{"id":87,"date":"2017-05-18T17:08:08","date_gmt":"2017-05-19T00:08:08","guid":{"rendered":"http:\/\/blogs.uw.edu\/ketcham\/?p=87"},"modified":"2018-03-15T10:43:47","modified_gmt":"2018-03-15T17:43:47","slug":"log-in-to-linux-with-uw-linux-directory-infrastructure-ldi","status":"publish","type":"post","link":"https:\/\/staff.washington.edu\/ketcham\/log-in-to-linux-with-uw-linux-directory-infrastructure-ldi\/","title":{"rendered":"Configure CentOS7 with SSSD and UW Linux Directory Infrastructure (LDI)"},"content":{"rendered":"<p>I describe here the setup of CentOS 7 with sssd for login with UW kerberos and LDI.<\/p>\n<p><a href=\"https:\/\/wiki.cac.washington.edu\/display\/LDI\/Linux+Directory+Infrastructure+Service\">First you must have your LDI OU created and set up your client cert<\/a>.<\/p>\n<p>The default installation of CentOS7 will include the packages needed.<\/p>\n<p>Set selinux to &#8216;permissive&#8217; until you get things working.\u00a0 After, you can deal with any selinux issues.<\/p>\n<p>Enable sssd and oddjobd so they will be started by systemd at boot time. 
Start oddjobd so that oddjobd_mkhomedir, invoked from pam, will create the home directory for non-local users upon first login.<\/p>\n<pre><span style=\"color: #999999;\">[root]#<\/span> systemctl enable sssd\r\n<span style=\"color: #999999;\">[root]#<\/span> systemctl enable oddjobd\r\n<span style=\"color: #999999;\">[root]#<\/span> systemctl start oddjobd<\/pre>\n<p>You will need to configure sssd before you can start it.<\/p>\n<h3>Configure pam to use SSSD<\/h3>\n<p><a href=\"http:\/\/staff.washington.edu\/ketcham\/centos7-ldi\/system-auth-ac\">\/etc\/pam.d\/system-auth-ac<\/a><\/p>\n<pre>#%PAM-1.0\r\nauth required pam_env.so debug\r\nauth sufficient pam_unix.so nullok try_first_pass\r\nauth requisite pam_succeed_if.so uid &gt;= 1000 debug\r\nauth sufficient pam_sss.so use_first_pass\r\nauth required pam_deny.so\r\n\r\naccount required pam_unix.so\r\naccount sufficient pam_localuser.so\r\naccount sufficient pam_succeed_if.so uid &lt; 1000 quiet\r\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\r\naccount required pam_permit.so\r\n\r\npassword requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=\r\npassword sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok\r\npassword sufficient pam_sss.so use_authtok\r\npassword required pam_deny.so\r\n\r\nsession optional pam_keyinit.so revoke\r\nsession required pam_limits.so\r\n-session optional pam_systemd.so\r\n#to auto-create home dir requires oddjobd: 'systemctl enable oddjobd'\r\nsession optional pam_oddjob_mkhomedir.so umask=0077\r\nsession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\r\nsession required pam_unix.so\r\nsession optional pam_sss.so<\/pre>\n<p><a href=\"http:\/\/staff.washington.edu\/ketcham\/centos7-ldi\/password-auth\">\/etc\/pam.d\/password-auth<\/a><\/p>\n<pre>#%PAM-1.0 \r\n#\/etc\/pam.d\/password-auth is included by \/etc\/pam.d\/sshd, \/etc\/pam.d\/gdm-password, and others \r\nauth required pam_env.so 
