10

I have successfully configured sssd and can ssh into a system with AD credentials. What I am missing is the creation of a home directory and bash set as the shell.

My assumption is that if I log on to a system that does not already have a local Linux account, but which does have a valid AD account, a home directory is created the first time that user logs in and the appropriate shell is set, as defined in /etc/sssd/sssd.conf:

override_homedir = /home/%u
default_shell = /bin/bash

I have also run

authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

What am I missing or am I making an incorrect assumption about my existing configuration?

I want to avoid using the deprecated Identity Management for Unix feature of Windows.

Belmin Fernandez
grahamjgreen
  • What operating system distribution and version? – ewwhite Mar 18 '15 at 04:06
  • I am using CentOS 6.6 and Windows Server 2008 R2 – grahamjgreen Mar 18 '15 at 04:29
  • To configure Identity Management systems, Red Hat recommends using the ipa-client-install utility or the **realmd** system instead of authconfig. The authconfig utilities are limited and substantially less flexible. For more information, see Section 2.1, “Identity Management Tools for System Authentication”. – junior ruby developer Nov 16 '20 at 12:18

4 Answers

6

This issue was solved by moving the entries

override_homedir = /home/%u
default_shell = /bin/bash

from the [sssd] section of sssd.conf to [domain/lab.local].

grahamjgreen
  • Ah, that's expected, then. We really should implement the config validator one of these days. The override_homedir and default_shell options are in effect only in the [nss] and [domain] sections, with domain taking precedence over nss options. – jhrozek Mar 24 '15 at 09:01
  • Can you check this as the accepted answer? The RHEL AD Integration Guide has the entries you mentioned in the wrong place and your answer solved my problem. Many thanks. – user2150250 Aug 23 '16 at 15:21
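The accepted answer and jhrozek's comment describe the rule the fix relies on: override_homedir and default_shell are read only from [nss] and [domain/...] sections, with the domain section winning. Below is an added example (my code, not part of the original thread and not SSSD's own validator) that parses a constructed sssd.conf, flags these options when they sit in a section where SSSD ignores them, and resolves the value a domain would actually get; the lab.local domain name is taken from the accepted answer.

```python
import configparser

# Options SSSD honours only in [nss] or a [domain/...] section; a [domain/...]
# value takes precedence over [nss]. Under [sssd] they silently do nothing,
# which is the misconfiguration in the question.
SECTION_SCOPED_OPTIONS = ("override_homedir", "default_shell")

# Constructed sample configs (not the asker's real files).
BROKEN_CONF = """
[sssd]
domains = lab.local
services = nss, pam
override_homedir = /home/%u
default_shell = /bin/bash

[domain/lab.local]
id_provider = ad
"""

FIXED_CONF = """
[sssd]
domains = lab.local
services = nss, pam

[domain/lab.local]
id_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps SSSD's %u / %d template characters intact;
    # the default BasicInterpolation would choke on "%u".
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def misplaced_options(cfg: configparser.ConfigParser) -> list[tuple[str, str]]:
    """(section, option) pairs where a scoped option sits in a section SSSD ignores it in."""
    bad = []
    for section in cfg.sections():
        if section == "nss" or section.startswith("domain/"):
            continue
        bad += [(section, o) for o in SECTION_SCOPED_OPTIONS if cfg.has_option(section, o)]
    return bad


def effective_value(cfg: configparser.ConfigParser, domain: str, option: str):
    """Resolve as SSSD does: [domain/<name>] first, then [nss], else None (unset)."""
    for section in (f"domain/{domain}", "nss"):
        if cfg.has_option(section, option):
            return cfg.get(section, option)
    return None
```

Running `misplaced_options` on BROKEN_CONF reports both options under [sssd], and `effective_value` for lab.local returns None there but "/bin/bash" and "/home/%u" for FIXED_CONF.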
2

There are two parts to the equation. One is in SSSD, and the Name Service Switch interface in particular. That part reports what the home directory is on the system, and you can test it with "getent passwd $username". As long as that command gives you accurate answers, then SSSD is working as it should.

The other part is actually creating the home directories. I would recommend using oddjob and pam_oddjob_mkhomedir there over the old pam_mkhomedir. In my experience, it plays better with SELinux.

Look into /var/log/secure for error messages from the PAM modules.

jhrozek
1

Please see this post first: Common wisdom about Active Directory authentication for Linux Servers?

For RHEL/CentOS 6.x systems, I do:

  • Authconfig with the right initial SSSD settings.
  • Modify sssd.conf to taste.
  • Modify and configure oddjobd.

For authconfig, something like:

authconfig --enablesssd --ldapserver=ldap://dc1.ad.blahblah.com --ldapbasedn="dc=ad,dc=blahblah,dc=com" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.ad.blahblah.com --krb5realm=AD.BLAHBLAH.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

  • My simple sssd.conf would look like this: http://pastebin.com/Aa2XsYhh - Restart the sssd service after modifying the configuration.

  • I then install oddjob-mkhomedir with: yum install oddjob-mkhomedir. You can tune home directory permissions to taste in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

  • Make sure the sssd and oddjob services are set to start on boot.

That should be all that's needed.

ewwhite
  • The config is OK-ish if for whatever reason you can't use GSSAPI, but it definitely should not be suggested as a default! The default configs these days should use GSSAPI for authentication, see the sssd upstream guide - https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server – jhrozek Mar 19 '15 at 14:27
0

It works for me on CentOS 7 when I log in via sshd. The place where the home directory gets created is the "session" management group that's part of PAM.

From the pam(8) manpage:

    session - this group of tasks cover things that should be done prior to a service being given and after it is
    withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory.
    The session management group is important as it provides both an opening and closing hook for modules to
    affect the services available to a user.

In /etc/pam.d/password-auth you will find this line: session optional pam_oddjob_mkhomedir.so umask=0077

which takes care of home directory creation.

Make sure you have installed and enabled the package oddjob-mkhomedir.

neuhaus