Active Directory, Integration with Linux

Provides an overview of how Linux-based systems can integrate with Active Directory using SSSD
The base Active Directory schema has support for POSIX attributes and are auto-provisioned as follows:
uidNumber - auto-generated unique number (minimum value 100000) assigned to each system user upon netid creation
gidNumber - Value set to be the same as uidNumber for users.
unixHomeDirectory - This value is set to /home/<netid>
loginShell - This value is set by default to /bin/sh and can be modified by visiting https://my.techservices.illinois.edu/adtools/shell.asp.

In addition, a local custom attribute has been added to support the publishing of SSH public keys:
uiucEduSSHPublicKey - Value can be optionally uploaded with an SSH public key by visiting https://my.techservices.illinois.edu/adtools/ssh-key.asp.

Technology Services coordinated with College of Engineering IT to develop some standards and infrastructure for supporting Linux integration using the System and Security Services Daemon (SSSD). They have provided some sample configs as examples of what you will need to do to configure SSSD on your system.

RHEL Sample Config

krb5.conf

----------------------------------------
krb5.conf
----------------------------------------
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
  
[libdefaults]
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
  
# encryption types have been removed due to security issues
    default_realm = AD.UILLINOIS.EDU
    dns_lookup_kdc = true
    udp_preference_limit = 0
    dns_lookup_realm = false
  
[realms]
    AD.UILLINOIS.EDU = {
        kdc = kerberos.illinois.edu
        admin_server = kerberos.illinois.edu
        master_kdc = kerberos.illinois.edu
        default_domain = ad.uillinois.edu
    }
       
[domain_realm]
    ad.uillinois.edu = AD.UILLINOIS.EDU
    .ad.uillinois.edu = AD.UILLINOIS.EDU
    illinois.edu = AD.UILLINOIS.EDU
    .illinois.edu = AD.UILLINOIS.EDU

sssd.conf

----------------------------------------
sssd.conf
----------------------------------------
[sssd]
debug_level = 2
config_file_version = 2
debug_level = 2
domains = ad.uillinois.edu
services = nss, pam, pac
 
[nss]
debug_level = 2
# enum_cache_timeout (integer)
#    How many seconds should nss_sss cache enumerations (requests for info about all users)
#
#    Default: 120 
#entry_cache_nowait_percentage (integer)
#    The entry cache can be set to automatically update entries in the background if they are 
#    requested beyond a percentage of the entry_cache_timeout value for the domain.
#
#    For example, if the domain's entry_cache_timeout is set to 30s and entry_cache_nowait_percentage 
#    is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be 
#    returned immediately, but the SSSD will go and update the cache on its own, so that future requests
#     will not need to block waiting for a cache update.
#
#    Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for 
#    each domain. For performance reasons, this percentage will never reduce the nowait timeout to 
#    less than 10 seconds. (0 disables this feature)
#
#    Default: 50 
#entry_negative_timeout (integer)
#    Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries 
#    for invalid database entries, like nonexistent ones) before asking the back end again.
#
#    Default: 15 
filter_users = root
override_homedir = /home/%u
# ENGRIT CHANGE -- Changed override_shell to default_shell and shell_fallback
default_shell = /bin/bash
shell_fallback = /bin/bash
 

[pam]
debug_level = 2
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
 
[domain/ad.uillinois.edu]
debug_level = 2

# Engineering groups of interest start at gidNumber 60000
min_id = 60000

# Enumerate will enumerate all the groups and is a major factor in login time
#enumerate = True
enumerate = False
 
# How long NSS caches entries before going back to AD to find them
#entry_cache_timeout = 5400 
#entry_cache_user_timeout
#entry_cache_group_timeout
#entry_cache_netgroup_timeout
# etc.
#  cache_credentials (bool)
#           Determines if user credentials are also cached in the local LDB cache
#
#           User credentials are stored in a SHA512 hash, not in plaintext
#
#           Default: FALSE
 
#account_cache_expiration
# Number of days entries are left in cache after last successful login 
# before being removed during a cleanup of the cache. 0 means keep forever. 
# The value of this parameter must be greater than or equal to 
#offline_credentials_expiration.
#Default: 0 (unlimited) 
#       ignore_group_members (bool)
#           Do not return group members for group lookups.
#
#           If set to TRUE, the group membership attribute is not requested from the ldap server, and group members
#           are not returned when processing group lookup calls, such as getgrnam(3) or getgrgid(3). As an effect,
#           âtent group $groupnameâ           Enabling this option can also make access provider checks for group membership significantly faster,
#           especially for groups containing many members.
#
#           Default: FALSE
 
