I have configured CentOS 7 Linux with sssd (Red Hat's System Security Services Daemon) to participate in the UWWI, that is, the UW NetID Microsoft Active Directory.
With this Linux host joined to the UWWI Windows domain, any user with a UW NetID can log in with their NetID and password, with no prior user-specific local configuration. A home directory is auto-created for the user upon first login, and the user's UW U-Drive is auto-mounted under their home directory at each login and unmounted at logout.
SSSD should also support AD Group Policy access control (the ad_gpo_access_control setting), but so far I have not been able to make this work within the UWWI domain.
This document describes the steps to install and configure a CentOS or Redhat linux system to join to the UW netid AD domain.
Install the following additional repositories.
These should be found in the CentOS base repository (pam_mount and its hxtools dependency come from EPEL on CentOS 7):

krb5-workstation sssd sssd-common sssd-client sssd-tools sssd-ldap sssd-krb5-common
sssd-krb5 sssd-common-pac sssd-ad adcli realmd python-sssdconfig libsss_idmap
sssd-libwbclient libsss_nss_idmap pam_pkcs11 oddjob oddjob-mkhomedir
pam_ssh python-pip pamtester sssd-dbus
pam_mount hxtools python3-pip
|-- etc
|   |-- krb5.conf
|   |-- openldap
|   |   |-- cacerts
|   |   |   `-- UWServicesCA.cacert
|   |   `-- ldap.conf
|   |-- pam.d
|   |   |-- gdm-password
|   |   |-- password-auth-ac
|   |   `-- system-auth-ac
|   |-- security
|   |   `-- pam_mount.conf.xml
|   |-- skel
|   |   `-- udrive
|   |-- sssd
|   |   |-- sssd.conf
Note that these configuration files are set for maximally verbose debug logging; lower debug_level in sssd.conf before production use, since the logs grow quickly and record usernames and lookup details.
UWWI-specific configuration: pay particular attention to the settings following "ldap_id_mapping = true". I am using SID-based ID mapping (see Red Hat: about-id-mapping). Windows SIDs are mapped to Unix UIDs by a hashing algorithm that divides the configured UID range into "slices" (see sssd-ad(5)): each AD domain is hashed onto one slice, and a user's UID is the slice base plus the user's RID, so a RID larger than the slice size cannot be mapped at all. The UWWI RID space is too large for the default slice size, so I have set the ldap_idmap_range_* parameters in my sssd.conf to allow for a large address space.
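The following is an added example, not code from the original page or from sssd itself. It works through the slice arithmetic behind ldap_id_mapping: how many slices the range holds, which UID a (slice, RID) pair lands on, why a RID at or above ldap_idmap_range_size is unmappable, and what [domain] fragment to write for a given highest RID. The range defaults (200000, 2000200000, 200000) are the ones documented in sssd-ad(5); HIGHEST_RID is an assumption that you must replace with your domain's actual value.

```shell
#!/bin/sh
# Added example (not from the page or sssd): sssd SID-to-UID slice arithmetic.
# Defaults are from sssd-ad(5); HIGHEST_RID below is an assumption.

# Number of complete slices the range can hold; each AD domain (by domain SID)
# is hashed onto one of them.
idmap_slice_count() {
    # $1 range_min  $2 range_max  $3 range_size
    echo $(( ($2 - $1) / $3 ))
}

# UID that a given (slice index, RID) pair maps to: slice base + RID.
idmap_uid() {
    # $1 range_min  $2 range_size  $3 slice index  $4 RID
    echo $(( $1 + $3 * $2 + $4 ))
}

# Succeeds only when every RID up to $2 fits inside one slice of size $1.
# sssd cannot map a RID >= range_size, so such a user simply "does not exist".
idmap_rid_fits() {
    # $1 range_size  $2 highest RID in the domain
    [ "$2" -lt "$1" ]
}

# Emit the [domain/...] settings whose slice size covers the highest RID, rounded
# up to the next million for headroom, keeping the documented default bounds.
idmap_conf_fragment() {
    # $1 highest RID
    size=$(( ( $1 / 1000000 + 1 ) * 1000000 ))
    printf 'ldap_id_mapping = true\n'
    printf 'ldap_idmap_range_min = 200000\n'
    printf 'ldap_idmap_range_max = 2000200000\n'
    printf 'ldap_idmap_range_size = %s\n' "$size"
}

# Assumed value; find your real ceiling before relying on it.
HIGHEST_RID=${HIGHEST_RID:-1500000}

if [ "${1:-}" = "--show" ]; then
    printf 'slices with defaults: %s\n' "$(idmap_slice_count 200000 2000200000 200000)"
    if idmap_rid_fits 200000 "$HIGHEST_RID"; then
        echo "highest RID $HIGHEST_RID fits in a default slice"
    else
        echo "highest RID $HIGHEST_RID does not fit the default slice; use:"
        idmap_conf_fragment "$HIGHEST_RID"
        size=$(( ( HIGHEST_RID / 1000000 + 1 ) * 1000000 ))
        printf 'slices at that size: %s\n' "$(idmap_slice_count 200000 2000200000 "$size")"
    fi
    # Caveat: changing the range re-maps every SID to a new UID. Stop sssd, clear
    # /var/lib/sss/db/*, restart, and chown any files already created under old UIDs.
fi
```

Run it as `sh idmap.sh --show` (name assumed). Note the trade-off the slice count makes visible: a larger slice size means fewer slices, and with the default bounds and a 2,000,000 slice only 1000 domains can be hashed, which is still far more than a single-forest join needs.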
I probably copied this from homer.
PAM is configured to auto-create a user's home directory upon their first NetID login (pam_oddjob_mkhomedir, from the oddjob-mkhomedir package) and to auto-mount the user's U-Drive at login time (pam_mount).
Create the directory /etc/skel/udrive; it is copied into each newly created home directory and becomes the mount point for the user's U-Drive.
You will be using the admin NetID and password you received when you got your OU (mine is sadm_ketcham). Successfully joining the domain creates the /etc/krb5.keytab file, which holds the machine account's key and must stay readable by root only.

adcli join -U sadm_ketcham netid.washington.edu
systemctl enable sssd
systemctl start sssd

Alternatively, specify your OU and computer name from the client side; this avoids the need to pre-create the computer object in your OU. (Thanks to Bill Somsky for pointing this out.)

adcli join \
  -U sadm_myAdminAcct \
  -N myComputerName \
  -O OU=myOuName,OU=Delegated,DC=netid,DC=washington,DC=edu \
  netid.washington.edu
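The following is an added example, not code from the original page: it assembles the client-side join described above and then verifies the join rather than assuming it worked, checking that the keytab carries a host/ principal for this machine (a keytab with only the MACHINE$ principal will not serve Kerberos logins), that sssd reports the domain online, and that a real NetID resolves and authenticates through PAM with pamtester (from the package list above). ADMIN, HOST, OU, TESTUSER and the klist sample are placeholders and constructed data, not values from the page.

```shell
#!/bin/sh
# Added example (not from the page): client-side adcli join plus verification.
# ADMIN/HOST/OU/TESTUSER are placeholders; SAMPLE_KLIST is constructed.

# Build the join command line so it can be reviewed and logged before it runs.
build_join_cmd() {
    # $1 admin account  $2 computer name  $3 OU DN  $4 domain
    printf 'adcli join -U %s -N %s -O %s %s\n' "$1" "$2" "$3" "$4"
}

# Read "klist -kt" output on stdin; succeed only if it lists host/<fqdn>@<realm>.
keytab_has_host_principal() {
    # $1 FQDN (lowercase)  $2 realm (uppercase)
    grep -qF -- "host/$1@$2"
}

# Constructed sample of "klist -kt /etc/krb5.keytab" output after a good join.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2020 10:00:00 MYHOST$@NETID.WASHINGTON.EDU
   2 01/15/2020 10:00:00 host/myhost.example.washington.edu@NETID.WASHINGTON.EDU'

if [ "${1:-}" = "--run" ]; then
    set -e
    ADMIN=sadm_myAdminAcct                      # placeholder admin NetID
    HOST=myComputerName                         # placeholder computer name
    OU='OU=myOuName,OU=Delegated,DC=netid,DC=washington,DC=edu'
    DOMAIN=netid.washington.edu
    REALM=NETID.WASHINGTON.EDU
    FQDN=$(hostname -f)
    TESTUSER=${TESTUSER:?set TESTUSER to a NetID to verify with}

    mkdir -p /etc/skel/udrive                   # U-Drive mount point copied into new homes
    echo "running: $(build_join_cmd "$ADMIN" "$HOST" "$OU" "$DOMAIN")"
    adcli join -U "$ADMIN" -N "$HOST" -O "$OU" "$DOMAIN"

    [ -f /etc/krb5.keytab ] || { echo "join reported success but no keytab exists"; exit 1; }
    chmod 600 /etc/krb5.keytab                  # machine key: root-only
    klist -kt /etc/krb5.keytab | keytab_has_host_principal "$FQDN" "$REALM" \
        || { echo "keytab lacks host/$FQDN@$REALM; check hostname -f and DNS"; exit 1; }

    systemctl enable sssd
    systemctl start sssd
    sssctl domain-status "$DOMAIN"              # sssd-tools: expect "Online status: Online"
    id "$TESTUSER"                              # resolves through sssd ID mapping
    pamtester -v login "$TESTUSER" authenticate # prompts for the NetID password
fi
```

Run as root with `TESTUSER=somenetid sh join.sh --run` (script name assumed). The keytab check matters because adcli derives the host/ principal from the machine's FQDN at join time; if `hostname -f` and DNS disagree, the join still "succeeds" but SSH GSSAPI and sssd's own Kerberos authentication will fail later with a misleading error.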