Introduction to SSSD and Realmd

Starting with Red Hat 7 and CentOS 7, SSSD (System Security Services Daemon) and realmd have been introduced. SSSD’s main function is to access a remote identity and authentication resource through a common framework that provides caching and offline support to the system. SSSD provides PAM and NSS integration and a database to store local users, as well as core and extended user data retrieved from a central server.

The main reason to transition from Winbind to SSSD is that SSSD can be used for both direct and indirect integration and allows switching from one integration approach to the other without significant migration costs. The most convenient way to configure SSSD or Winbind to directly integrate a Linux system with AD is the realmd service, because it allows callers to configure network authentication and domain membership in a standard way. The realmd service automatically discovers information about accessible domains and realms and does not require advanced configuration to join a domain or realm.

The realmd system provides a clear and simple way to discover and join identity domains. It does not connect to the domain itself but configures underlying Linux system services, such as SSSD or Winbind, to connect to the domain.

(Figure: Realmd, PAM and SSSD)

Please read through this Windows integration guide from Red Hat if you want more information. This extensive guide contains a lot of useful information about more complex situations.

Realmd / SSSD Use Cases

How to join an Active Directory domain?

  1. First of all, you will need to install the required packages:
  2. Configure NTP to prevent time sync issues:
  3. Join the server to the domain:
  4. Also add the default domain suffix to the SSSD configuration file:

    Add the following beneath [sssd]

  5. Finally move the computer object to an organizational unit in Active Directory.
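Step 4 above, as an added example that is not from the original post: a small POSIX shell script that inserts default_domain_suffix beneath [sssd] without duplicating it on a second run, and reads the value back from the [sssd] section. The sample sssd.conf and the example.com domain are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): step 4 made idempotent.
# Inserts "default_domain_suffix = <domain>" directly beneath the [sssd]
# header, leaves the file alone if the key is already there, and reads the
# value back from the [sssd] section, which is where sssd expects it.
# The sample config is constructed; the real file is /etc/sssd/sssd.conf.
set -eu

# add_default_domain_suffix FILE DOMAIN
add_default_domain_suffix() {
    file=$1; domain=$2
    if grep -Eq '^[[:space:]]*default_domain_suffix[[:space:]]*=' "$file"; then
        return 0                      # already configured, nothing to do
    fi
    tmp=$(mktemp)
    awk -v dom="$domain" '
        { print }
        /^\[sssd\]$/ && !done { print "default_domain_suffix = " dom; done = 1 }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"              # in place, so owner and 0600 mode survive
    rm -f "$tmp"
}

# sssd_section_suffix FILE: print the suffix configured in [sssd], if any.
sssd_section_suffix() {
    awk -F'=' '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && $1 ~ /^[[:space:]]*default_domain_suffix[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }
    ' "$1"
}

# Constructed sample, shaped like what "realm join" writes (example.com is assumed).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = simple
EOF

add_default_domain_suffix "$SAMPLE_CONF" example.com
add_default_domain_suffix "$SAMPLE_CONF" example.com   # second run is a no-op
```

After editing the real file, restart sssd and confirm with `id user@domain` that lookups still resolve.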

How to leave an Active Directory domain?

I have seen multiple times that, although the computer object was created in Active Directory, it was still not possible to log in with an AD account. The solution each time was to remove the server from the domain and then just add it back.

How to permit only one Active Directory group to logon

It can be very useful to allow only one Active Directory group, for example a group of Linux system administrators.

How to give sudo permissions to an Active Directory group

Add

Or
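As an added example (not from the original post), the following script installs the %adgroup@domain rule that the author and the comments cite as a drop-in under sudoers.d, with the file-name, mode and syntax checks that a hand edit can skip. The group linuxadmins@example.com and the drop-in name are assumptions; SUDOERS_DIR defaults to a temp dir here and would be /etc/sudoers.d on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): install the "%adgroup@domain"
# rule as a sudoers.d drop-in with the checks that stop a typo from taking
# sudo away from everyone. SUDOERS_DIR is a temp dir for the demo and would
# be /etc/sudoers.d on a real host; the group and file name are assumptions.
set -eu

SUDOERS_DIR=${SUDOERS_DIR:-$(mktemp -d)}

# write_ad_sudo_rule GROUP NAME: grant GROUP (e.g. linuxadmins@example.com)
# full sudo through the file $SUDOERS_DIR/NAME.
write_ad_sudo_rule() {
    group=$1; name=$2
    # sudo silently skips drop-ins whose name contains '.' or ends in '~'
    # (editor backups, package leftovers), so "admins.conf" would never apply.
    case $name in
        *.*|*~) echo "refusing drop-in name '$name': sudo would ignore it" >&2
                return 1 ;;
    esac
    tmp=$(mktemp)
    printf '%%%s ALL=(ALL) ALL\n' "$group" > "$tmp"
    chmod 0440 "$tmp"   # must be root-owned and 0440, or sudo refuses to parse it
    # Syntax-check before the file goes live. visudo also verifies owner and
    # mode, so the check is only meaningful as root, which you are on a real host.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null
    fi
    mv "$tmp" "$SUDOERS_DIR/$name"
}

# sudo_rule_for NAME: print the rule that was written, for verification.
sudo_rule_for() { cat "$SUDOERS_DIR/$1"; }

write_ad_sudo_rule linuxadmins@example.com ad-linuxadmins
```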

Example sssd.conf Configuration

The following is an example sssd.conf configuration file. I’ve seen it happen once that somehow access_provider was set to ad. I haven’t had the chance to play with that setting, as simple has worked almost every time so far.

Required security permissions in AD

A few months ago, we had a problem where some users were no longer able to authenticate. After an extended search we discovered the reason was a hardening change in permissions on some OUs in our AD. My colleague Jenne and I discovered that the Linux server computer objects need minimal permissions on the OU which contains the users that want to authenticate on your Linux servers. After testing almost all obvious permissions, we came to the conclusion that the computer objects need “Read remote access information”!


How to debug SSSD and realmd?

The log file which contains information about successful or failed login attempts is /var/log/secure. It contains information related to authentication and authorization. For example, sshd logs all its messages there, including unsuccessful logins. Be sure to check that log file if you experience problems logging in with an Active Directory user.
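The following is an added example, not from the original post: a shell function that walks /var/log/secure entries and reports, per sshd session, whether pam_sss rejected the password or accepted it and the account phase then denied access (the situation described in comment 12 below). The log excerpt is constructed from the line formats shown on this page; LOGFILE would be /var/log/secure on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): classify sshd/pam_sss entries in
# /var/log/secure so a wrong password can be told apart from an account-phase
# denial (realm permit / access_provider / slow group lookup). The excerpt
# below is constructed; point LOGFILE at /var/log/secure on a real host.
set -eu

LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
May 5 10:00:44 ohpc1 sshd[10769]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.116.12.32 user=my.name
May 5 10:01:44 ohpc1 sshd[10769]: Failed password for my.name from 11.116.12.32 port 51438 ssh2
May 5 10:01:44 ohpc1 sshd[10769]: fatal: Access denied for user my.name by PAM account configuration [preauth]
May 5 10:02:10 ohpc1 sshd[10801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.116.12.32 user=bob@example.com
May 5 10:02:10 ohpc1 sshd[10801]: pam_sss(sshd:auth): received for user bob@example.com: 7 (Authentication failure)
May 5 10:02:10 ohpc1 sshd[10801]: Failed password for bob@example.com from 11.116.12.32 port 51440 ssh2
May 5 10:03:02 ohpc1 sshd[10822]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.116.12.32 user=alice@example.com
May 5 10:03:02 ohpc1 sshd[10822]: Accepted password for alice@example.com from 11.116.12.32 port 51442 ssh2
EOF

# triage_secure_log FILE: one "user=<name> verdict=<...>" line per sshd PID.
#   account-denied  - pam_sss accepted the password but the account phase
#                     refused it: check realm permit / simple_allow_groups,
#                     ignore_group_members, and the sssd domain log
#   bad-credentials - pam_sss rejected the password (typo, locked AD
#                     account, or clock skew against the domain controller)
#   accepted        - login succeeded
triage_secure_log() {
    awk '
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /pam_sss\(sshd:auth\): authentication success/ {
            sub(/.*user=/, ""); user[pid] = $0; ok[pid] = 1; next
        }
        /pam_sss\(sshd:auth\): authentication failure/ {
            sub(/.*user=/, ""); user[pid] = $0; verdict[pid] = "bad-credentials"; next
        }
        /Access denied for user .* by PAM account configuration/ && ok[pid] {
            verdict[pid] = "account-denied"; next
        }
        /Accepted (password|publickey) for/ && ok[pid] { verdict[pid] = "accepted" }
        END { for (p in verdict) print "user=" user[p] " verdict=" verdict[p] }
    ' "$1" | sort
}

triage_secure_log "$LOGFILE"
```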

How to clear the SSSD cache?

As suggested by AP in the comments, you can manage your cache with the sss_cache command. It can be used to clear the cache and update all records:

The sss_cache command can also clear all cached entries for a particular domain:

If the administrator knows that a specific record (user, group, or netgroup) has been updated, then sss_cache can purge the records for that specific account and leave the rest of the cache intact:

Please refer to the official documentation for more information.

In case the above doesn’t help, you can also remove the cache ‘the hard way’:

Just wanted to add this command, which also helped me in one case somehow.

Final Words

I hope this guide helps people towards a better Windows Linux integration. Let me know if you think there is a better way to do the above or if you have some useful information you think I should add to this guide.

Greetings.

Willem

Willem D'Haese
Expert Monitoring at Digipolis
Expert Monitoring with a demonstrated history of working in the information technology and services industry. Strong ICT skills such as monitoring, virtualization, automation.

38 Comments

  1. Hi,

    It’s a very helpful instruction. I was able to join or leave the domain with what you mentioned earlier. But I am experiencing some difficulties with the user identification. After joining the domain successfully, I was trying to use the command “id” to identify the domain users but failed. And of course, it won’t let me “ssh” into the system with the AD accounts. Please help!

    BTW, the Linux can ping / find DC and I have tried to disable the firewalld on the linux to ensure there is no blocking issue from the linux end. Thanks,

    # id domainuser@domain
    id: domainuser@domain: no such user

    1. Hey Gary,

      I’m not really sure how I can help you. What happens if you execute ‘realm list’? The procedure listed above worked for me many times. I suggest you open a post on the CentOS forums. Let me know how it worked out for you and if I need to add some stuff to my documentation!

      1. Hi, Willemdh

        Thanks for the quick reply. After joining the domain (mydomain.com) successfully, the output of realm is as follows. Even so, I still could not “id domainuser@mydomain.com“…..

        [tigeruser@shell etc]# sudo realm list
        mydomain.com
        type: kerberos
        realm-name: MYDOMAIN.COM
        domain-name: mydomain.com
        configured: kerberos-member
        server-software: active-directory
        client-software: sssd
        required-package: oddjob
        required-package: oddjob-mkhomedir
        required-package: sssd
        required-package: adcli
        required-package: samba-common
        login-formats: %U@mydomain.com
        login-policy: allow-realm-logins

    2. Gary,

      Are you still experiencing this issue? Can you compare your sssd.conf with the one I added to the blog post as an example?

      Willem

  2. @Gary Chang
    I would check the /etc/krb5.conf
    Look for it and make sure the following are in there.
    Restart sssd. If that doesn't work, reboot.
    Also install kinit and try kinit username

    default_realm = domain.com

    [realms]
    DOMAIN.COM = {
    kdc = dc.domain.com
    admin_server = dc.domain.com
    }

    Another thing is in your /etc/sssd/sssd.conf
    do you have use_fully_qualified_names set as True or False?

  3. Excellent write-up! Very helpful and even more importantly; concise.

    Small note:

    For adding an AD group to sudoers, instead of “%adgroup@domain ALL=(ALL) ALL”, one could also use “%domain\\adgroup ALL=(ALL) ALL”

  4. Has anyone gotten this to work on Ubuntu (more specifically 16.04)? I’m trying to figure out how to do the closest config between Centos 7 and Ubuntu 16.04 so I can standardize my instruction sets for other staff.

    1. I’m not using Ubuntu. Feel free to notify me with the necessary Ubuntu commands and I’ll see if I can add it to the blog post. Tx

  5. Hi,
    Very nice tutorial !
    I’m using CentOS7 and I noticed that even if
    ldap_id_mapping = True
    is set my uid/gid are not retrieved from AD
    I get numbers like 677272815 instead of the 10XXX I set on AD accounts.
    BTW do you know a way to automatically increment these ids?
    Thank you again

    1. Chris,
      Microsoft has deprecated the Identity Management for UNIX extension to Active Directory, which used to be used to manage POSIX attributes in the AD for use by UNIX clients. SSSD now performs this role, mapping Windows user and group ids to UNIX. POSIX attributes will no longer be required in AD, and the automatic id mapping is not compatible with the old POSIX attributes, i.e. once you enable automatic id mapping, existing POSIX attributes are ignored. Group memberships may need to be fixed if POSIX group memberships don’t match the Windows group memberships (Windows group memberships will be used with id mapping). Additionally, all uid numbers will be changed when automatic id mapping is enabled on a host.

  6. This just plain does not work for me 🙂

    getent passwd is working and all users are listed, but, there is no way to make ‘ su – ‘ or ‘ssh mydomainuser@host’ work. Did you run in to this issue at all ?

  7. There appears to be a re-occurrence of an old bug in the most recent version of realmd that requires samba-common-tools to be installed as well as it appears that it is not installed with samba-common as a dependency. I used the posted process multiple times throughout 2016 but as of today it does not work on CentOS7 unless samba-common-tools is also installed.

    I referenced a bugzilla thread here for RedHat which I never encountered before on CentOS7;

    https://bugzilla.redhat.com/show_bug.cgi?id=1274251

    1. Zman, thanks for letting us know. I just checked and samba-common-tools seems to be installed on my systems, so never had this problem. I’ll add it to the post. Thanks.

  8. Great tuto!
    Is there a config example to limit access from “all” ad/ldap users to special usergroup and without sudo rights like normal domain user?

      1. The syntax I was looking for was
        realm permit -g activedirectorygroup@domain

        Thank you very much!

  9. I can’t install realms on centos7 it says no package available even though I have the latest spell release. which repo I need for realms ?

  10. Hello Willem,

    Great Tutorial! Really appreciate it .

    I have a question regarding the offline authentication that sssd supports. I have set the option cache_credentials to true in sssd.conf, but wanted to see if this option works in real time scenario where the remote identification server is offline or down. Kindly let me know your thoughts on how to test this feature.

    Thanks
    Hemanth

  11. Nice tutorial!

    Seeking help to make it work with samba. Added samba install in the yum command. I’m used to doing config with winbind (though it is often a fight to make it all work!), so I don’t know how to config smb.conf in respect of SSSD. I like the fact that SSSD can cache credentials, a very good thing when DCs are accessible through WAN.

    So for now, i can ssh to the CentOS 7.3.1611 server with AD user credentials. The user@domain directory is created under /home/ (oddjob-mkhomedir failed me many times on the past!!! Always a nightmare to config and a moving target!). So the problem now is to populate correctly /etc/samba/smb.conf and have ACL working right using AD creds.

    Somebody did it? Many thanks in advance!

    GB

  12. Great tutorial, I have only a problem with allow one Active Directory group ( realm permit -g activedirectorygroup@domain) ; I can not login with ssh, /var/log/secure contains this error:

    May 5 10:00:44 ohpc1 sshd[10769]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.116.12.32 user=my.name
    May 5 10:01:44 ohpc1 sshd[10769]: Failed password for my.name from 11.116.12.32 port 51438 ssh2
    May 5 10:01:44 ohpc1 sshd[10769]: fatal: Access denied for user my.name by PAM account configuration [preauth]

    1. The problem is that groups enumeration is too slow, solved with ignore_group_members = True in sssd.conf.

  13. I joined properly to the domain. Login working with ad user, home directory auto created etc..:

    Now i wanted to limit who can use sudo.
    I tried your method and was not working:
    Domain: test.local
    Group: testgroup

    %testgroup@test.local ALL=(ALL) ALL
    %testgroup@test ALL=(ALL) ALL
    %test\\testgroup ALL=(ALL) ALL
    %domain\\testgroup ALL=(ALL) ALL

    Please NOTE!
    I also use ldap_id_mapping=False in sssd.conf
    (it means no auto ID mapping applied)

    I tried the sudo with one of the testgroup member but it was NOT working. 🙁

    testgroup has manual ID unix attribute also as the user has it.
    User is member of the testgroup also in the member tab and also in the unix attribute tab in the AD testgroup properties.

    However the client linux tells users is not allowed to use sudoers.

    What can be wrong?

    1. No idea, I can only say that %adgroup@domain ALL=(ALL) ALL works for giving sudo permissions to my adgroup for all the CentOS servers I joined to the domain over the last 3 years… Did you check /var/log/secure ? Did you try clearing the cache?

  14. Thanks for the instructions.
    How can we restrict user name to short name (user) instead of (user@domain ) ? I tried use_fully_qualified_names = False but then it would not start sssd service.

    Have you tried it?

    Thanks
    Kamlesh

    1. Hey Kamlesh,

      No I didn’t try it, as I had no need for it. Glad you like the instructions. If you ever find out how to do it, let me know how and I’ll add it to the instructions.

      Grtz

      Willem

    2. Hello Kamlesh, I had the same issue.

      The detail event message stated that the directory was not found.
      I found out that the issue is solved by leaving out the statement:

      [sssd]
      # default_domain_suffix = addomain
      [domain/addomain]
      # use_fully_qualified_names = True
      use_fully_qualified_names = False

      It worked in my case