#id_provider:  [ldap|ipa|ad]
# id_provider = ad requires joining the workstation to the domain
id_provider = ldap
 
#auth_provider:  [ldap|krb5|ipa|ad]
auth_provider = krb5
krb5_server = kerberos.illinois.edu
krb5_realm = AD.UILLINOIS.EDU
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
 
chpass_provider = krb5
dns_discovery_domain = .uillinois.edu
 
##### Commenting this out, it's up above and commented out defaulting to false; 
#cache_credentials = True
 
access_provider = simple
 
#simple_allow_groups = None
 
# This is if we have salt pillar data populating the simple_allow_groups
#simple_allow_groups = {{ class_group }}
 
ldap_uri = ldap://ldap.ad.uillinois.edu
ldap_schema = rfc2307bis
ldap_default_bind_dn = 
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = 
 
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_referrals = False
ldap_account_expire_policy = ad
ldap_access_order = expire
 
ldap_search_base = DC=ad,DC=uillinois,DC=edu?subtree?
 
# ldap_user_search_base = to all of AD;  You'll want to add any OU you have
#                   for external collaborators/users to your systems
ldap_user_search_base = OU=People,DC=ad,DC=uillinois,DC=edu?subtree?
 
# ENGRIT Change -- Changed from "person" to "user" because Microsoft shoves
#                  more attributes in "user" than it does "person"
#ldap_user_object_class = person
ldap_user_object_class = user
 
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
 
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_user_objectsid = objectSid
 
# ENGRIT Change -- changed to nosuchattr so the wrong UPN will not be pulled;
#                  when not found, SSSD will contruct the UPN from the
#                  kerberos domain.  Otherwise, our AD returns netid@illinois.edu
#ldap_user_principal = userPrincipalName
ldap_user_principal = nosuchattr
 
# ENGRIT Change -- Make the ldap_group_search_base equal to YOUR OU for groups
#                  plus the OU for all the gidGroups created by campus.
ldap_group_search_base = OU=???,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree??OU=gidGroups,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree?
 
# ENGRIT Change -- Made the object class for groups "group" instead of
#                  "posixGroup" which is the default
# Made the object class for groups "group" instead of "posixGroup" which is the default
ldap_group_object_class = group
 
# ENGRIT Comment -- "description" is a multi-valued attribute, so use a single-valued
#                   attribute like displayName, which may be changed to extensionAttribute12
ldap_group_name = displayName
 
ldap_group_gid_number = gidNumber
ldap_group_uuid = objectGUID
ldap_group_objectsid = objectSID
 
# ldap_group_nesting_level (integer)
#           If ldap_schema is set to a schema format that supports nested groups (e.g. RFC2307bis), then this option
#           controls how many levels of nesting SSSD will follow. This option has no effect on the RFC2307 schema.
#
#           Note: This option specifies the guaranteed level of nested groups to be processed for any lookup. However,
#           nested groups beyond this limit may be returned if previous lookups already resolved the deeper nesting
#           levels. Also, subsequent lookups for other groups may enlarge the result set for original lookup if
#           re-queried.
#
#           If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when
#           connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of
#           Token-Groups by setting ldap_use_tokengroups to false.
#
#           Default: 2
#
# ENGRIT Change -- Commented out ldap_group_nesting_level since enumerate is off.
# NOTE NOTE NOTE  - Default is 2.   This is working for us because schema is RFC2307bis
# ldap_group_nesting_level = 10
#
#        ldap_groups_use_matching_rule_in_chain
#           This option tells SSSD to take advantage of an Active Directory-specific feature which may speed up group
#           lookup operations on deployments with complex or deep nested groups.
#
#           In most common cases, it is best to leave this option disabled. It generally only provides a performance
#           increase on very complex nestings.
#
#           If this option is enabled, SSSD will use it if it detects that the server supports it during initial
#           connection. So "True" here essentially means "auto-detect".
#
#           Default: False
# ENGRIT Change -- with tokenGroups enabled these two options needn't be here
# ldap_groups_use_matching_rule_in_chain = True 
# ldap_initgroups_use_matching_rule_in_chain = True
#
# ENGRIT Change -- Made ldap_use_tokengroups = True because it is better long run
ldap_use_tokengroups = True
#
#         ldap_search_timeout (integer)
#           Specifies the timeout (in seconds) that ldap searches are allowed to run before they are cancelled and
#           cached results are returned (and offline mode is entered)
#
#           Note: this option is subject to change in future versions of the SSSD. It will likely be replaced at some
#           point by a series of timeouts for specific lookup types.
#
#           Default: 6
#
#       ldap_enumeration_search_timeout (integer)
#           Specifies the timeout (in seconds) that ldap searches for user and group enumerations are allowed to run
#           before they are cancelled and cached results are returned (and offline mode is entered)
#
#           Default: 60
#
#       ldap_network_timeout (integer)
#           Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in
#           case of no activity.
#
#           Default: 6
#
# The following line may be deprecated.
use_fully_qualified_names = False
#
ignore_group_members = False
 
