Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Integrate RHEL with Active Directory
Special Forums Windows & DOS: Issues & Discussions Integrate RHEL with Active Directory Post 302884068 by gull04 on Friday 17th of January 2014 10:14:08 AM
Old 01-17-2014
Hi Stuart,

It's working against the AD for all of it's stuff, possibly better if I incorporate the sssd,conf file here.

We are running a very similar setup to yours, with an 18 node cluster using GFS at the back end with automount for home directories etc.

Code:
[15:06 sc386dm@ekbvcad301 data] > cat orig.sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = XXXXXXXXXXXXX

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
ldap_user_search_base = cn=Users,dc=xxx,dc=xxxxx,dc=com
ldap_group_search_base = cn=Users,dc=xxx,dc=xxxxx,dc=com
ldap_default_bind_dn = cn=admintest,cn=Users,dc=xxx,dc=xxxxx,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXX
ldap_force_upper_case_realm = True

[domain/EKB.ATMEL.COM]
description = LDAP auth to AD2003
min_id = 100
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://kdc1.xxx.xxxxx.com
ldap_schema = rfc2307bis
ldap_search_base = cn=Users,dc=xxx,dc=xxxxx,dc=com
ldap_default_bind_dn = cn=admintest,cn=Users,dc=xxx,dc=xxxxx,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXX
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
enumerate = true
chpass_provider = krb5
auth_provider = krb5
krb5_kdcip = 10.143.253.183
krb5_realm = XXX.XXXXX.COM
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15

#cache_credentials = True
#ldap_id_use_start_tls = False
debug_level = 9
krb5_kpasswd = kdc1.xxx.xxxxx.com:749
#ldap_search_base = cn=Users,dc=xxx,dc=xxxxx,dc=com
#krb5_realm = XXX.XXXXX.COM
#chpass_provider = krb5
#krb5_kdcip = kdc1.xxx.xxxxx.com:88
#ldap_tls_cacertdir = /etc/openldap/cacerts
[15:10 sc386dm@ekbvcad301 data] >

Anywhere you see 'x' or 'X' you'll have to substitute your own stuff - I have to leave now - but will check back when I get home (5 Hours).

Regards

Gull04
 

7 More Discussions You Might Find Interesting

1. Windows & DOS: Issues & Discussions

unix and active directory

Hi Does anybody know the steps and requirements of the installation process of Windows Active Directory using Unix/Linux Bind DNS. I will appreciate if somebody gives the answer. (1 Reply)
Discussion started by: Darwin Rodrigue
1 Replies

2. UNIX for Dummies Questions & Answers

Active Directory and UNIX

Hello - I have a very vague question, which will probably result in vague answers because I don't have a lot of detailed information and I don't know a whole lot about active directory. Our Windows/NT admin has been rolling out Active Directory over the past several weeks and as time goes on,... (1 Reply)
Discussion started by: rm -r *
1 Replies

3. UNIX for Dummies Questions & Answers

setup active directory

i would like to ask about unix with active directory..actually my situation is at ny place there already have dns server in unix based,i want to implement an active directory to the network..from what i read about active directory we have to used bind dns...some say that bind could not handle in... (1 Reply)
Discussion started by: nour
1 Replies

4. HP-UX

HP-UX authenticating to Active Directory

Hey, I've asked questions about this project here before and gotten lots of help so I figured I'd give it another try. I've recently set up my HP-UX environment to authenticate to a Windows Active Directory server (Windows Server 2003 R2). I setup an account on Active Directory which works... (2 Replies)
Discussion started by: Rike255
2 Replies

5. Red Hat

ldap and active directory

Hi Friends, I need your help to get some solution of one of my problem. Ours is a mixed domain. Most of the servers are windows and very little linux servers. We are using the MS AD for authentication. My problem is, I want to authenticate linux servers against AD. I donot want to use any... (1 Reply)
Discussion started by: arumon
1 Replies

6. UNIX for Advanced & Expert Users

Active Directory with 6.1

Is there anyone who is utilizing Active Directory (2008R2) for AIX user account management? If yes or if AD is possible with AIX systems, can you please share what to be done to get there? Please advise. (1 Reply)
Discussion started by: Daniel Gate
1 Replies

