
SSSD

From Zentyal Linux Small Business Server
Revision as of 21:15, 10 March 2014 by UdoB (Talk | contribs)


System Security Services Daemon (SSSD)

This project provides a set of daemons that manage access to remote directories and authentication mechanisms. It offers an NSS and PAM interface towards the system and a pluggable backend system for connecting to multiple different account sources.

Client setup

  1. Install heimdal-clients
  2. Install sssd
  3. Write /etc/sssd/sssd.conf
  4. chmod 600 /etc/sssd/sssd.conf

Configure kerberos client

Edit /etc/krb5.conf

[libdefaults]
    default_realm = <% kerberos realm %>
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    preferred_enctypes   = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

Test (with kerberos realm = ZENTEST.LAN and user u1):

$ kinit u1 && klist
u1@ZENTEST.LAN's Password: 
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: u1@ZENTEST.LAN

  Issued                Expires               Principal
Mar 10 21:53:30 2014  Mar 11 07:53:26 2014  krbtgt/ZENTEST.LAN@ZENTEST.LAN

Template lightdm.conf

[SeatDefaults]
autologin-guest=false
autologin-user-timeout=0
autologin-session=lightdm-autologin
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true

Template sssd.conf

Pay special attention and replace entries referring to 'mydomain.lan' with your domain name. Replace 'zentyalhost' with the actual hostname of the Zentyal server.

Replace the value of the ldap_default_authtok key with the administrator password of your LDAP server (it can be found in /var/lib/zentyal/conf/ldap.passwd).

[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAIN.LAN
sbus_timeout = 30
 
[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
 
[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/MYDOMAIN.LAN]
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_uri = ldap://zentyalhost.mydomain.lan:390
ldap_search_base = dc=mydomain,dc=lan
cache_credentials = true
enumerate = true
krb5_server = zentyalhost.mydomain.lan:8880
krb5_realm = MYDOMAIN.LAN
ldap_default_authtok_type = password
# In the following line the read-only account "zentyalro" might be sufficient.
# If "zentyal" is required, then every client has root-level access to the server...
ldap_default_bind_dn = cn=zentyal,dc=mydomain,dc=lan
ldap_default_authtok = FfY/v5@XlUKGMDrEGzzJ
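
A small lint of the template above, added here as example code (it is not part of the wiki page or of Zentyal). It flags the three things worth checking before this file goes onto a client: a krb5_realm that does not match the domain section name, the full-privilege cn=zentyal bind account where cn=zentyalro may suffice, and a file mode wider than 600 on a file that carries the bind password. The embedded configuration is a constructed sample with a placeholder password.

```python
import configparser
import stat

# Constructed sample modelled on the template above: the realm does not match the
# domain section name and the full-privilege "zentyal" bind account is used.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAIN.LAN

[domain/MYDOMAIN.LAN]
auth_provider = krb5
ldap_uri = ldap://zentyalhost.mydomain.lan:390
krb5_server = zentyalhost.mydomain.lan:8880
krb5_realm = KERNEVIL.LAN
ldap_default_bind_dn = cn=zentyal,dc=mydomain,dc=lan
ldap_default_authtok = placeholder-password
"""

# "zentyal" is the full-admin account; "zentyalro" is the read-only one.
PRIVILEGED_BIND_DN_PREFIX = "cn=zentyal,"


def lint_sssd_conf(text: str, mode: int) -> list[str]:
    """Return findings for an sssd.conf body plus the file's st_mode bits."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    # The file holds the bind password, so only root may read it (chmod 600).
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append(f"file mode {perm:o} is wider than 0600")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        realm = cp.get(section, "krb5_realm", fallback=None)
        if realm and realm.upper() != name.upper():
            findings.append(f"{section}: krb5_realm {realm} does not match the domain name")
        bind_dn = cp.get(section, "ldap_default_bind_dn", fallback="")
        if bind_dn.lower().startswith(PRIVILEGED_BIND_DN_PREFIX):
            findings.append(f"{section}: bind DN {bind_dn} is the full-privilege account;"
                            " prefer cn=zentyalro (read-only)")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF, 0o644):
        print("WARN:", finding)
```

To check a real file, pass `open("/etc/sssd/sssd.conf").read()` and `os.stat("/etc/sssd/sssd.conf").st_mode` to `lint_sssd_conf`.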

Restart sssd:

# service sssd restart 

Verify if it is actually running:

# ps x | grep [s]ss
574 ?        Ss     0:00 sssd -D -f
576 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain ZENTEST.LAN --debug-to-files
577 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --debug-to-files
578 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --debug-to-files

Test for a domain user "u1":

$ id u1
uid=3000040(u1) gid=1901(__USERS__) groups=1901(__USERS__),3000043(testgroup),3000009(Users)

Mount $HOME with pam_mount

# apt-get install libpam-mount
# apt-get install cifs-utils  # brings us the required mount.cifs

Edit /etc/security/pam_mount.conf.xml and add one line as a "Volume definition"; replace 192.0.2.1 with your server's IP address:

<volume user="*" fstype="cifs" server="192.0.2.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

Test:

$ ssh u1@client pwd
u1@client's password: 
/home/u1