# ENGRIT Change -- Commented out override_gid since it is not needed.
#override_gid = None 

Ubuntu Sample Config

krb5.conf

----------------------------------------
krb5.conf
----------------------------------------
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
  
[libdefaults]
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
  
# encryption types have been removed due to security issues
    default_realm = AD.UILLINOIS.EDU
    dns_lookup_kdc = true
    udp_preference_limit = 0
    dns_lookup_realm = false
  
[realms]
    AD.UILLINOIS.EDU = {
        kdc = kerberos.illinois.edu
        admin_server = kerberos.illinois.edu
        master_kdc = kerberos.illinois.edu
        default_domain = ad.uillinois.edu
    }
  
[domain_realm]
    ad.uillinois.edu = AD.UILLINOIS.EDU
    .ad.uillinois.edu = AD.UILLINOIS.EDU
    illinois.edu = AD.UILLINOIS.EDU
    .illinois.edu = AD.UILLINOIS.EDU

sssd.conf

----------------------------------------
sssd.conf
----------------------------------------
[sssd]
debug_level = 2
config_file_version = 2
[sssd]
debug_level = 2
domains = ad.uillinois.edu
services = nss, pam, pac
[nss]
debug_level = 2
# enum_cache_timeout (integer)
#    How many seconds should nss_sss cache enumerations (requests for info about all users)
#
#    Default: 120
#entry_cache_nowait_percentage (integer)
#    The entry cache can be set to automatically update entries in the background if they are
#    requested beyond a percentage of the entry_cache_timeout value for the domain.
#
#    For example, if the domain's entry_cache_timeout is set to 30s and entry_cache_nowait_percentage
#    is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be
#    returned immediately, but the SSSD will go and update the cache on its own, so that future requests
#     will not need to block waiting for a cache update.
#
#    Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for
#    each domain. For performance reasons, this percentage will never reduce the nowait timeout to
#    less than 10 seconds. (0 disables this feature)
#
#    Default: 50
#entry_negative_timeout (integer)
#    Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries
#    for invalid database entries, like nonexistent ones) before asking the back end again.
#
#    Default: 15
filter_users = root
fallback_homedir = /home/%u
default_shell = /bin/bash
shell_fallback = /bin/bash
[pam]
debug_level = 9
[domain/ad.uillinois.edu]
debug_level = 9
# Engineering groups of interest start at gidNumber 60000
min_id = 60000
# Enumerate will enumerate all the groups and is a major factor in login time
#enumerate = True
enumerate = False
# How long NSS caches entries before going back to AD to find them
#entry_cache_timeout = 5400
#entry_cache_user_timeout
#entry_cache_group_timeout
#entry_cache_netgroup_timeout
# etc.
#  cache_credentials (bool)
#           Determines if user credentials are also cached in the local LDB cache
#
#           User credentials are stored in a SHA512 hash, not in plaintext
#
#           Default: FALSE
 
#account_cache_expiration
# Number of days entries are left in cache after last successful login
# before being removed during a cleanup of the cache. 0 means keep forever.
# The value of this parameter must be greater than or equal to
#offline_credentials_expiration.
#Default: 0 (unlimited)
#       ignore_group_members (bool)
#           Do not return group members for group lookups.
#
#           If set to TRUE, the group membership attribute is not requested from the ldap server, and group members
#           are not returned when processing group lookup calls, such as getgrnam(3) or getgrgid(3). As an effect,
#           âtent group $groupnameâ           Enabling this option can also make access provider checks for group membership significantly faster,
#           especially for groups containing many members.
#
#           Default: FALSE
#id_provider:  [ldap|ipa|ad]
# id_provider = ad requires joining the workstation to the domain
id_provider = ldap
#auth_provider:  [ldap|krb5|ipa|ad]
auth_provider = krb5
krb5_server = kerberos.illinois.edu
krb5_realm = AD.UILLINOIS.EDU
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_canonicalize = False
  
