
Connect Linux to AD


InternalsDocs – SSSD

SSSD Internals (October, 2013). Author: Yassir Elley. The purpose of this document is to give a basic description of the internals of the SSSD implementation.


The material in this document is accurate as of SSSD 1.10. It is assumed that the reader is already familiar with the external usage of SSSD. The intended audience of this document is new contributors to the SSSD project. This document is not intended to be comprehensive. In order to better understand the material and make things more concrete, this document starts by describing a specific use case (and configuration) that will be discussed throughout the document.

From an SSSD perspective, there are two main Active Directory (AD) use cases, depending on whether we are directly integrated with AD, or whether we are indirectly integrated with AD through IPA. SSSD consumes DNS, LDAP, and Kerberos services in order to resolve server names, perform identity lookups, and perform security-related tasks.

Integrating RHEL with Active Directory - Just Another Linux Blog

I had a request on Reddit to share a document I wrote about connecting Red Hat Enterprise Linux with Active Directory.


The original document I wrote is confidential, but I said I would write it up. This works for both Server 2008 (R2) and 2012. If I recall correctly, it will also work with 2003, but may need minor terminology changes on the Windows side. From the Linux side, it should be fine with RHEL 6 and similar (CentOS and Scientific Linux). It should also apply to Fedora, but your mileage may vary. So without further ado, let's dive in. Integration with AD requires the installation of a few services in Red Hat, along with some minor modifications on the Windows Domain Controllers.

Configuring sssd to authenticate with a Windows 2008 Domain Server – SSSD

Synopsis: This describes how to configure SSSD to authenticate with a Windows 2008 Domain Server.


This guide is a work in progress.

Windows 2008 Server Setup

The domain to be configured is ad.example.com using realm AD.EXAMPLE.COM, the Windows server is server.ad.example.com, and the client host where SSSD is running is client.ad.example.com. Reboot Windows during installation and setup when prompted and complete the needed steps as Administrator.

Operating System Installation

Boot from the Windows 2008 Server DVD. Install Windows 2008 Server using the hostname server.ad.example.com. Make sure server.ad.example.com is in DNS.

Domain Configuration

Enabling LDAP Searches

In order to allow SSSD to do LDAP searches for user information in AD, SSSD must be configured to bind with SASL/GSSAPI or with a DN and password.

Using SASL/GSSAPI Binds for LDAP Searches

Create the service keytab for the host running SSSD on AD.

Creating Service Keytab with Samba

/etc/samba/smb.conf

Authenticate and Integrate Linux with Active Directory

Interop: Authenticate Linux Clients with Active Directory. Gil Kirkpatrick. At a Glance: How authentication works in Windows and Linux; Using Samba and Winbind; Implementation strategies; Walking through the Linux-to-Active Directory integration.
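The SSSD wiki section above stops at the smb.conf heading without its contents. As an added example (not the SSSD project's own configuration), the following script puts together the pieces that section describes for the page's ad.example.com domain: a minimal smb.conf for net ads join, an sssd.conf that binds to AD with SASL/GSSAPI through the host keytab instead of a stored DN and password, and a check that the generated file carries no bind password and has the 0600 mode SSSD requires. The search base, the keytab path, ldap_id_mapping and the output path are assumptions. The --join step is not run by default because it needs a reachable DC and Administrator credentials.

```shell
#!/bin/sh
# Added example, not from the SSSD wiki: build and sanity-check an sssd.conf
# for ad.example.com / AD.EXAMPLE.COM (DC server.ad.example.com, client
# client.ad.example.com) that binds to AD with SASL/GSSAPI via the host
# keytab created through Samba. Assumed: keytab /etc/krb5.keytab, search base
# dc=ad,dc=example,dc=com, output /tmp/sssd.conf.example unless SSSD_CONF is set.
set -eu

REALM=AD.EXAMPLE.COM
DOMAIN=ad.example.com
DC=server.ad.example.com
CLIENT=client.ad.example.com
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Samba settings needed for "net ads join". "kerberos method = secrets and
# keytab" makes net(8) store host/ keys in the system keytab as well as in
# secrets.tdb, so SSSD can use them for its bind.
smb_conf() {
    cat <<EOF
[global]
workgroup = AD
realm = $REALM
security = ads
kerberos method = secrets and keytab
EOF
}

# sssd.conf using a GSSAPI bind: no ldap_default_bind_dn and no
# ldap_default_authtok, so no AD password is ever stored on the client.
sssd_conf_gssapi() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $DOMAIN

[domain/$DOMAIN]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://$DC
ldap_schema = ad
ldap_search_base = dc=ad,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$CLIENT@$REALM
ldap_krb5_keytab = $KEYTAB
ldap_krb5_init_creds = true
ldap_referrals = false
# assumed: users carry no uidNumber/gidNumber, so derive POSIX ids from SIDs
ldap_id_mapping = true
krb5_realm = $REALM
krb5_server = $DC
cache_credentials = true
EOF
}

# Write the config with the permissions SSSD insists on (0600, root-owned);
# sssd refuses to start when sssd.conf is readable by other users.
write_sssd_conf() {
    ( umask 077; sssd_conf_gssapi > "$1" )
    chmod 600 "$1"
}

# Return 0 when the file uses a keytab-backed GSSAPI bind, stores no bind
# password and is mode 600; otherwise print the failing check and return 1.
check_sssd_conf() {
    grep -q '^ldap_sasl_mech = GSSAPI' "$1" || { echo "no GSSAPI bind"; return 1; }
    grep -q '^ldap_krb5_keytab = ' "$1"     || { echo "no keytab path"; return 1; }
    ! grep -q '^ldap_default_authtok' "$1"  || { echo "bind password stored in config"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ]                       || { echo "mode is $mode, want 600"; return 1; }
    return 0
}

# One-time join, run as root on the client after smb_conf is installed.
# Not run by default: it needs a DC and Administrator credentials.
join_domain() {
    net ads join -U Administrator      # creates the computer account
    net ads keytab create              # writes host/ keys into $KEYTAB
    kinit -k "host/$CLIENT@$REALM"     # proves the keytab actually works
    klist -k "$KEYTAB"
}

case ${1:-} in
--join) join_domain ;;
*)      out=${SSSD_CONF:-/tmp/sssd.conf.example}
        write_sssd_conf "$out"
        check_sssd_conf "$out" && echo "wrote $out (GSSAPI bind, mode 600)" ;;
esac
```

Copy the smb_conf output to /etc/samba/smb.conf, run the script as root with --join, then install the generated file as /etc/sssd/sssd.conf. The DN/password alternative the wiki mentions would instead set ldap_default_bind_dn and ldap_default_authtok, which leaves an AD account password in a file on every client; the keytab bind avoids that, and check_sssd_conf flags a config that reintroduces it.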


I'm a Windows guy, and I've certainly poked fun at my Linux-oriented colleagues, but we all have the same goal of providing high-quality and cost-effective IT services to the organization.

Windows Authentication

Windows has shipped with an integrated network authentication and single sign-on system for quite some time now. Starting with Windows 2000, Microsoft moved from NTLM to Active Directory and its integrated Kerberos authentication services.

Linux Authentication

Originally, Linux (and the GNU tools and libraries that run on it) was not built with a single authentication mechanism in mind. The resulting plethora of authentication mechanisms was unmanageable.

Configuring your Linux box to be a full AD member

These instructions assume a good understanding of unix system administration.


Read through them first and make sure that you understand the implications of all the parts before you begin, particularly from a system security point of view. The examples given here have been tested on Fedora 15 and Ubuntu 12.04 Linux systems. Prior to Fedora 15, the SSSD service did not fully support Active Directory integration. Other distributions have not been tested with this configuration (please let me know if you do such a test, whether you succeed or not).

If your favorite Linux distribution includes a recent version of SSSD, these instructions may also work for you (please let me know if they do). There are some older instructions that work in a slightly different way, and were tested on previous versions of Fedora and Ubuntu Linux. There are some even older instructions that work in another different way, that might also be of interest.

The remaining sections of that guide cover: Aims; Additional package: msktutil; Fedora; Ubuntu; and System Time. (Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the allowed skew, five minutes by default, so time synchronization with the domain controllers is a prerequisite for the join and for every later authentication.)

An Active Directory Keytab Manager