
sssd and Samba Active Directory

Ever wondered how to join a Linux PC to your Active Directory (or even better to its Samba relative)? That’s exactly what this article is about.

But first, a few words about the components involved:

  • nss: the Name Service Switch, responsible for resolving users and groups
  • pam: Pluggable Authentication Modules, supporting the login and authentication process
  • sssd itself: connecting the first two components to Active Directory/Samba

As a first step we need to install the required packages:

linux # apt install sssd-ad sssd-tools libnss-sss libpam-sss

Next we configure sssd itself:

linux # vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = linux-ng.de
# Disable to prevent systemd startup error messages
#services = nss, pam

[pam]
debug_level = 3

[domain/linux-ng.de]
# Uncomment if you need offline logins
# cache_credentials = true

debug_level = 3

id_provider = ad
auth_provider = ad
access_provider = ad

# Uncomment if service discovery is not working
ad_server = srv2.linux-ng.de
ad_domain = linux-ng.de
dns_discovery_domain = linux-ng.de
dyndns_update = false

krb5_use_enterprise_principal = true
krb5_keytab = /etc/krb5.keytab

# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False
ldap_schema = AD

# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

# Comment out if you prefer to use shortnames.
use_fully_qualified_names = False

# Make sure to use certain site (autodetection fails for now: Samba 4.12.5 / sssd 2.2.3)
ad_site = Default-First-Site-Name

In order to connect to Active Directory/Samba, sssd needs a keytab (the file referenced by krb5_keytab above, /etc/krb5.keytab) belonging to an account with sufficient access rights to read data from the directory.

Then make sure nss is set up to consult the sss module:

linux # cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd:         files systemd
#group:          files systemd
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss

If everything went according to plan, you should now be able to look up your users from Active Directory:

linux # getent passwd marcel
marcel:*:1000:1001:Marcel:/home/marcel:/bin/bash
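As an added sanity check (a hypothetical helper script written for this article, not part of sssd or the original post), the following script verifies the pieces configured above: that sssd.conf and the keytab are not readable by group/others (sssd refuses to start otherwise, and the keytab holds the machine's Kerberos key), that the passwd, group and shadow databases in nsswitch.conf list sss, and that getent resolves the shortname user, marcel being the example from this page:

```shell
#!/bin/sh
# check_sssd_setup.sh: sanity checks for the setup above (hypothetical helper, not part of sssd).
# Run as root: sh check_sssd_setup.sh --run marcel

# Succeed if the nsswitch database $2 (passwd, group, ...) in file $1 lists the sss source.
nss_has_sss() {
    awk -v key="$2:" '$1 == key { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
                       END { exit !found }' "$1"
}

# Succeed if $1 exists and has no group/other permission bits (0600 or stricter).
# sssd refuses to start when sssd.conf is readable by others, and the keytab
# holds the machine account's Kerberos key, so both must stay private.
is_private_file() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeed if nss (and therefore sssd) can resolve the account $1.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Run all checks against the live system; return 1 if any of them fails.
run_checks() {
    rc=0
    for f in /etc/sssd/sssd.conf /etc/krb5.keytab; do
        if is_private_file "$f"; then echo "ok   $f is private"
        else echo "FAIL $f is missing or readable by group/others"; rc=1; fi
    done
    for db in passwd group shadow; do
        if nss_has_sss /etc/nsswitch.conf "$db"; then echo "ok   nsswitch $db uses sss"
        else echo "FAIL nsswitch $db does not list sss"; rc=1; fi
    done
    if user_resolves "$1"; then echo "ok   getent resolves $1"
    else echo "FAIL getent passwd $1 returned nothing (check the sssd logs, debug_level = 3)"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks "${2:-marcel}"
else
    echo "usage: $0 --run [username]" >&2
fi
```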
