I've installed an MIT KDC instance backed by an OpenLDAP instance, all running on RHEL 7. I want to configure SSSD to pull users and groups from this combination, but I'm running into a lot of issues, since most documentation assumes AD.
The issue I'm stuck on right now is that SSSD, from the logs, appears to need some sort of numeric ID for each user, which it uses to create a UID locally. Problem is, the KDC doesn't appear to be storing that in LDAP at all. I'm also noticing that the KDC is only storing the full principal (user@DOMAIN.COM), which means when I try to log in as just the user name, I don't have any field to point SSSD at.
Is there any way to get the KDC to store more information in LDAP, or a way to get SSSD to work with what we've got?
Also, any documentation on making a connection like this would be much appreciated.
SSSD Config:
[sssd]
services = nss, pam
domains = DOMAIN.COM
debug_level = 10
[nss]
debug_level = 10
[pam]
debug_level = 10
[domain/DOMAIN.COM]
debug_level = 10
id_provider = ldap
auth_provider = krb5
access_provider = ldap
chpass_provider = krb5
dyndns_update = False
realmd_tags = manages-system joined-with-samba
cache_credentials = False
enumerate = False
entry_cache_timeout = 86400
min_id = 1000000
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
#LDAP Configuration
ldap_uri = ldap://ldapserver:389
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = dc=domain,dc=com
ldap_group_search_base = dc=domain,dc=com
ldap_id_mapping = True
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
ldap_idmap_default_domain = <DOMAIN>
ldap_access_filter = &(objectClass=krbPrincipal)
ldap_user_object_class = krbPrincipal
ldap_user_name = krbPrincipalName
ldap_user_principal = krbPrincipalName
ldap_user_fullname = krbPrincipalName
ldap_user_uid_number = krbPrincipalName
ldap_user_objectsid = krbPrincipalName
#KRB5 Configuration
krb5_server = kdc_server
krb5_realm = DOMAIN.COM
Sample Entry:
dn: krbPrincipalName=test-user2@DOMAIN.COM,cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com
ufn: test-user2@DOMAIN.COM, DOMAIN.COM, kerberos, DOMAIN.com
krbLoginFailedCount: 0
krbPrincipalName: test-user2@DOMAIN.COM
krbPrincipalKey:: ...
krbLastPwdChange: 20190524234020Z
krbExtraData:: ...
krbExtraData:: ...
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
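The usual way to make this combination work, shown here as an added example that is not part of the original post: give each user an ordinary posixAccount entry (so uidNumber, gidNumber, homeDirectory and loginShell exist for SSSD's ldap id provider), and have the KDC attach its krbPrincipalAux attributes to that same entry with kadmin's `-x dn=` option instead of creating a separate krbPrincipal object under cn=DOMAIN.COM,cn=kerberos. SSSD then maps the POSIX attributes directly and id mapping (which needs an AD-style objectSID) is switched off. The names ou=people, ou=groups, cn=admin, ldapserver and kdc_server are assumed placeholders; the LDAP bind DN for the KDC and the realm name are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: base dc=domain,dc=com,
# realm DOMAIN.COM, a running MIT KDC with the LDAP backend, and ldapadd,
# kadmin.local and kdb5_ldap_util available on this host (all placeholders).
set -eu

BASE_DN="${BASE_DN:-dc=domain,dc=com}"
REALM="${REALM:-DOMAIN.COM}"
PEOPLE_OU="ou=people,${BASE_DN}"
GROUPS_OU="ou=groups,${BASE_DN}"
LDAP_URI="${LDAP_URI:-ldap://ldapserver:389}"
ADMIN_DN="${ADMIN_DN:-cn=admin,${BASE_DN}}"

# LDIF for one POSIX user. uidNumber/gidNumber are what SSSD's ldap id
# provider really needs; krbPrincipalName is not a numeric ID.
user_ldif() {  # user_ldif <uid> <uidNumber> <gidNumber>
  cat <<EOF
dn: uid=$1,${PEOPLE_OU}
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $1
cn: $1
sn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
EOF
}

# sssd.conf [domain/...] section that maps POSIX attributes instead of
# trying to derive IDs from krbPrincipalName.
sssd_domain() {
  cat <<EOF
[domain/${REALM}]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ${LDAP_URI}
ldap_search_base = ${BASE_DN}
ldap_user_search_base = ${PEOPLE_OU}
ldap_group_search_base = ${GROUPS_OU}
# No SID-based id mapping: that is an Active Directory feature.
ldap_id_mapping = False
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_principal = krbPrincipalName
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_member = memberUid
# Only entries that carry a Kerberos principal are allowed to log in.
ldap_access_filter = (objectClass=krbPrincipalAux)
krb5_server = kdc_server
krb5_realm = ${REALM}
EOF
}

# One-time: tell the KDC to look for principals under ou=people as well as
# its own realm container, otherwise attached principals are not found.
configure_realm_subtree() {
  kdb5_ldap_util -D "${ADMIN_DN}" -H "${LDAP_URI}" modify -r "${REALM}" \
    -subtrees "${PEOPLE_OU}" -sscope SUB
}

# Create the POSIX entry, then attach the principal to that same DN.
# addprinc prompts for the password interactively (avoid -pw on the command line).
add_user() {  # add_user <uid> <uidNumber> <gidNumber>
  user_ldif "$1" "$2" "$3" | ldapadd -x -H "${LDAP_URI}" -D "${ADMIN_DN}" -W
  kadmin.local -q "addprinc -x dn=uid=$1,${PEOPLE_OU} $1"
}

case "${1:-}" in
  subtree) configure_realm_subtree ;;
  add)     add_user "$2" "$3" "$4" ;;
  conf)    sssd_domain ;;
esac
```

Run `sh thisscript.sh subtree` once, `sh thisscript.sh add alice 10001 10001` per user, and paste the output of `sh thisscript.sh conf` into /etc/sssd/sssd.conf in place of the existing domain section. Two caveats: the DN given to `-x dn=` must already exist and the KDC's bind identity needs write access to it, and the identity SSSD binds as must not be able to read krbPrincipalKey or krbExtraData, so keep an OpenLDAP ACL along the lines of `access to attrs=krbPrincipalKey,krbExtraData by dn.exact="<kdc bind dn>" write by * none` (DN assumed) ahead of any broader read rule. Also note that `use_fully_qualified_names = True` in the posted config makes SSSD expect logins as `user@DOMAIN.COM` regardless of how the entry is stored; set it to False if plain user names are the goal.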