I describe here the setup of CentOS 7 with sssd for login with UW Kerberos and LDI.
First you must have your LDI OU created and your client cert set up.
The default installation of CentOS 7 will include the packages needed.
Set selinux to ‘permissive’ until you get things working. Afterwards, you can deal with any selinux issues.
Enable sssd and oddjobd so they will be started by systemd at boot time. Start oddjobd so that oddjobd_mkhomedir, invoked from pam, will create the home directory for non-local users upon first login.
[root]# systemctl enable sssd
[root]# systemctl enable oddjobd
[root]# systemctl start oddjobd
You will need to configure sssd before you can start it.
Configure pam to use SSSD.
#%PAM-1.0
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 debug
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# to auto-create home dir requires oddjobd: 'systemctl enable oddjobd'
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#%PAM-1.0
# /etc/pam.d/password-auth is included by /etc/pam.d/sshd, /etc/pam.d/gdm-password, and others
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Configure /etc/nsswitch.conf to use SSSD.
Check for these service settings in nsswitch.conf and add sss if it is not already set:
passwd: files sss
shadow: files sss
group: files sss
Configure SSSD.
Install your client cert and key in your local filesystem, along with the UW CA cert. Set the ldap_tls_* path variables in sssd.conf to point to them.
Edit sssd.conf to put your own OU in the ldap_*_base DNs.
# Debug log level is set to maximum
# Logs are in /var/log/sssd
[sssd]
debug_level = 0x0400
domains = netid.washington.edu
services = nss, pam
config_file_version = 2

[nss]
debug_level = 0x0400
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[domain/netid.washington.edu]
debug_level = 0x0400
# enumeration will affect performance
# set true or false depending on the number of users in your LDI OU
enumerate = true
id_provider = ldap
# set min_id to avoid clash between
# lowest possible uid from uwnetid domain
# and highest possible local account uid
min_id = 2001
# Disable for debugging...might enable for production:
cache_credentials = false
entry_cache_timeout = 300
ldap_uri = ldap://ldi.s.uw.edu
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
# These are the Redhat standard paths to cert and key directories
# Modify if your paths or file names are different
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cert = /etc/pki/tls/certs/ldi-client.crt
ldap_tls_key = /etc/pki/tls/private/ldi-client.key
ldap_sasl_mech = EXTERNAL
# Change 'chem' to your own OU.
ldap_search_base = ou=chem,dc=ldi,dc=uw,dc=edu
ldap_user_search_base = ou=accounts,ou=chem,dc=ldi,dc=uw,dc=edu
ldap_group_search_base = ou=groups,ou=chem,dc=ldi,dc=uw,dc=edu
use_fully_qualified_names = false
fallback_homedir = /home/%u
shell_fallback = /bin/bash
auth_provider = krb5
# external krb5 configuration is not used, all configuration is here:
krb5_realm = NETID.WASHINGTON.EDU
krb5_server = netid.washington.edu
# If you prefer instead to use kerberos settings from /etc/krb5.conf
# then set:
# krb5_use_kdcinfo = false
# /etc/krb5.keytab is not used, unless you want to enable this:
# krb5_validate = true
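As an added example (not part of the original post), a small pre-flight check that parses an sssd.conf and flags the settings above that matter most for a safe directory binding: STARTTLS on a plain ldap:// URI, ldap_tls_reqcert = demand, a client cert and key when ldap_sasl_mech is EXTERNAL, and a min_id above the uid < 1000 boundary the pam stack treats as local. The sample config is constructed from the page's values; the function name audit_sssd_conf is my own.

```python
import configparser

# Constructed sample, trimmed from the sssd.conf shown on this page.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = netid.washington.edu
services = nss, pam

[domain/netid.washington.edu]
id_provider = ldap
min_id = 2001
ldap_uri = ldap://ldi.s.uw.edu
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cert = /etc/pki/tls/certs/ldi-client.crt
ldap_tls_key = /etc/pki/tls/private/ldi-client.key
ldap_sasl_mech = EXTERNAL
fallback_homedir = /home/%u
auth_provider = krb5
krb5_realm = NETID.WASHINGTON.EDU
"""

def audit_sssd_conf(text: str) -> list:
    """Return findings for every [domain/...] section; [] means all checks passed."""
    # interpolation=None: values such as /home/%u are sssd templates, not
    # configparser interpolation, and would otherwise raise on lookup.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        return ["no [domain/...] section found"]
    for sec in domains:
        d = cp[sec]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        # ldap:// without STARTTLS sends binds and directory data in the clear.
        if d.get("ldap_uri", "").startswith("ldap://") and not start_tls:
            findings.append(f"{sec}: ldap:// URI without ldap_id_use_start_tls = true")
        # Anything weaker than 'demand' accepts a forged or expired server cert.
        if d.get("ldap_tls_reqcert", "").lower() != "demand":
            findings.append(f"{sec}: ldap_tls_reqcert should be 'demand'")
        # SASL EXTERNAL authenticates the host with the client cert, so both must be set.
        if d.get("ldap_sasl_mech", "").upper() == "EXTERNAL" and not (
                "ldap_tls_cert" in d and "ldap_tls_key" in d):
            findings.append(f"{sec}: ldap_sasl_mech EXTERNAL needs ldap_tls_cert and ldap_tls_key")
        # The pam stack on this page treats uid < 1000 as local; keep directory uids above it.
        if d.getint("min_id", fallback=0) < 1000:
            findings.append(f"{sec}: min_id should be >= 1000 so directory uids cannot shadow local ones")
    return findings
```

Run it against /etc/sssd/sssd.conf (as root, since the file is mode 0600) before the first systemctl start sssd; an empty list means the TLS and uid-range settings match what this page recommends.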
Start sssd and check status.
[root]# systemctl start sssd
Wait a few seconds for startup, then issue:
[root]# systemctl status sssd
If status shows failed, examine your logs in /var/log/sssd.
If status is active (running), then proceed to test login with your netid.
[root]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Thu 2017-05-18 13:09:24 PDT; 4h 40min ago
Process: 468 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 501 (sssd)
CGroup: /system.slice/sssd.service
├─501 /usr/sbin/sssd -D -f
├─512 /usr/libexec/sssd/sssd_be --domain netid.washington.edu --uid 0 --gid 0 --de...
├─562 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─563 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
May 18 13:09:21 lditest.chem.washington.edu systemd[1]: Starting System Security Services Da....
May 18 13:09:22 lditest.chem.washington.edu sssd[501]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[be[netid.washington.edu]][512]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[pam][563]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[nss][562]: Starting up
May 18 13:09:24 lditest.chem.washington.edu systemd[1]: Started System Security Services Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Test login with a NetID that you have synchronized to your LDI OU.
Test these three login modalities:
- gdm (graphical login)
- local console (do ctrl-alt-f2 to get a text-console login prompt)
- ssh (remote login)
If login fails, examine your sssd logs and journalctl log.
Configure for production.
Once everything is working, you may want to remove debug logging from sssd.conf and from the pam files, and you may want to set selinux to ‘enforcing’.
Also configure caching for performance. (I usually disable caching for debugging because it tends to confuse.)
Restart services, or reboot.
Notes on UW CA Installation
Get the UW Services CA cert here.
Per Redhat convention, install UW CA pem in /etc/pki/ca-trust/source/anchors:
[root]# cp UWServicesCA.pem /etc/pki/ca-trust/source/anchors
[root]# update-ca-trust extract
Richard –
this is really great – thanks for making sure it all worked and posting a very nice configuration set!
-Matt