\r\nauth sufficient pam_unix.so nullok try_first_pass \r\nauth requisite pam_succeed_if.so uid &gt;= 1000 quiet_success \r\nauth sufficient pam_sss.so use_first_pass \r\nauth required pam_deny.so \r\n \r\naccount required pam_unix.so \r\naccount sufficient pam_localuser.so \r\naccount sufficient pam_succeed_if.so uid &lt; 1000 quiet \r\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so \r\naccount required pam_permit.so \r\n \r\npassword requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= \r\npassword sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok\r\npassword sufficient pam_sss.so use_authtok\r\npassword required pam_deny.so\r\n\r\nsession optional pam_keyinit.so revoke\r\nsession required pam_limits.so\r\n-session optional pam_systemd.so\r\nsession optional pam_oddjob_mkhomedir.so umask=0077\r\nsession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\r\nsession required pam_unix.so\r\nsession optional pam_sss.so<\/pre>\n<h3>Configure \/etc\/nsswitch.conf to use SSSD.<\/h3>\n<p>Check for these service settings in nsswitch.conf and add sss where it is not already present:<\/p>\n<pre>passwd: files sss\r\nshadow: files sss\r\ngroup: files sss<\/pre>\n<h3>Configure SSSD.<\/h3>\n<p>Install your client cert and key in your local filesystem, along with the <a href=\"#CA_Installation\">UW CA cert<\/a>.\u00a0 Set the ldap_tls_* path variables in sssd.conf to point to them.<\/p>\n<p>Edit sssd.conf to put your own OU in the ldap_*_base DNs.<\/p>\n<p><a href=\"http:\/\/staff.washington.edu\/ketcham\/centos7-ldi\/sssd.conf\">\/etc\/sssd\/sssd.conf<\/a><\/p>\n<pre>#Debug log level is set to maximum\r\n# Logs are in \/var\/log\/sssd\r\n[sssd]\r\ndebug_level = 0x0400\r\ndomains = netid.washington.edu\r\nservices = nss, pam\r\nconfig_file_version = 2\r\n\r\n[nss]\r\ndebug_level = 0x0400\r\nfilter_groups = root\r\nfilter_users = root\r\nreconnection_retries = 3\r\nentry_cache_timeout = 
300\r\nentry_cache_nowait_percentage = 75\r\n\r\n[domain\/netid.washington.edu]\r\ndebug_level = 0x0400\r\n# enumeration will affect performance\r\n#  set true or false depending on the number of users in your LDI OU\r\nenumerate = true\r\nid_provider = ldap\r\n# set min_id to avoid clash between \r\n#   lowest possible uid from uwnetid domain\r\n#   and highest possible local account uid\r\nmin_id = 2001\r\n\r\n# Disable for debugging...might enable for production:\r\ncache_credentials = false\r\nentry_cache_timeout = 300\r\n\r\nldap_uri = ldap:\/\/ldi.s.uw.edu\r\nldap_id_use_start_tls = true\r\nldap_tls_reqcert = demand\r\n<strong># These are the Redhat standard paths to cert and key directories<\/strong>\r\n<strong>#  Modify if your paths or file names are different<\/strong>\r\nldap_tls_cacert = \/etc\/pki\/tls\/certs\/ca-bundle.crt\r\nldap_tls_cert = \/etc\/pki\/tls\/certs\/ldi-client.crt\r\nldap_tls_key = \/etc\/pki\/tls\/private\/ldi-client.key\r\nldap_sasl_mech = EXTERNAL\r\n# <strong>Change '<em>chem<\/em>' to your own OU.<\/strong>\r\nldap_search_base = ou=<em><strong>chem<\/strong><\/em>,dc=ldi,dc=uw,dc=edu\r\nldap_user_search_base = ou=accounts,ou=<em><strong>chem<\/strong><\/em>,dc=ldi,dc=uw,dc=edu\r\nldap_group_search_base = ou=groups,ou=<em><strong>chem<\/strong><\/em>,dc=ldi,dc=uw,dc=edu\r\n\r\nuse_fully_qualified_names = false\r\nfallback_homedir = \/home\/%u\r\nshell_fallback = \/bin\/bash\r\n\r\nauth_provider = krb5\r\n# external krb5 configuration is not used, all configuration is here:\r\nkrb5_realm = NETID.WASHINGTON.EDU\r\nkrb5_server = netid.washington.edu\r\n\r\n# If you prefer instead to use kerberos settings from \/etc\/krb5.conf\r\n# then set:\r\n# krb5_use_kdcinfo = false\r\n\r\n# \/etc\/krb5.keytab is not used, unless you want to enable this:\r\n# krb5_validate = true\r\n<\/pre>\n<h3>Start sssd and check status.<\/h3>\n<pre><span style=\"color: #999999;\">[root]#<\/span> systemctl start sssd<\/pre>\n<p>Wait a few seconds for startup 
