ID #1158

How do I integrate Bright with AD using SSSD's LDAP provider and simple bind?

How do I integrate a Bright cluster into an Active Directory domain with SSSD's LDAP provider?

SSSD (System Security Services Daemon) provides identity lookup and authentication against remote identity providers, with local caching of user information and, optionally, of credentials, for a variety of services. This article describes how an administrator can integrate a Bright cluster into a single AD domain with SSSD. For multiple AD domains, the addendum in "How do I authenticate against multiple AD servers using SSSD capabilities?" (http://kb.brightcomputing.com/faq/index.php?action=artikel&id=223) should be followed after this article.

 

Only login access is covered: user and group information is looked up in AD through SSSD's LDAP provider, and user passwords are verified through SSSD's Kerberos provider against the AD domain controller.

 

Notes

1. The following steps were tested on RHEL6 and RHEL7. For RHEL5, minor modifications are required.

2. Joining an AD domain is much simpler in RHEL7, where it takes two commands:

$ realm discover --verbose domain.example.com
 * Resolving: _ldap._tcp.dc._msdcs.domain.example.com
 * Sending MS-CLDAP ping to: 192.168.20.10
 * Sending MS-CLDAP ping to: 192.168.12.12
 * Successfully discovered: domain.example.com
...
$ realm join --client-software=sssd domain.example.com

realm join performs a full domain join (it creates the computer account and a host keytab) and sets SSSD up with its AD provider. The rest of this article instead configures SSSD's LDAP provider with a simple bind, which also works on RHEL6 and does not require joining the host.
 

 

Head Node(s) Configurations

To save the old configuration,  back up /etc/krb5.conf, /etc/sssd/sssd.conf, /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/nsswitch.conf before going ahead with the changes.

 

Update Authentication Method

The authentication method should be updated so that the SSSD PAM module (pam_sss) is consulted alongside the PAM UNIX module, and so that name-service lookups go to SSSD. On RHEL-based distributions the authconfig tool should be used for this rather than editing the files by hand. If authconfig is unavailable, /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/nsswitch.conf should be edited manually.

 

1. Using the authconfig tool:

# authconfig --enablemkhomedir --enablesssd --enablesssdauth --updateall

 

Notes:

For RHEL7, the following packages must be installed first, otherwise authconfig reports errors:

# yum install sssd-ldap sssd-krb5 krb5-workstation sssd-client sssd-tools sssd-common


2. Modifying files manually:

 

/etc/pam.d/password-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

 

/etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

/etc/nsswitch.conf

passwd: files sss
shadow: files sss
group: files sss

 

For RHEL7 with Bright 7.3, the files will look like the following:

# cat /etc/pam.d/password-auth
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so

 

# cat /etc/pam.d/system-auth
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so

 

Notes

1. The authconfig command also modifies /etc/nsswitch.conf so that user information is retrieved from the AD domain.

2. In RHEL5, /etc/pam.d/password-auth can be skipped, as it just inherits from /etc/pam.d/system-auth, and it is also named passwd.

3. In RHEL5, the openldap24-libs package may need to be installed, as the authconfig tool may complain about missing libraries.

4. In RHEL5, --enablesssdauth should be replaced with --enablesssd so that nsswitch.conf is updated to use SSSD.

5. The option --enablemkhomedir adds pam_mkhomedir.so or pam_oddjob_mkhomedir.so to system-auth, which creates a user's home directory, if it does not exist, when the session begins. The umask=0077 shown in the RHEL7 stack keeps the newly created home directory private to its owner.

6. The md5 password hashing in the RHEL6 stack above is what older authconfig runs produced; passing --passalgo=sha512 to authconfig selects SHA-512 crypt, which is what the RHEL7 stack uses.

7. The nscd service should be disabled when the sssd service is enabled: both cache name-service lookups, and the two caches can disagree.

 

Update SSSD Configurations

The following sssd.conf has the minimum configuration parameters needed to query the AD. Other configuration parameters can be added as needed according to the AD setup and the requirements of the environment. If sssd.conf is recreated, its permissions must be set to 0600 and it must be owned by root (chmod 0600 /etc/sssd/sssd.conf), otherwise the sssd service refuses to start. That check matters here because the file contains the cleartext password of the bind account (ldap_default_authtok).

 

/etc/sssd/sssd.conf

[sssd]
domains = BCM.LOCAL
services = nss, pam
config_file_version = 2
#sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/BCM.LOCAL]
# id_provider is mandatory; sssd will not start if it is missing or commented out
id_provider = ldap

# how to find the AD server. With a simple bind, ldap:// sends the bind
# password below in cleartext; prefer ldaps://, or ldap_id_use_start_tls = true
# together with ldap_tls_reqcert = demand and ldap_tls_cacert pointing at the AD CA
ldap_uri = ldap://win2008.bcm.local
access_provider = ldap

# Cache credentials locally so that users can still log in while the AD is unreachable
cache_credentials = true

# LDAP search base
ldap_search_base = dc=bcm,dc=local

# allow access only to accounts that pass the filter and are not expired in AD
ldap_access_order = filter, expire
ldap_account_expire_policy = ad

# a plain memberOf= filter matches direct members only; nested group membership
# needs the AD matching rule memberOf:1.2.840.113556.1.4.1941:=<group dn>
ldap_access_filter = memberOf=cn=brightusers,cn=Users,dc=bcm,dc=local

# Account used to read from AD with a simple bind. Any account that can read the
# user and group objects works (read-only access is enough); a dedicated service
# account is preferable to Administrator. AD accepts the account name, the UPN
# (user@bcm.local) or the full DN here. Update as necessary.
# ldap_default_bind_dn = cn=Administrator,cn=Users,dc=bcm,dc=local
ldap_default_bind_dn = Administrator

# Leave this as password
ldap_default_authtok_type = password

# The bind account's actual password, stored in cleartext; update as necessary
ldap_default_authtok = Ch@ngeMe

# to get user information (UID/GID) from the active directory
#ldap_user_object_class = user
#ldap_user_home_directory = unixHomeDirectory
#ldap_group_object_class = group
#ldap_force_upper_case_realm = True
ldap_schema = ad

# allow getent to list all AD users and groups (expensive on large domains)
enumerate = true

# kerberos config: user passwords are verified against the AD KDC
auth_provider = krb5
krb5_server = win2008.bcm.local
krb5_realm = BCM.LOCAL

Notes:

1. BCM.LOCAL is the AD domain name (and the Kerberos realm).

2. win2008.bcm.local is the fully qualified name of the machine that hosts the AD domain (the domain controller).

3. The sssd configuration can be checked by hand. The query below first needs a Kerberos ticket (kinit Administrator) and uses the GSSAPI SASL mechanism, so it verifies that the KDC and the directory are reachable and that the search base is right, but not the simple bind that sssd.conf configures. To reproduce the simple bind exactly as SSSD performs it, run ldapsearch with -x and the same bind account and password (-D and -W) instead of -Y GSSAPI. If the query fails or its result is not "Success", the authentication information or the bind information needs to be corrected. An example of an LDAP query is:

# ldapsearch -H ldap://win2008.bcm.local -Y GSSAPI -N -b "cn=Administrator,cn=Users,dc=bcm,dc=local"

4. Setting "debug_level = 9" in sssd.conf gives more debug information that helps in identifying problems. Unset it afterwards, or the logs grow unnecessarily large; at that level the logs also contain the user and group data fetched from the directory, so treat them as sensitive.

5. sssd log files can be found under /var/log/sssd/

6. In RHEL5, the sssd package may not be installed by default, so it should be installed first.
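As an added check, not part of the original article or of Bright's tooling, the Python script below parses an sssd.conf of the shape shown above (the article's own domain section, embedded as a constructed sample with the comments dropped) and reports the settings a security review of this setup would flag, then runs the same audit over a hardened variant of the domain. The service account name svc-sssd-ro@bcm.local and the CA bundle path /etc/openldap/certs/ad-ca.pem in the hardened variant are placeholders.

```python
"""Audit the security-relevant settings of an SSSD LDAP-provider domain."""
import configparser
import io

# Constructed sample: the sssd.conf from this article, comments dropped.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = BCM.LOCAL
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/BCM.LOCAL]
id_provider = ldap
ldap_uri = ldap://win2008.bcm.local
access_provider = ldap
cache_credentials = true
ldap_search_base = dc=bcm,dc=local
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=cn=brightusers,cn=Users,dc=bcm,dc=local
ldap_default_bind_dn = Administrator
ldap_default_authtok_type = password
ldap_default_authtok = Ch@ngeMe
ldap_schema = ad
enumerate = true
auth_provider = krb5
krb5_server = win2008.bcm.local
krb5_realm = BCM.LOCAL
"""

# The same domain with the weak settings corrected. The service account and the
# CA bundle path are placeholders for this example.
HARDENED_SSSD_CONF = (
    SAMPLE_SSSD_CONF
    .replace("ldap_uri = ldap://win2008.bcm.local",
             "ldap_uri = ldaps://win2008.bcm.local\n"
             "ldap_tls_reqcert = demand\n"
             "ldap_tls_cacert = /etc/openldap/certs/ad-ca.pem")
    .replace("ldap_default_bind_dn = Administrator",
             "ldap_default_bind_dn = svc-sssd-ro@bcm.local")
    .replace("memberOf=cn=brightusers", "memberOf:1.2.840.113556.1.4.1941:=cn=brightusers")
    .replace("enumerate = true", "enumerate = false")
    + "krb5_validate = true\n"
)

NESTED_GROUP_RULE = ":1.2.840.113556.1.4.1941:="  # AD's LDAP_MATCHING_RULE_IN_CHAIN


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def is_true(value):
    return value is not None and value.strip().lower() in ("true", "yes", "1")


def audit_domain(section):
    """Return (severity, option, message) findings for one [domain/...] section."""
    findings = []
    get = section.get
    uris = [u.strip() for u in get("ldap_uri", "").split(",") if u.strip()]
    plain = [u for u in uris if u.startswith("ldap://")]
    # Without a SASL mechanism sssd does a simple bind and sends the authtok as-is.
    simple_bind = get("ldap_sasl_mech") is None and get("ldap_default_authtok") is not None
    if plain and simple_bind and not is_true(get("ldap_id_use_start_tls")):
        findings.append(("HIGH", "ldap_uri",
                         "simple bind over %s sends the bind password in cleartext; use ldaps:// "
                         "or ldap_id_use_start_tls = true with ldap_tls_reqcert = demand"
                         % ", ".join(plain)))
    if get("ldap_default_authtok") is not None:
        findings.append(("MEDIUM", "ldap_default_authtok",
                         "bind password is stored in sssd.conf; the file must be root-owned, mode 0600"))
    bind_dn = (get("ldap_default_bind_dn") or "").lower()
    if bind_dn == "administrator" or bind_dn.startswith(("cn=administrator,", "administrator@")):
        findings.append(("MEDIUM", "ldap_default_bind_dn",
                         "directory lookups bind as Administrator; use a dedicated read-only service account"))
    if get("auth_provider") == "krb5" and not is_true(get("krb5_validate")):
        findings.append(("MEDIUM", "krb5_validate",
                         "TGTs are not validated against a host keytab, so a spoofed KDC could "
                         "accept any password; join the host and set krb5_validate = true"))
    acl = get("ldap_access_filter", "")
    if "memberof" in acl.lower() and NESTED_GROUP_RULE not in acl:
        findings.append(("INFO", "ldap_access_filter",
                         "memberOf matches direct members only; nested groups need memberOf%s<group dn>"
                         % NESTED_GROUP_RULE))
    if is_true(get("enumerate")):
        findings.append(("INFO", "enumerate",
                         "enumeration walks the whole directory on every refresh; disable it unless "
                         "listing all AD users with getent is really needed"))
    return findings


def audit(text):
    """Audit every [domain/...] section; returns {section name: findings}."""
    cp = parse_sssd_conf(text)
    return {name: audit_domain(cp[name]) for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for label, text in (("as shown in the article", SAMPLE_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print("==", label)
        for name, findings in audit(text).items():
            for severity, option, message in findings:
                print("%-6s %-22s %s" % (severity, option, message))
```

Run it against a real file with audit(open("/etc/sssd/sssd.conf").read()); the HIGH finding disappears as soon as the directory connection is encrypted, and the remaining MEDIUM on ldap_default_authtok is the reason the 0600 mode is enforced.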


Update Kerberos Configurations

The following krb5.conf has the minimum configuration needed for SSSD's Kerberos auth provider to reach the AD KDC for the realm. The Bright head node should be added to the list of Computers in the AD domain, and the users and groups should be properly configured in the AD domain. Note that this procedure does not perform a domain join, so the head node has no host keytab: SSSD therefore cannot validate the TGT it obtains at login against a host key (the krb5_validate option), which is the check that defends against a spoofed KDC. A proper join (realm join or adcli, which also create the computer account) together with krb5_validate = true closes that gap.


/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = BCM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
BCM.LOCAL = {
kdc = win2008.bcm.local
admin_server = win2008.bcm.local
}

[domain_realm]
.bcm.local = BCM.LOCAL
bcm.local = BCM.LOCAL


Update /etc/hosts if Necessary

Add an entry for the AD domain outside the autogenerated section in /etc/hosts if the AD domain can't be resolved via the currently used DNS:


/etc/hosts

# This section of this file was automatically generated by cmd. Do not edit manually!
# BEGIN AUTOGENERATED SECTION -- DO NOT REMOVE
[...]
# END AUTOGENERATED SECTION   -- DO NOT REMOVE
10.2.184.194            win2008.bcm.local win2008

 

Enable user portal to Retrieve Information From AD

Edit /etc/pam.d/php and change the contents

from

auth sufficient pam_ldap.so

account sufficient pam_ldap.so

to

auth sufficient pam_sss.so

account sufficient pam_sss.so


Add a Computer to an AD domain

1. Click on Start → Administrative Tools → Active Directory Users and Computers

2. Right click on Computers under the AD domain tree → New → Computer

3. Fill in the Computer name with the Bright head node hostname and click “OK”

4. Double click on the newly created Computer, switch to UNIX Attributes tab, choose the correct NIS Domain and the IP address of the Computer.


Add a Group to an AD domain

1. Click on Start → Administrative Tools → Active Directory Users and Computers

2. Right click on Users under the AD domain tree → New → Group

3. Fill in the Group name and click “OK”

4. Double click on the newly created Group, switch to UNIX Attributes tab, choose the correct NIS Domain.


Add a User to an AD domain

1. Click on Start → Administrative Tools → Active Directory Users and Computers

2. Right click on Users under the AD domain tree → New → User

3. Fill in the details of the User and click “OK”

4. Double click on the newly created User, switch to UNIX Attributes tab, choose the correct NIS Domain, login shell, and the primary group.


Allow Compute Nodes to Query the AD domain

1. Copy the following configuration files from the head node into the software image, preserving ownership and mode (sssd.conf carries the bind password and must stay root-owned with mode 0600):

a. /etc/sssd/sssd.conf

b. /etc/krb5.conf

c. /etc/pam.d/system-auth

d. /etc/pam.d/password-auth

e. /etc/nsswitch.conf


2. Add the node to the AD domain as a computer (this step should be done for all nodes).

3. Reboot the compute nodes to be provisioned with the modified image.


OR


1. Copy sssd.conf and krb5.conf from the head node to one of the compute nodes.

2. Configure PAM and nsswitch.conf manually or with the authconfig tool, as described earlier.

3. Add the node to the AD domain as a computer (this step should be done for all nodes).

4. Grab the image from the configured node into the software image stored by CMDaemon:

# cmsh
% device use node001
% grabimage -w

5. Reboot the other nodes so that they are provisioned with the modified image.

 

Creation Of Custom Certificates With Profiles, For Users Managed By An External LDAP

Generating a certificate for an external LDAP user must be done explicitly in Bright Cluster Manager. The script external-user-cert.py does this, embedding the user and profile in the certificate during the process. Please refer to the Administrator Manual on how to use external-user-cert.py.

 

 

Troubleshooting

 

1. User mapping doesn't work

  • Make sure that Identity Management for UNIX (IMU) is installed. IMU is an additional role service that lets RHEL systems integrate with AD, and it is standard on Windows Server 2008 R2. The IMU service can be added by opening Server Manager, choosing Roles --> Active Directory Domain Services, clicking Add Role Services, checking IMU and following the on-screen steps.
  • To enable IMU on Windows Server 2012 R2, run "Dism.exe /online /enable-feature /featurename:adminui /all" from Windows PowerShell.
  • Without IMU, that is without the POSIX attributes on the AD user and group objects, SSSD as configured here cannot retrieve users from the Active Directory. The alternative is to let SSSD derive UIDs and GIDs from the objects' SIDs by setting ldap_id_mapping = true in the domain section; that needs no UNIX attributes in AD, but the numeric IDs it produces differ from any set through IMU.

 

2. I can't find the AD users on the cluster

a. Make sure that the bind account and password set in sssd.conf (ldap_default_bind_dn and ldap_default_authtok) are valid. If AD rejects the simple bind, a message similar to the following appears in /var/log/sssd/sssd_<DOMAIN>.log. The AD data code after "AcceptSecurityContext error" says why: 52e is a wrong password, 525 an unknown account, 533 a disabled account and 775 a locked-out account. After such a failure sssd marks the server as not working and the domain stays offline until the next retry.

 

(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_send] (0x0100): Executing simple bind as: Administrator
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_op_add] (0x2000): New operation 2 timeout 6
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: sh[0x5555557b3a30], connected[1], ops[0x5555557b8020], ldap[0x55555578b780]
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: sh[0x5555557b3a30], connected[1], ops[0x5555557b8020], ldap[0x55555578b780]
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_done] (0x1000): Server returned no controls.
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [sdap_op_destructor] (0x2000): Operation 2 finished
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2023
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'win2012.bcm.local' as 'not working'
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'win2012.bcm.local' as 'not working'

 

b. Make sure that the IMU attributes are set, namely uid, uidNumber, gidNumber, unixHomeDirectory and loginShell. The user search filter that SSSD builds with ldap_schema = ad requires uid and a non-zero uidNumber on the object, so an account without them simply does not match. If those attributes are not set, an error message similar to the following appears in /var/log/sssd/sssd_<DOMAIN>.log

(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=adel)(objectclass=user)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=Users,dc=bcm,dc=local].
[...]
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_op_add] (0x2000): New operation 3 timeout 6
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do.
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: sh[0x5555557c16f0], connected[1], ops[0x5555557cd1c0], ldap[0x5555557ba900]
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_result] (0x2000): Trace: sh[0x5555557c16f0], connected[1], ops[0x5555557cd1c0], ldap[0x5555557ba900]
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[...]
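As an added example, not from the article and not part of SSSD, the script below scans sssd_<DOMAIN>.log text for the two failure patterns discussed in this section, a rejected simple bind and an empty user search, and translates the AD data code in the bind error into its meaning. The log lines embedded in it are a constructed sample modelled on the excerpts above, not a real capture.

```python
"""Triage LDAP-provider failures in /var/log/sssd/sssd_<DOMAIN>.log."""
import re

# Constructed sample modelled on the two failures shown in this article; not a
# real capture. Lines are unwrapped, as they are in the actual log file.
SAMPLE_LOG = """\
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_send] (0x0100): Executing simple bind as: Administrator
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0
(Thu Oct 13 15:09:55 2016) [sssd[be[BCM.LOCAL]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'win2012.bcm.local' as 'not working'
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=adel)(objectclass=user)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=Users,dc=bcm,dc=local].
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Thu Oct 13 16:07:33 2016) [sssd[be[BCM.LOCAL]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""

# Sub-codes AD places after "data" in an AcceptSecurityContext bind error.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# POSIX attributes the ldap_schema=ad user lookup needs on the AD object (IMU / UNIX Attributes tab).
POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

BIND_RE = re.compile(r"Bind result: (?P<result>[^()]+)\((?P<code>\d+)\)"
                     r"(?:.*?\bdata (?P<data>[0-9a-fA-F]+))?")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+)\]\[(?P<base>[^\]]*)\]")
RESULTS_RE = re.compile(r"Search for users, returned (?P<n>\d+) results")
PORT_RE = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")


def explain_bind_data(data):
    """Meaning of an AD 'data NNN' code from a failed bind."""
    return AD_BIND_DATA_CODES.get(data.lower(), "unknown AD data code %s" % data)


def triage(log_text):
    """Return (kind, explanation) findings extracted from one domain log."""
    findings = []
    last_search = None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and m.group("code") != "0":          # a successful bind is Success(0)
            data = m.group("data") or ""
            findings.append(("bind",
                             "simple bind rejected: %s (%s), AD data %s: %s; check "
                             "ldap_default_bind_dn and ldap_default_authtok"
                             % (m.group("result").strip(), m.group("code"), data or "n/a",
                                explain_bind_data(data) if data else "no data code")))
            continue
        m = PORT_RE.search(line)
        if m:
            findings.append(("failover",
                             "sssd marked %s:%s as not working; the domain goes offline until "
                             "the server recovers" % (m.group("server"), m.group("port"))))
            continue
        m = SEARCH_RE.search(line)
        if m:                                      # remember the filter for the result line
            last_search = (m.group("filter"), m.group("base"))
            continue
        m = RESULTS_RE.search(line)
        if m and m.group("n") == "0" and last_search:
            findings.append(("search",
                             "user search under %s returned nothing for filter %s; the AD object "
                             "must carry %s (IMU), or set ldap_id_mapping = true to derive UID/GID "
                             "from the SID" % (last_search[1], last_search[0], ", ".join(POSIX_ATTRS))))
    return findings


if __name__ == "__main__":
    for kind, explanation in triage(SAMPLE_LOG):
        print("[%s] %s" % (kind, explanation))
```

Feed it the real file with triage(open("/var/log/sssd/sssd_BCM.LOCAL.log").read()); the bind line only appears at debug_level 9 or higher, which is why the note above suggests raising it while troubleshooting.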
