RHEL 8 SSSD

2 minute read

Description:

Here are the steps I did recently to configure SSSD on a RHEL 8 box I deployed in Azure.

To Resolve:

  1. Join realm :

    1
2
3
4

    # Install key components required to make joining to the domain and access control work:
yum install realmd oddjob oddjob-mkhomedir sssd adcli -y
# Join to company domain:
realm join company.com -U myADAccount
    • Overwrite the /etc/sssd/sssd.conf file to include the following:
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

    [sssd]
domains = domain.com
config_file_version = 2
services = nss, pam
[domain/domain.com]
access_provider = simple
ad_domain = domain.com
auth_provider = ad
auto_private_groups = true
cache_credentials = True
case_sensitive = true
debug_level = 9
default_shell = /bin/bash
override_homedir = /home/%u
id_provider = ad
krb5_realm = domain.com
krb5_store_password_if_offline = True
ldap_id_mapping = False
ldap_use_tokengroups = False
realmd_tags = manages-system joined-with-samba
use_fully_qualified_names = False
    • Now continue: vi /etc/sssd/conf.d/default.conf
    1
2

    [domain/domain.com]
simple_allow_groups = thisRHEL8Server.domain.com Administrators
    • This file can include multiple groups as comma-separated values. The group(s) must exist in AD and have a GID assigned. Users within the group also require a GID and UID populated.
    • If the AD groups contains a space, enter the group as-is from AD.

  2. Create the group ‘thisRHEL8Server.domain.com Administrators’ in Active Directory and move the computer object from the previous step to the correct OU if you need to.

  3. Add to sudoers. Type visudo and scroll down to the %wheel line and insert the group from above:

    1
2
3

    ## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%thisRHEL8Server.domain.com\ Administrators      ALL=(ALL)       ALL
    • or
    1
2

    echo "%thisRHEL8Server.domain.com\ administrators  ALL=(ALL)  ALL" > /etc/sudoers.d/thisRHEL8Server
visudo -cf /etc/sudoers.d/thisRHEL8Server

  4. Clean up changes to SSSD and reboot

    1
2
3
4

    sss_cache -E
systemctl stop sssd
rm -rf /var/lib/sss/db/*
reboot

  5. In general, if you ever make changes to SSD, you need to run the following:

    1
2
3
4

    sss_cache -E
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd

  6. Troubleshooting topics:

    • In Active Directory, be sure to set gidnumber for the administrators group mentioned above.
    • If possible, remove nested groups. This hasn’t been tested well, but with many of our servers it is much easier to manage SSSD when the AD groups don’t have nested groups.
    • For each member in AD group, make sure they have a gidnumber and uidnumber AD attribute assigned and that they are DIFFERENT.
    • On server run: id aduser and getent group "ad-group-name" and evaluate their outputs to see if SSSD can see the groups.

Comments

You May Also Enjoy