Linux Integration with the UWWI Microsoft Active Directory using CentOS7 with SSSD

I have configured CentOS 7 Linux with SSSD (Red Hat's System Security Services Daemon) to participate in the UWWI, that is, the UW NetID Microsoft Active Directory.

With this Linux host joined to the UWWI Windows domain, any user with a UW NetID can log in with their NetID and password, with no prior user-specific local configuration. A home directory is created automatically on first login, and the user's UW U-Drive is mounted automatically under the home directory at each login and unmounted at logout.

SSSD should also support AD Group Policy access control, but so far I have not been able to make this work within the UWWI domain.

This document describes the steps to install and configure a CentOS or Red Hat Linux system to join the UW NetID AD domain.

  1. Obtain a UWWI delegated OU (Organizational Unit).

    1. Request an OU.
    2. Initially this is needed to create a "Computer Object" in your OU for the Linux box you will be joining to the UWWI AD.
    3. You may also need a static IP address in DNS for your Linux box as a prerequisite to creating its AD computer object in your OU.
  2. Install CentOS 7

    Install the following additional repositories.

    1. https://dl.fedoraproject.org/pub/epel/7/x86_64/repoview/epel-release.html
    2. http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
  3. Add the following additional rpms to the default installation:

    krb5-workstation
    sssd
    sssd-common
    sssd-client
    sssd-tools
    sssd-ldap
    sssd-krb5-common
    sssd-krb5
    sssd-common-pac
    sssd-ad
    adcli
    realmd
    python-sssdconfig
    libsss_idmap
    sssd-libwbclient
    libsss_nss_idmap
    pam_pkcs11
    oddjob
    oddjob-mkhomedir
    
    These should be found in the CentOS base repository.
  4. Add these rpms from epel repo

    pam_ssh
    python-pip
    pamtester
    sssd-dbus
  5. Add these rpms from nux-dextop

    pam_mount
    hxtools
    python3-pip
    
  6. After booting CentOS 7, edit these configuration files:

    
    	|-- etc
    	| | |-- krb5.conf
    	| |-- openldap
    	| | |-- cacerts
    	| | | `-- UWServicesCA.cacert
    	| | `-- ldap.conf
    	| |-- pam.d
    	| | |-- gdm-password
    	| | |-- password-auth-ac
    	| | `-- system-auth-ac
    	| |-- security
    	| | `-- pam_mount.conf.xml
    	| |-- skel
    	| | `-- udrive
    	| |-- sssd
    	| | |-- sssd.conf
    

    Note that these configs are set for maximally verbose debug logging.

  7. SSSD configuration

  8. Kerberos configuration

  9. LDAP configuration

  10. PAM configuration

  11. After you have edited your config files, proceed to join the netid.washington.edu domain. Be sure that you have first created a computer object in your OU*. Then issue these commands on your Linux box:

    adcli join -U sadm_ketcham netid.washington.edu
    systemctl enable sssd
    systemctl start sssd

    You will be using the admin NetID and password you received when you got your OU (mine is sadm_ketcham). Successfully joining the MS domain results in the creation of the /etc/krb5.keytab file.

  12. Test by logging in with a UW NetID and password. You should find your UW “Udrive” mounted as ~/udrive.

* You may also join the UWWI with the format:

    adcli join \
      -U sadm_myAdminAcct \
      -N myComputerName \
      -O OU=myOuName,OU=Delegated,DC=netid,DC=washington,DC=edu \
      netid.washington.edu

specifying your OU and computer name from the client side. In this way you avoid the need to pre-create your computer object in your OU. (Thanks to Bill Somsky for pointing this out.)
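Two points from this setup deserve a check before the host goes into service: the configs are at maximal debug verbosity, and with no access_provider set SSSD permits every authenticated domain account, which is exactly the "any UW NetID can log in" behaviour described above. The following audit script is an added example, not the author's configuration or code; it uses only the standard-library configparser (not the python-sssdconfig module listed above), and the embedded sssd.conf is a constructed sample with an assumed production threshold of debug_level 3.

```python
import configparser
import io

# Constructed sample (not the author's file) for the page's domain, at verbose debug.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = netid.washington.edu

[domain/netid.washington.edu]
id_provider = ad
ad_domain = netid.washington.edu
krb5_realm = NETID.WASHINGTON.EDU
debug_level = 9
fallback_homedir = /home/%u
"""

def audit_sssd_conf(text, max_debug_level=3):
    """Return a list of findings for an sssd.conf; an empty list means clean."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    findings = []
    sssd = cfg["sssd"] if cfg.has_section("sssd") else {}
    services = {s.strip() for s in sssd.get("services", "").split(",")}
    for needed in ("nss", "pam"):  # the page relies on both lookups and PAM auth
        if needed not in services:
            findings.append(f"[sssd] services lacks {needed}")
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cfg.has_section(sect):
            findings.append(f"missing section [{sect}]")
            continue
        d = cfg[sect]
        if d.get("id_provider") != "ad":
            findings.append(f"[{sect}] id_provider is not ad")
        # Without access_provider SSSD defaults to 'permit': every domain
        # account that authenticates may log in, which is what the page describes.
        if d.get("access_provider", "permit") == "permit":
            findings.append(f"[{sect}] access_provider permits every domain user")
        # The page's configs are at maximal verbosity; anything above
        # max_debug_level (an assumed production threshold) is flagged.
        lvl = d.get("debug_level")
        if lvl is not None and int(lvl, 0) > max_debug_level:
            findings.append(f"[{sect}] debug_level {lvl} is verbose")
    return findings
```

Run it against /etc/sssd/sssd.conf after the join; adding `access_provider = ad` (optionally with an `ad_access_filter`) and lowering `debug_level` clears the two findings the sample produces.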