SSSD
System Security Services Daemon (SSSD)
This project provides a set of daemons that manage access to remote directories and authentication mechanisms. It offers an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.
Client setup
- Install heimdal-clients
- Install sssd
- Write /etc/sssd/sssd.conf
- chmod 600 /etc/sssd/sssd.conf
Configure kerberos client
Edit /etc/krb5.conf
[libdefaults]
    default_realm = <% kerberos realm %>
    dns_lookup_kdc = true
    dns_lookup_realm = true
    # arcfour-hmac-md5 and the des-* types are deprecated (RFC 6649, RFC 8429);
    # keep them only if the KDC offers nothing stronger
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    preferred_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
Test (with kerberos realm = ZENTEST.LAN and user u1):
$ kinit u1 && klist
u1@ZENTEST.LAN's Password:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: u1@ZENTEST.LAN

  Issued                Expires               Principal
Mar 10 21:53:30 2014  Mar 11 07:53:26 2014  krbtgt/ZENTEST.LAN@ZENTEST.LAN
Template lightdm.conf
[SeatDefaults]
autologin-guest=false
autologin-user-timeout=0
autologin-session=lightdm-autologin
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true
Template sssd.conf
Pay special attention to the entries referring to 'mydomain.lan' and replace them with your domain name. Replace 'zentyalhost' with the actual hostname of the Zentyal server.
Set the ldap_default_authtok config key to the administrator password of your LDAP server (this can be found in /var/lib/zentyal/conf/ldap.passwd).
[sssd]
config_file_version = 2
services = nss, pam
domains = MYDOMAIN.LAN
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/MYDOMAIN.LAN]
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_uri = ldap://zentyalhost.mydomain.lan:390
ldap_search_base = dc=mydomain,dc=lan
cache_credentials = true
enumerate = true
krb5_server = zentyalhost.mydomain.lan:8880
# the realm must match the domain you configured above (the original template still carried another site's realm here)
krb5_realm = MYDOMAIN.LAN
ldap_default_authtok_type = password
# in the following line "zentyalro" (= the read-only account) might be sufficient.
# if "zentyal" is required then every client has root access power to the server...
ldap_default_bind_dn = cn=zentyal,dc=mydomain,dc=lan
ldap_default_authtok = FfY/v5@XlUKGMDrEGzzJ
Restart sssd:
# service sssd restart
Verify if it is actually running:
# ps x | grep [s]ss
  574 ?        Ss     0:00 sssd -D -f
  576 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain ZENTEST.LAN --debug-to-files
  577 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --debug-to-files
  578 ?        S      0:00 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --debug-to-files
Test for a domainuser "u1":
$ id u1
uid=3000040(u1) gid=1901(__USERS__) groups=1901(__USERS__),3000043(testgroup),3000009(Users)
Mount $HOME with pam_mount
# apt-get install libpam-mount
# apt-get install cifs-utils    # brings us the required mount.cifs
Edit /etc/security/pam_mount.conf.xml and add one line for a "Volume definition"; replace 192.0.2.1 with your server's IP address:
<volume user="*" fstype="cifs" server="192.0.2.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Test:
$ ssh u1@client pwd
u1@client's password:
/home/u1
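The three files written on this page (krb5.conf, sssd.conf and pam_mount.conf.xml) are all edited by hand, and the mistakes that matter are easy to overlook: a krb5_realm left over from another site, an sssd.conf that is not mode 0600 (sssd refuses to load it), the full-access cn=zentyal bind account where cn=zentyalro would do, a plain ldap:// bind with no STARTTLS, the legacy DES/RC4 enctypes, or a volume line that lost its nodev,nosuid. The following POSIX shell script is an added example, not part of SSSD or Zentyal; the helper and finding names (ini_get, check_krb5_conf, check_sssd_conf, check_pam_mount, realm_mismatch, ...) are my own, as is the assumption that each pam_mount <volume> element sits on a single line as it does above.

```shell
#!/bin/sh
# Added example for this page (not SSSD's or Zentyal's own code): sanity checks for
# the three client files written above. Source it, then run for example:
#   check_krb5_conf /etc/krb5.conf; check_sssd_conf /etc/sssd/sssd.conf
#   check_pam_mount /etc/security/pam_mount.conf.xml

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# krb5.conf and sssd.conf are both ini-style, so one helper serves both.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                      # section header: is it the wanted one?
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            insec = (line == sec)
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")       # drop "key =" and surrounding blanks
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# check_krb5_conf FILE: print (sorted, unique) the single-DES and RC4 enctypes
# requested in [libdefaults]. Both families are withdrawn (RFC 6649, RFC 8429);
# keep them only while the KDC offers nothing stronger. Returns 1 if any found.
check_krb5_conf() {
    found=""
    for key in default_tgs_enctypes default_tkt_enctypes preferred_enctypes; do
        for enc in $(ini_get "$1" libdefaults "$key"); do
            case "$enc" in
                des-*|arcfour-hmac*) found="$found $enc" ;;
            esac
        done
    done
    [ -n "$found" ] && printf '%s\n' $found | sort -u | paste -s -d ' ' -
    [ -z "$found" ]
}

# check_sssd_conf FILE: print one word per finding, return 1 if there are any.
check_sssd_conf() {
    f=$1
    findings=""
    # sssd refuses to start unless the file is mode 0600 and root-owned; the owner
    # test (find -user root) is left out so the example runs unprivileged
    [ -n "$(find "$f" -maxdepth 0 -perm 600)" ] || findings="$findings mode"
    for dom in $(ini_get "$f" sssd domains | tr ',' ' '); do
        sec="domain/$dom"
        # the template names the domain after its Kerberos realm, so a different
        # krb5_realm is almost certainly a leftover from another site
        if [ "$(ini_get "$f" "$sec" auth_provider)" = krb5 ] &&
           [ "$(ini_get "$f" "$sec" krb5_realm)" != "$dom" ]; then
            findings="$findings realm_mismatch"
        fi
        # the template's own comment: binding as cn=zentyal gives every client the
        # server's full-access credentials; cn=zentyalro is the read-only account
        case "$(ini_get "$f" "$sec" ldap_default_bind_dn)" in
            cn=zentyal,*) findings="$findings full_access_bind" ;;
        esac
        # a simple bind over ldap:// without STARTTLS sends the bind password in
        # the clear on every lookup (ldap_id_use_start_tls defaults to false)
        case "$(ini_get "$f" "$sec" ldap_uri)" in
            ldap://*) [ "$(ini_get "$f" "$sec" ldap_id_use_start_tls)" = true ] ||
                      findings="$findings cleartext_bind" ;;
        esac
    done
    findings=${findings# }
    [ -n "$findings" ] && echo "$findings"
    [ -z "$findings" ]
}

# check_pam_mount FILE: for each cifs <volume> (one element per line, as on this
# page) print which of the hardening options nodev/nosuid are missing.
check_pam_mount() {
    missing=""
    for opts in $(grep '<volume' "$1" | grep 'fstype="cifs"' |
                  sed -n 's/.*options="\([^"]*\)".*/\1/p'); do
        for want in nodev nosuid; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
    done
    missing=${missing# }
    [ -n "$missing" ] && echo "$missing"
    [ -z "$missing" ]
}
```

Each function prints its findings and exits non-zero when it has any, so the script drops into a post-install check or a configuration-management test without further wrapping. The realm test is deliberately tied to this template's convention of naming the SSSD domain after the Kerberos realm; sites that name them differently should drop that one check rather than the script.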