RHEL 8 SSSD

2 minute read

Description:

Here are the steps I did recently to configure SSSD on a RHEL 8 box I deployed in Azure.

To Resolve:

  1. Join realm :

    1
    2
    3
    4
    
    # Install key components required to make joining to the domain and access control work:
    yum install realmd oddjob oddjob-mkhomedir sssd adcli -y
    # Join to company domain:
    realm join company.com -U myADAccount
    
    • Overwrite the /etc/sssd/sssd.conf file to include the following:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    
    [sssd]
    domains = domain.com
    config_file_version = 2
    services = nss, pam
    [domain/domain.com]
    access_provider = simple
    ad_domain = domain.com
    auth_provider = ad
    auto_private_groups = true
    cache_credentials = True
    case_sensitive = true
    debug_level = 9
    default_shell = /bin/bash
    override_homedir = /home/%u
    id_provider = ad
    krb5_realm = domain.com
    krb5_store_password_if_offline = True
    ldap_id_mapping = False
    ldap_use_tokengroups = False
    realmd_tags = manages-system joined-with-samba
    use_fully_qualified_names = False
    
    • Now continue: vi /etc/sssd/conf.d/default.conf
    1
    2
    
    [domain/domain.com]
    simple_allow_groups = thisRHEL8Server.domain.com Administrators
    
    • This file can include multiple groups as comma-separated values. The group(s) must exist in AD and have a GID assigned. Users within the group also require a GID and UID populated.
    • If the AD groups contains a space, enter the group as-is from AD.
  2. Create the group ‘thisRHEL8Server.domain.com Administrators’ in Active Directory and move the computer object from the previous step to the correct OU if you need to.

  3. Add to sudoers. Type visudo and scroll down to the %wheel line and insert the group from above:

    1
    2
    3
    
    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    %thisRHEL8Server.domain.com\ Administrators      ALL=(ALL)       ALL
    
    • or
    1
    2
    
    echo "%thisRHEL8Server.domain.com\ administrators  ALL=(ALL)  ALL" > /etc/sudoers.d/thisRHEL8Server
    visudo -cf /etc/sudoers.d/thisRHEL8Server
    
  4. Clean up changes to SSSD and reboot

    1
    2
    3
    4
    
    sss_cache -E
    systemctl stop sssd
    rm -rf /var/lib/sss/db/*
    reboot
    
  5. In general, if you ever make changes to SSD, you need to run the following:

    1
    2
    3
    4
    
    sss_cache -E
    systemctl stop sssd
    rm -rf /var/lib/sss/db/*
    systemctl start sssd
    
  6. Troubleshooting topics:

    • In Active Directory, be sure to set gidnumber for the administrators group mentioned above.
    • If possible, remove nested groups. This hasn’t been tested well, but with many of our servers it is much easier to manage SSSD when the AD groups don’t have nested groups.
    • For each member in AD group, make sure they have a gidnumber and uidnumber AD attribute assigned and that they are DIFFERENT.
    • On server run: id aduser and getent group "ad-group-name" and evaluate their outputs to see if SSSD can see the groups.

Comments