
    services:   files sss
    ...
    netgroup:   files sss

The different pam.d files add a line for the pam_sss.so module beneath every pam_unix.so line in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files.

    auth        sufficient    pam_sss.so use_first_pass
    ...
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    ...
    password    sufficient    pam_sss.so use_authtok
    ...
    session     optional      pam_mkhomedir.so
    session     optional      pam_sss.so

2.6. Additional Configuration Examples

2.6.1. Account Settings

With Linux users, certain system preferences are set by default for new users. These system preferences either may not be set in the Windows user accounts or may be set to something incompatible with a Linux system. There are two such areas: the user home directory and the default user shell.

2.6.1.1. Setting a User Home Directory

Red Hat Enterprise Linux has a PAM library (pam_oddjob_mkhomedir.so) which automatically creates user directories when a user first logs in. This includes Active Directory users, when they first log into a Linux system.

With SSSD, the format of the user directory is retrieved from the identity provider. If the identity provider has a home directory format that is different from the format for the Linux system, or if it does not supply a value, then SSSD can be configured to set the home directory attribute value using a template specified in its configuration. The template can be set globally in the NSS service section or per domain. There are two possible parameters:

fallback_homedir, which supplies a template if the identity provider does not supply one.

override_homedir, which sets a template to use regardless of what information is set in the identity provider.

Both can use variables within the template, such as %u for the login name and %d for the domain name:

    [nss]
    fallback_homedir = /home/%u
    ...

    [domain/AD_EXAMPLE]
    id_provider = ad
    auth_provider = ad
    ...
    override_homedir = /home/%d/%u

Chapter 2. Using Active Directory as an Identity Provider for SSSD
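The template expansion and precedence described above, as an added example that is not code from the guide or from SSSD itself; it assumes the usual rule that a domain-section value wins over the [nss] value, that override_homedir wins over whatever the identity provider returned, and that fallback_homedir fills in only when the provider returned nothing.

```python
# Added example (not code from the guide or from SSSD): expands the %-variables
# used in fallback_homedir / override_homedir templates and applies the assumed
# precedence: domain section over [nss], override over provider value,
# fallback only when the provider supplied nothing.

def expand_homedir_template(template, login, domain, uid, provider_homedir):
    """Expand %u (login), %U (uid), %d (domain), %f (login@domain),
    %o (home directory from the identity provider) and %% (literal %)."""
    values = {
        "u": login,
        "U": str(uid),
        "d": domain,
        "f": f"{login}@{domain}",
        "o": provider_homedir or "",
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            code = template[i + 1]
            if code not in values:
                raise ValueError(f"unknown template variable %{code}")
            out.append(values[code])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def resolve_homedir(nss_cfg, domain_cfg, login, domain, uid, provider_homedir):
    """Choose the home directory for one user from the two config sections."""
    # override_homedir applies regardless of what the provider supplied
    override = domain_cfg.get("override_homedir") or nss_cfg.get("override_homedir")
    if override:
        return expand_homedir_template(override, login, domain, uid, provider_homedir)
    if provider_homedir:            # the provider's own value is used when present
        return provider_homedir
    # fallback_homedir only fills the gap when the provider supplied nothing
    fallback = domain_cfg.get("fallback_homedir") or nss_cfg.get("fallback_homedir")
    if fallback:
        return expand_homedir_template(fallback, login, domain, uid, provider_homedir)
    return None


# Constructed sections mirroring the snippet above (sample data, not a real site).
NSS_CFG = {"fallback_homedir": "/home/%u"}
AD_DOMAIN_CFG = {"override_homedir": "/home/%d/%u"}
```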

2.6.1.2. Setting a User Shell

By default, SSSD attempts to retrieve information about user shells from the identity provider. In both the Active Directory and LDAPv3 schemas, this is defined in the loginShell attribute. However, this is an optional attribute, so it may not be defined for every user. For Active Directory users, the defined login shell may not be allowed on the Linux system.

There are a number of ways to handle shells in the SSSD configuration:

Set a fallback value if no shells are supplied using shell_fallback.

Set lists of allowed or blacklisted shells using allowed_shells and vetoed_shells.

Set a default value using default_shell.

Set a value to use, even if another value is given in the identity provider, using override_shell.

Note

The allowed_shells, vetoed_shells, and shell_fallback parameters can only be set as global settings, not per domain. However, these parameters do not affect local system users, only external users retrieved through SSSD identity providers. Using a general setting, such as /bin/rbash, is good for most external users.

Default values can be set per domain, while some values, such as the whitelists and blacklists for shells, must be set globally in the NSS service configuration. For example:

[nss]
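How the shell options above interact, as an added example that is not code from the guide or from SSSD: it models the evaluation order the sssd.conf man page gives for these options (override_shell first, default_shell for a missing provider value, then vetoed_shells, /etc/shells and allowed_shells, with a nologin shell for anything left); the relative order of the vetoed and /etc/shells checks, and the sample configuration, are assumptions of this model.

```python
# Added example, not code from the guide or from SSSD: models the shell
# selection order given in the sssd.conf man page for the [nss] options above.
# override_shell is absolute; a missing provider value takes default_shell;
# otherwise vetoed_shells, then /etc/shells, then allowed_shells decide, and
# anything left over gets a nologin shell (order assumed for this model).

NOLOGIN_SHELL = "/sbin/nologin"


def resolve_shell(nss_cfg, provider_shell, etc_shells):
    """Return the login shell SSSD would hand to NSS for one external user."""
    override = nss_cfg.get("override_shell")
    if override:
        return override                      # supersedes every other option
    if provider_shell is None:
        return nss_cfg.get("default_shell")  # provider supplied no loginShell
    allowed = nss_cfg.get("allowed_shells", [])
    vetoed = nss_cfg.get("vetoed_shells", [])
    fallback = nss_cfg.get("shell_fallback", "/bin/sh")
    if not allowed and not vetoed:
        return provider_shell                # no restrictions configured
    if provider_shell in vetoed:
        return fallback                      # blacklisted shell -> fallback
    if provider_shell in etc_shells:
        return provider_shell                # installed and not vetoed
    if provider_shell in allowed:
        return fallback                      # whitelisted but not installed
    return NOLOGIN_SHELL                     # neither allowed nor installed


# Constructed [nss] settings and /etc/shells contents for the demonstration.
NSS_CFG = {
    "allowed_shells": ["/bin/bash", "/bin/zsh"],
    "vetoed_shells": ["/bin/csh"],
    "shell_fallback": "/bin/rbash",
    "default_shell": "/bin/bash",
}
ETC_SHELLS = ["/bin/sh", "/bin/bash", "/bin/rbash", "/sbin/nologin"]
```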

2.6.2. Enabling Dynamic DNS Updates (Active Directory Only)

Active Directory allows its clients to refresh their DNS records automatically. Active Directory also actively maintains DNS records to make sure they are updated, including timing out (aging) and removing (scavenging) inactive records. Note that DNS scavenging is not enabled by default on the AD side.

SSSD allows the Linux system to imitate a Windows client by refreshing its DNS record, which also prevents its record from being marked inactive and removed from DNS. When dynamic DNS updates are enabled, the client's DNS record is refreshed at several points:

When the identity provider comes online (always).

When the Linux system reboots (always).

At a specified interval (optional configuration).

Note

This can be set to the same interval as the DHCP lease, which means that the Linux client is renewed after the lease is renewed.

DNS updates are sent to the Active Directory server using Kerberos/GSSAPI for DNS (GSS-TSIG); this means that only secure connections need to be enabled.

The dynamic DNS configuration is set for each domain. For example:

    [domain/ad.example.com]
    dyndns_update_ptr = true
    dyndns_ttl = 3600

Table 2.1. Options for Dynamic DNS Updates

Option (Format): Description

dyndns_update (Boolean): Sets whether to update the DNS server dynamically with the client IP address. This requires secure updates and must be set to true for any other dynamic DNS setting to be enabled. The default value is true.

dyndns_ttl (Integer): Sets a time-to-live for the client's DNS record. The default value is 3600 seconds.

dyndns_refresh_interval (Integer): Sets a frequency to perform an automatic DNS update, in addition to the update when the provider comes online. The default value is 86400 seconds (24 hours).

dyndns_update_ptr (Boolean): Sets whether to update the PTR record when the client updates its DNS records. The default value is true.

2.6.3. Using a Filter with Access Controls

The Active Directory access provider is used as the source for authorization information. The following configuration option is actually a combination of several other generic LDAP parameters:

    access_provider = ad

This is the same as setting the following LDAP parameters:

    access_provider = ldap
    ldap_access_order = expire
    ldap_account_expire_policy = ad

There is an additional option to identify which user accounts to grant access to, based on an LDAP filter. First, accounts must match the filter, and then they must pass the expiration check, which is implicit in the access_provider = ad setting. For example, the following specifies that only users who belong to the administrators group and have a unixHomeDirectory attribute pass the access control check:

    access_provider = ad
    ad_access_filter = (&(memberOf=cn=admins,ou=groups,dc=example,dc=com)(unixHomeDirectory=*))
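The two-step decision described above (filter match, then the expiration check that access_provider = ad applies implicitly), as an added example that is not code from the guide or from SSSD; the expiration step is modelled as the ACCOUNTDISABLE bit of userAccountControl plus the accountExpires timestamp, and the directory entries are constructed sample data.

```python
# Added example, not code from the guide or from SSSD: evaluates the access
# decision for access_provider = ad with the filter shown above. Step 1 applies
# the filter (member of the admins group and a present unixHomeDirectory);
# step 2 models the implicit AD expiration policy as the ACCOUNTDISABLE bit (0x2)
# of userAccountControl plus the accountExpires FILETIME (0 and
# 0x7FFFFFFFFFFFFFFF mean "never expires").
from datetime import datetime, timedelta, timezone

ADMINS_DN = "cn=admins,ou=groups,dc=example,dc=com"
ACCOUNTDISABLE = 0x2
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed "now" for the demo


def filetime_to_datetime(ft):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def matches_access_filter(entry):
    """(&(memberOf=cn=admins,...)(unixHomeDirectory=*)) on a dict-shaped entry."""
    groups = [dn.lower() for dn in entry.get("memberOf", [])]  # DNs compare case-insensitively
    return ADMINS_DN.lower() in groups and bool(entry.get("unixHomeDirectory"))


def account_expired(entry, now):
    """The expiration check that runs after the filter has matched."""
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return True
    expires = int(entry.get("accountExpires", 0))
    if expires in NEVER_EXPIRES:
        return False
    return filetime_to_datetime(expires) < now


def access_granted(entry, now=SAMPLE_NOW):
    return matches_access_filter(entry) and not account_expired(entry, now)


# Constructed sample entries (not real directory data); 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
ACTIVE_ADMIN = {"sAMAccountName": "alice", "memberOf": [ADMINS_DN],
                "unixHomeDirectory": "/home/alice", "userAccountControl": 512,
                "accountExpires": 0x7FFFFFFFFFFFFFFF}
DISABLED_ADMIN = dict(ACTIVE_ADMIN, sAMAccountName="bob", userAccountControl=514)
EXPIRED_ADMIN = dict(ACTIVE_ADMIN, sAMAccountName="dave",
                     accountExpires=132000000000000000)   # April 2019, in the past
NO_POSIX_HOME = {"sAMAccountName": "carol", "memberOf": [ADMINS_DN],
                 "userAccountControl": 512, "accountExpires": 0}
```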