#access_provider:  [permit|deny|ldap|ipa|ad|simple]
# "simple" access control based on access or deny lists.
# See sssd-simple(5) for more information on configuring the simple access module.
access_provider = simple
# NOTE:   Update the simple_allow_group to the group(s) you want to grant access
simple_allow_group = GROUP_NAME
chpass_provider = krb5
 
#    override_gid (integer)
#    Override the primary GID value with the one specified.
 
ldap_uri = ldap://ldap.ad.uillinois.edu
#ldap_backup_uri = ldap://ad.uillinois.edu
ldap_search_base = DC=ad,DC=uillinois,DC=edu?subtree?
# Changed from rfc2307bis to AD, even though it should make no difference -fep   2016-0-7-14
ldap_schema = AD
# You need to substitute with your own AD Service account
ldap_default_bind_dn = 
ldap_default_authtok_type = obfuscated_password
# You will need to have your corresponding password obfuscated for your service account here
ldap_default_authtok = A....................M
# Changed from "person" to "user" because Microsoft shoves more attributes in "user" than it does "person"
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_user_objectsid = objectSid
ldap_user_principal = userPrincipalName
# Made the object class for groups "group" instead of "posixGroup" which is the default
ldap_group_object_class = group
# Makde the ldap_group_name displayName instead of cn, so we can rip the enx- prefix off the name
ldap_group_name = extensionAttribute12
ldap_group_gid_number = gidNumber
ldap_group_uuid = objectGUID
ldap_group_objectsid = objectSID
 
# ldap_group_nesting_level (integer)
#           If ldap_schema is set to a schema format that supports nested groups (e.g. RFC2307bis), then this option
#           controls how many levels of nesting SSSD will follow. This option has no effect on the RFC2307 schema.
#
#           Note: This option specifies the guaranteed level of nested groups to be processed for any lookup. However,
#           nested groups beyond this limit may be returned if previous lookups already resolved the deeper nesting
#           levels. Also, subsequent lookups for other groups may enlarge the result set for original lookup if
#           re-queried.
#
#           If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when
#           connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of
#           Token-Groups by setting ldap_use_tokengroups to false.
#
#           Default: 2
#
# ldap_group_nesting_level = 10
#        ldap_groups_use_matching_rule_in_chain
#           This option tells SSSD to take advantage of an Active Directory-specific feature which may speed up group
#           lookup operations on deployments with complex or deep nested groups.
#
#           In most common cases, it is best to leave this option disabled. It generally only provides a performance
#           increase on very complex nestings.
#
#           If this option is enabled, SSSD will use it if it detects that the server supports it during initial
#           connection. So "True" here essentially means "auto-detect".
#
#           Default: False
#ldap_groups_use_matching_rule_in_chain = True
#
# ldap_initgroups_use_matching_rule_in_chain = True
ldap_use_tokengroups = True
#         ldap_search_timeout (integer)
#           Specifies the timeout (in seconds) that ldap searches are allowed to run before they are cancelled and
#           cached results are returned (and offline mode is entered)
#
#           Note: this option is subject to change in future versions of the SSSD. It will likely be replaced at some
#           point by a series of timeouts for specific lookup types.
#
#           Default: 6
#
#       ldap_enumeration_search_timeout (integer)
#           Specifies the timeout (in seconds) that ldap searches for user and group enumerations are allowed to run
#           before they are cancelled and cached results are returned (and offline mode is entered)
#
#           Default: 60
#
#       ldap_network_timeout (integer)
#           Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in
#           case of no activity.
#
#           Default: 6

ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_id_use_start_tls = Tru
ldap_referrals = False
ldap_account_expire_policy = ad
ldap_access_order = expire
ldap_group_search_base = OU=,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree?
# NOTE:  this search base allows all campus created accounts access,  see the commented version below to add your own created accounts access as well
ldap_user_search_base = OU=People,DC=ad,DC=uillinois,DC=edu?subtree?

 
Any further questions can be directed to the AD team at adsupport@illinois.edu.


Keywords:
Active Directory AD Linux SSSD LDAP Kerberos TLS 
Doc ID:
82257
Owned by:
Identity and Access Management in University of Illinois Technology Services
Created:
2018-05-15
Updated:
2024-06-21
Sites:
University of Illinois Technology Services