

    • RHEL 6 with ntpd:

      # echo server server1.2008r2.example.com iburst >>/etc/ntp.conf
      # chkconfig ntpd on
      # service ntpd stop
      # ntpd -qg
      # service ntpd start
      
    • RHEL 7 with chronyd:

      # echo server server1.2008r2.example.com iburst >>/etc/chrony.conf
      # systemctl enable chronyd
      # systemctl restart chronyd
      
  4. Configure /etc/samba/smb.conf to resemble the following:

    [global]
       workgroup = 2008R2
       client signing = yes
       client use spnego = yes
       kerberos method = secrets and keytab
       log file = /var/log/samba/%m.log
       realm = 2008R2.EXAMPLE.COM
       security = ads
    

    (Note that workgroup must be the domain's NetBIOS name, shown as the "pre-Windows 2000" domain name in Active Directory Users and Computers, not its DNS name; for 2008r2.example.com it is 2008R2.)

  5. Obtain a Kerberos ticket as an AD account that is allowed to join computers to the domain:

    # kinit Administrator
    

    (The account must have the right to join computers to the domain: by default a member of Domain Admins, or an account to which that right has been delegated. Confirm the ticket with klist before continuing; without a valid ticket the -k join in the next step fails.)

  6. Join the RHEL machine to Active Directory and generate a keytab. -k makes net use the ticket obtained in the previous step, and because smb.conf sets kerberos method = secrets and keytab, the machine account keys are written to /etc/krb5.keytab. That keytab is the host's credential and must stay readable by root only:

     # net ads join -k -S <AD Server Hostname>

     Example:

     # net ads join -k -S server1.2008r2.example.com
    
  7. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:

    # authconfig --savebackup
    # authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
    
  8. Create /etc/sssd/sssd.conf and set the correct permissions (SSSD refuses to start unless the file is owned by root with mode 0600):

    # echo >/etc/sssd/sssd.conf
    # chmod 600 /etc/sssd/sssd.conf
    
  9. Configure /etc/sssd/sssd.conf to resemble the following:

        [domain/2008r2.example.com]
        id_provider = ad
        access_provider = ad
        default_shell=/bin/bash
        fallback_homedir=/home/%u
        debug_level = 0
    
        [sssd]
        services = nss, pam
        config_file_version = 2
        domains = 2008r2.example.com
    
        [nss]
        
        [pam]
    
  10. Restart SSSD:

    # rpm -q systemd && systemctl restart sssd || service sssd restart
    
  11. Test authentication using an Active Directory user:

    $ ssh ad-user@localhost
    

Diagnostic Steps

  • SSSD's ID mapping works like Winbind's idmap_autorid: it derives locally cached UIDs and GIDs deterministically from the object's SID attribute, so every machine running SSSD with ID mapping and the same range settings arrives at the same UID and GID for a given user or group. If the ldap_idmap_range_min or ldap_idmap_range_size settings differ between hosts, the derived IDs differ too, so keep them identical across the fleet (or leave them at the defaults everywhere).

  • If your Active Directory environment stores POSIX attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) rather than only usernames and SIDs, add the following to the [domain] section of /etc/sssd/sssd.conf to disable ID mapping and use those attributes instead:

    ldap_id_mapping = false

  • You can also override the shell and home directory returned by AD by changing fallback_homedir and default_shell to override_homedir and override_shell. The 'fallback' and 'default' options are used only when AD returns no value for the attribute; the 'override' options replace whatever AD returns, unconditionally.

  • Whenever you make significant changes such as these to SSSD, or are unsure whether the local SSSD cache should be regenerated, run the following afterwards (on RHEL 7, service redirects to systemctl, so the same command works there):

    # service sssd stop ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; service sssd start

    Note that wiping /var/lib/sss/db also discards cached credentials, so offline logins will not work until each user has authenticated against AD again.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.