The System Security Services Daemon (SSSD) is a system daemon that provides access to remote identity and authentication resources. It provides PAM and NSS modules which support Kerberos (GSSAPI) binds to LDAP servers. This makes the configuration of a Red Hat based system a matter of installing the sssd package and configuring it for the Stanford environment.
Since the attribute-mapping capabilities of SSSD are quite limited, the Posix attributes presented to the system via PAM/NSS through SSSD are generally immutable.
The following configuration steps assume that neither SSSD nor the supporting software has been installed on the Red Hat system.
Install Supporting Software
If the system already has Kerberos and OpenAFS installed this section can be skipped.
- Install Kerberos and some utilities.
yum install krb5-workstation kstart cyrus-sasl-gssapi
- Copy a Stanford krb5.conf file into place.
scp sunetid@cardinal.stanford.edu:/etc/krb5.conf /etc/krb5.conf
- Install wallet software. Wallet is used to download Kerberos keytabs. See the Wallet documentation for detailed information.
- Download the keytab for the system using wallet.
su - root
kinit your-sunetid
wallet get -f /etc/krb5.keytab keytab host/<hostname>
- Install the openafs-client package. This is required if the home directories are on AFS. OpenAFS is not strictly required: the homeDirectory values stored in the Stanford LDAP directory can be overridden using the PAM/NSS configuration.
yum install openafs-client
- Optionally install LDAP command line clients. Having these utilities available is advisable to debug problems.
yum install openldap-clients
Install and Configure SSSD
- Install sssd.
yum install sssd
- Create the file /etc/sssd/sssd.conf. The following is an example of a working sssd.conf configuration file.
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/LDAP]
#debug_level = 5
#ldap_purge_cache_timeout = 1
enumerate = false
id_provider = ldap
# ldap_uri = ldap://ldap.stanford.edu - only use this if your system cannot reach ldap-prod.stanford.edu:389
ldap_uri = ldap://ldap-prod.stanford.edu
ldap_search_base = cn=accounts,dc=stanford,dc=edu?sub?suPrivilegeGroup=stem:workgroup
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/<hostname>.stanford.edu@stanford.edu
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_group_search_base = cn=groups,dc=stanford,dc=edu?sub?objectClass=*
ldap_group_object_class = suPosixGroup
ldap_group_name = suGroupCN
ldap_group_number = gidNumber
ldap_group_member = memberUid
# Disable sudoer related queries
ldap_sudo_smart_refresh_interval = 0
auth_provider = krb5
krb5_server = 171.67.218.5,171.67.218.6,171.67.218.7
krb5_kpasswd = 171.67.218.5
krb5_realm = stanford.edu
cache_credentials = true
- Make sure the permissions on the sssd.conf file are correct. The file must be owned by root and readable only by root; sssd refuses to start if it is group- or world-readable.
chmod 0600 /etc/sssd/sssd.conf
- Update the /etc/nsswitch.conf file to retrieve Posix attributes from the LDAP server.
passwd: compat sss
group: compat sss
- Configure PAM to use sssd.
#
# /etc/pam.d/password-auth
#
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
#
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
#
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
- Restart the sssd daemon to pick up the configuration changes.
service sssd restart
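The steps above leave several files that are easy to get subtly wrong (a world-readable sssd.conf, a required key left commented out, an nsswitch.conf that never lists sss). The following script is an added example, not part of this page's original instructions or of the sssd project, that checks those points after the restart. It assumes the file paths used in the steps above and accepts a path argument per check so it can also be run against test copies; the sanity report is only run when the script is invoked with --run.

```shell
#!/bin/sh
# Post-configuration sanity checks for the SSSD setup described above.
# Example code added to this page; not Stanford's documentation or sssd's own
# tooling. Paths default to the ones used in the steps above; every check
# also accepts a path argument so it can be run against a constructed copy.

# sssd.conf names the keytab and the SASL identity, and sssd will not start
# unless the file is mode 0600, so require exactly "-rw-------". The same
# check applies to the keytab, which should be readable only by root.
check_conf_perms() {
    f=${1:-/etc/sssd/sssd.conf}
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Every key the LDAP domain above depends on must be present and uncommented;
# a line starting with "#" (such as the alternate ldap_uri) does not count.
check_sssd_conf_keys() {
    f=${1:-/etc/sssd/sssd.conf}
    [ -f "$f" ] || return 1
    for key in domains id_provider ldap_uri ldap_sasl_mech ldap_sasl_authid \
               ldap_krb5_keytab auth_provider krb5_server krb5_realm; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f" || {
            echo "sssd.conf: missing key '$key'" >&2
            return 1
        }
    done
}

# Both the passwd and group databases must list the sss source; otherwise
# lookups quietly fall back to local files and LDAP users never resolve.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    [ -f "$f" ] || return 1
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:" "$f" | grep -qw sss || {
            echo "nsswitch.conf: '$db' does not list sss" >&2
            return 1
        }
    done
}

# Run every check against the live system, print PASS/FAIL per check and
# return the number of failures. Optional argument: a SUNet ID to resolve
# through NSS once sssd is running (needs getent on the path).
sssd_sanity_report() {
    failures=0
    for check in "check_conf_perms /etc/sssd/sssd.conf" \
                 "check_conf_perms /etc/krb5.keytab" \
                 "check_sssd_conf_keys /etc/sssd/sssd.conf" \
                 "check_nsswitch /etc/nsswitch.conf"; do
        if $check; then
            echo "PASS: $check"
        else
            echo "FAIL: $check"
            failures=$((failures + 1))
        fi
    done
    if [ -n "$1" ] && command -v getent >/dev/null 2>&1; then
        if getent passwd "$1" >/dev/null; then
            echo "PASS: getent passwd $1"
        else
            echo "FAIL: getent passwd $1"
            failures=$((failures + 1))
        fi
    fi
    return $failures
}

# Usage: sh sssd-check.sh --run [sunetid]
case "${1:-}" in
    --run) sssd_sanity_report "${2:-}" ;;
esac
```

Run it as root after `service sssd restart`; a non-zero exit status is the number of failed checks, which makes it usable from a configuration-management post-run hook. The getent lookup is the only check that needs a running sssd; the file checks work even before the first start.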