7. UNIX for Beginners Questions & Answers

Active Directory OR LDAP

Hi, How can we check users added through LDAP or AD. Users added through a group of AD or LDAP group. (2 Replies)
Discussion started by: Nishit
2 Replies

LEARN ABOUT CENTOS

sssd-sudo

SSSD-SUDO(5)						   File Formats and Conventions 					      SSSD-SUDO(5)

NAME

       sssd-sudo - Configuring sudo with the SSSD back end

DESCRIPTION

       This manual page describes how to configure sudo(8) to work with sssd(8) and how SSSD caches sudo rules.

CONFIGURING SUDO TO COOPERATE WITH SSSD

       To enable SSSD as a source for sudo rules, add sss to the sudoers entry in nsswitch.conf(5).

       For example, to configure sudo to first lookup rules in the standard sudoers(5) file (which should contain rules that apply to local users)
       and then in SSSD, the nsswitch.conf file should contain the following line:

	   sudoers: files sss

       More information about configuring the sudoers search order from the nsswitch.conf file as well as information about the LDAP schema that
       is used to store sudo rules in the directory can be found in sudoers.ldap(5).

       Note: in order to use netgroups or IPA hostgroups in sudo rules, you also need to correctly set nisdomainname(1) to your NIS domain name
       (which equals to IPA domain name when using hostgroups).

CONFIGURING SSSD TO FETCH SUDO RULES

       All configuration that is needed on SSSD side is to extend the list of services with "sudo" in [sssd] section of sssd.conf(5). To speed up
       the LDAP lookups, you can also set search base for sudo rules using ldap_sudo_search_base option.

       The following example shows how to configure SSSD to download sudo rules from an LDAP server.

	   [sssd]
	   config_file_version = 2
	   services = nss, pam, sudo
	   domains = EXAMPLE

	   [domain/EXAMPLE]
	   id_provider = ldap
	   sudo_provider = ldap
	   ldap_uri = ldap://example.com
	   ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

       When the SSSD is configured to use IPA as the ID provider, the sudo provider is automatically enabled. The sudo search base is configured
       to use the compat tree (ou=sudoers,$DC).

THE SUDO RULE CACHING MECHANISM

       The biggest challenge, when developing sudo support in SSSD, was to ensure that running sudo with SSSD as the data source provides the same
       user experience and is as fast as sudo but keeps providing the most current set of rules as possible. To satisfy these requirements, SSSD
       uses three kinds of updates. They are referred to as full refresh, smart refresh and rules refresh.

       The smart refresh periodically downloads rules that are new or were modified after the last update. Its primary goal is to keep the
       database growing by fetching only small increments that do not generate large amounts of network traffic.

       The full refresh simply deletes all sudo rules stored in the cache and replaces them with all rules that are stored on the server. This is
       used to keep the cache consistent by removing every rule which was deleted from the server. However, full refresh may produce a lot of
       traffic and thus it should be run only occasionally depending on the size and stability of the sudo rules.

       The rules refresh ensures that we do not grant the user more permission than defined. It is triggered each time the user runs sudo. Rules
       refresh will find all rules that apply to this user, check their expiration time and redownload them if expired. In the case that any of
       these rules are missing on the server, the SSSD will do an out of band full refresh because more rules (that apply to other users) may have
       been deleted.

       If enabled, SSSD will store only rules that can be applied to this machine. This means rules that contain one of the following values in
       sudoHost attribute:

       o   keyword ALL

       o   wildcard

       o   netgroup (in the form "+netgroup")

       o   hostname or fully qualified domain name of this machine

       o   one of the IP addresses of this machine

       o   one of the IP addresses of the network (in the form "address/mask")

       There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in
       sssd.conf(5).

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sss_cache(8), sss_debuglevel(8),
       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8),pam_sss(8).

AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd

SSSD
								    06/17/2014							      SSSD-SUDO(5)
All times are GMT -4. The time now is 07:50 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy