Install Required Packages

  1. RHEL6: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
  2. RHEL7: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
  3. UBUNTU: Install the following packages.
    1. $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules

Configure Kerberos

  1. Gather the list of KDCs for the realm; the KDC hostnames are the last field (the SRV target) of each record returned.
    1. # nslookup -type=SRV _kerberos._tcp.<>
      1. Output of previous command:
        Server: <ip address>
        Address: <ip address>#53

        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <>.
  2. Create a backup of the /etc/krb5.conf file.
    1. # cp -p /etc/krb5.conf{,.bak}
    2. Modify the /etc/krb5.conf file as follows; the entries in angle brackets are the site-specific changes.
      1. [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
        default_realm = <DOMAIN.COM>
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

        [realms]
        <DOMAIN.COM> = {
          kdc = dc1.<DOMAIN.COM>
          kdc = dc2.<DOMAIN.COM>
          kdc = dc3.<DOMAIN.COM>
          kdc = dc4.<DOMAIN.COM>
          admin_server = <DOMAIN.COM>
        }

        [domain_realm]
        .<> = <DOMAIN.COM>
        <> = <DOMAIN.COM>
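Steps 1 and 2 above are joined by hand: read the SRV targets, then type them into the [realms] stanza. The following added example (not part of the original runbook) does that translation from nslookup output, ordering the KDCs the way a Kerberos client would try them (lowest priority first, then highest weight), stripping the trailing dot from each target and keeping a non-standard port as host:port, which krb5.conf accepts. The SRV output and the example.com hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed nslookup output standing in for the real
#   nslookup -type=SRV _kerberos._tcp.<domain>
# query from the runbook; the hosts are placeholders, not real servers.
SRV_OUTPUT='Server:     10.0.0.53
Address:    10.0.0.53#53

_kerberos._tcp.example.com service = 10 100 88 dc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com service = 0 50 88 dc3.example.com.
_kerberos._tcp.example.com service = 20 100 8888 dc4.example.com.'

# Print one "kdc = host[:port]" line per SRV record in $1.
# SRV fields are: priority weight port target. Lower priority is tried
# first; within equal priority, higher weight is preferred, so the sort
# key is "priority, 100000-weight". Port 88 is the default and omitted.
kdc_lines() {
    printf '%s\n' "$1" |
        awk '/service = / {
                 prio = $(NF-3); weight = $(NF-2); port = $(NF-1); host = $NF
                 sub(/\.$/, "", host)               # drop DNS trailing dot
                 if (port != 88) host = host ":" port
                 printf "%05d %05d %s\n", prio, 100000 - weight, host
             }' |
        LC_ALL=C sort |
        awk '{ print "        kdc = " $3 }'
}

# Emit a complete [realms] stanza for realm $1 from SRV output $2.
# admin_server is set to the realm name, mirroring the runbook's krb5.conf.
realms_stanza() {
    realm=$1
    printf '[realms]\n    %s = {\n' "$realm"
    kdc_lines "$2"
    printf '        admin_server = %s\n    }\n' "$realm"
}

realms_stanza EXAMPLE.COM "$SRV_OUTPUT"
```

Run it against real output by replacing SRV_OUTPUT with `$(nslookup -type=SRV _kerberos._tcp.<domain>)`; the printed stanza can be pasted into /etc/krb5.conf after review.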

Configure Samba

  1. Create a backup of the /etc/samba/smb.conf file.
    1. # cp -p /etc/samba/smb.conf{,.bak}
  2. Modify the /etc/samba/smb.conf file as follows; the entries in angle brackets are the site-specific changes.
    1. [global]
             workgroup = <DOMAIN>
      ;      server string = Samba Server Version %v
      ;      security = user
      ;      passdb backend = tdbsam
             client signing = yes
             client use spnego = yes
             kerberos method = secrets and keytab
             security = ads
             passdb backend = tdbsam
             realm = <DOMAIN.COM>
      ;      load printers = yes
      ;      cups options = raw
      ;      comment = All Printers
      ;      path = /var/spool/samba
      ;      browseable = no
      ;      guest ok = no
      ;      writable = no
      ;      printable = yes
  3. Verify the Samba configuration.
    1. # testparm
  4. The output should be similar to:
    1. [global]
             workgroup = <DOMAIN>
             realm = <DOMAIN.COM>
             security = ADS
             kerberos method = secrets and keytab
             log file = /var/log/samba/log.%m
             max log size = 50
             client signing = required
             idmap config * : backend = tdb
             comment = Home Directories
             read only = No
             browseable = No

Kerberos Ticket

  1. Obtain and verify a new ticket using the new Kerberos configuration.
    1. # kinit <admin account>
      1. Enter the password.
  2. Verify the ticket.
    1. # klist
      1. The output should be similar to:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <admin account>@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Register Server with Active Directory

  1. Join AD and obtain a keytab
    1. # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
  2. Verify the keytab
    1. # klist -k
      1. The output should be similar to:
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
        ---- --------------------------------------------------------------------------
           2 host/<>
           2 host/<>
           2 host/<>
           2 host/<>
           2 host/<>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
  3. Obtain a Kerberos ticket using the keytab; the server name must be given in capitals.
    1. # kinit -k <SERVERNAME>$
  4. Verify the new default principal; it will have changed from <admin account> to <SERVERNAME>$.
    1. # klist
      1. The output should be similar to the following; note the Default principal line:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <SERVERNAME>$@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Verify LDAP

  1. Verify that LDAP returns the sAMAccountNames
    1. # ldapsearch -o ldif-wrap=140 -H ldap://<> -Y GSSAPI -N -b DC=domain,DC=com "memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com" | grep sAMAccountName

Configure SSSD Authentication

  1. RHEL6 & RHEL7: Configure pam and nsswitch.
    1. # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
    2. Note: this may start the oddjobd daemon.
  2. UBUNTU: Installing the packages already sets this up; nothing more is needed.

Enable oddjobd service

  1. RHEL6: Enable startup on boot
    1. # chkconfig oddjobd on
  2. RHEL7: Enable startup on boot
    1. # systemctl enable oddjobd.service

SSSD configuration

  1. Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
    1. # cp -p /etc/sssd/sssd.conf{,.bak}
  2. Create the configuration file as follows (the stanza headers are required; uncomment the lines for your distribution):
[sssd]
#RHEL6: Uncomment the following lines:
#config_file_version = 2
#debug_level = 0
##domains = local, <>
#domains = <>
#services = nss, pam
#reconnection_retries = 3

#RHEL7: Uncomment the following lines:
#config_file_version = 2
#debug_level = 0
##domains = local, <>
#domains = <>
#services = nss, pam, pac
#reconnection_retries = 3

# Uncomment the next line together with one of the following blocks.
#[domain/local]
#RHEL6: Uncomment the following lines only if domains = local, <> will be
#       used in the [sssd] stanza.
#enumerate = TRUE
#min_id = 500
#max_id = 999
#id_provider = local
#auth_provider = local

#RHEL7: Uncomment the following lines only if domains = local, <> will be
#       used in the [sssd] stanza.
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

#UBUNTU: Uncomment the following lines only if domains = local, <> will be
#       used in the [sssd] stanza.
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

[domain/<>]
dns_discovery_domain = <>
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_referrals = false
## Only uncomment the next line if logon is slow.
##ignore_group_members = true
# Allow Domain Admins
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)

default_shell = /bin/bash
override_homedir = /home/%d/%u
# Permits offline logins:
cache_credentials = true
# Use when service discovery not working:
# ad_server = srdc3.<>
#ldap_id_mapping = true
filter_groups = root
filter_users = root
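Two things in this file fail quietly rather than loudly: a name listed in domains= with no matching [domain/...] stanza, and an ad_access_filter in a stanza whose access_provider is not ad (the filter is then simply not applied, and the Domain Admins restriction is lost). The following added check, written for this runbook and not part of it, parses an sssd.conf and reports both conditions; the example.com configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sssd.conf following the runbook layout (AD domain only).
SSSD_CONF='[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)
cache_credentials = true
'

# Return 0 when every domain in [sssd] domains= has a [domain/<name>] stanza
# and every stanza that sets ad_access_filter also sets access_provider = ad.
# Problems are printed one per line and the function returns 1.
check_sssd_conf() {
    printf '%s\n' "$1" | awk '
        /^\[/ {                                  # stanza header
            sect = $0; gsub(/\[|\]/, "", sect)
            if (sect ~ /^domain\//) have[substr(sect, 8)] = 1
            next
        }
        /^[#;]/ || NF == 0 { next }              # comments and blank lines
        {                                        # key = value
            split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        sect == "sssd" && key == "domains" {
            n = split(val, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) want[parts[i]] = 1
        }
        key == "ad_access_filter"               { filt[sect] = 1 }
        key == "access_provider" && val == "ad" { ap[sect] = 1 }
        END {
            rc = 0
            for (dn in want) if (!(dn in have)) { print "missing stanza [domain/" dn "]"; rc = 1 }
            for (s in filt) if (!(s in ap))     { print "[" s "]: ad_access_filter set without access_provider = ad"; rc = 1 }
            exit rc
        }'
}

check_sssd_conf "$SSSD_CONF" && echo "sssd.conf checks passed"
```

On a real host run `check_sssd_conf "$(cat /etc/sssd/sssd.conf)"` as root before starting the service.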

Start SSSD

  1. Change the file permissions for /etc/sssd/sssd.conf
    1. # chmod 600 /etc/sssd/sssd.conf
  2. RHEL6: Start the SSSD daemon
    1. # service sssd start
  3. RHEL7: Start the SSSD daemon
    1. # systemctl restart sssd
  4. UBUNTU: Start the SSSD daemon
    1. $ sudo start sssd
  5. RHEL6: Enable startup on boot
    1. # chkconfig sssd on
  6. RHEL7: Enable startup on boot
    1. # systemctl enable sssd