then issue<\/p>\n<pre><span style=\"color: #999999;\">[root]#<\/span> systemctl status sssd<\/pre>\n<p>If status shows <strong>failed<\/strong>, examine your logs in \/var\/log\/sssd.<\/p>\n<p>If status is <strong>active (running)<\/strong>, then proceed to test login with your netid.<\/p>\n<pre><span style=\"color: #999999;\">[root]#<\/span> systemctl status sssd\r\n\u25cf sssd.service - System Security Services Daemon\r\n Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: disabled)\r\n Drop-In: \/etc\/systemd\/system\/sssd.service.d\r\n \u2514\u2500journal.conf\r\n Active: <strong>active (running)<\/strong> since Thu 2017-05-18 13:09:24 PDT; 4h 40min ago\r\n Process: 468 ExecStart=\/usr\/sbin\/sssd -D -f (code=exited, status=0\/SUCCESS)\r\n Main PID: 501 (sssd)\r\n CGroup: \/system.slice\/sssd.service\r\n \u251c\u2500501 \/usr\/sbin\/sssd -D -f\r\n \u251c\u2500512 \/usr\/libexec\/sssd\/sssd_be --domain netid.washington.edu --uid 0 --gid 0 --de...\r\n \u251c\u2500562 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --debug-to-files\r\n \u2514\u2500563 \/usr\/libexec\/sssd\/sssd_pam --uid 0 --gid 0 --debug-to-files\r\n\r\nMay 18 13:09:21 lditest.chem.washington.edu systemd[1]: Starting System Security Services Da....\r\nMay 18 13:09:22 lditest.chem.washington.edu sssd[501]: Starting up\r\nMay 18 13:09:23 lditest.chem.washington.edu sssd[be[netid.washington.edu]][512]: Starting up\r\nMay 18 13:09:23 lditest.chem.washington.edu sssd[pam][563]: Starting up\r\nMay 18 13:09:23 lditest.chem.washington.edu sssd[nss][562]: Starting up\r\nMay 18 13:09:24 lditest.chem.washington.edu systemd[1]: Started System Security Services Daemon.\r\nHint: Some lines were ellipsized, use -l to show in full.<\/pre>\n<h3>Test login with a NetID that you have synchronized to your LDI OU.<\/h3>\n<p>Test these three login modalities:<\/p>\n<ul>\n<li>gdm (graphical login)<\/li>\n<li>local console (do ctrl-alt-f2 to get a text-console login prompt)<\/li>\n<li>ssh 
(remote login)<\/li>\n<\/ul>\n<p>If login fails, examine your sssd logs and the journalctl output.<\/p>\n<h3>Configure for production.<\/h3>\n<p>Once everything is working, you may want to remove debug logging from sssd.conf and from the pam files, and you may want to set selinux to &#8216;enforcing&#8217;.<\/p>\n<p>Also configure caching for performance. (I usually disable caching for debugging because it tends to confuse troubleshooting.)<\/p>\n<p>Restart services, or reboot.<\/p>\n<hr \/>\n<p id=\"CA_Installation\">Notes on UW CA Installation<\/p>\n<p>Get the UW Services CA cert <a href=\"http:\/\/certs.cac.washington.edu\/?req=svpem\">here<\/a>.<\/p>\n<p>Per Redhat convention, install the UW CA pem in \/etc\/pki\/ca-trust\/source\/anchors:<\/p>\n<pre><span style=\"color: #999999;\">[root]#<\/span> cp UWServicesCA.pem \/etc\/pki\/ca-trust\/source\/anchors\r\n<span style=\"color: #999999;\">[root]#<\/span> update-ca-trust extract<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I describe here the setup of CentOS 7 with sssd for login with UW kerberos and LDI. First you must have your LDI OU created and set up your client cert. The default installation of CentOS7 will include the packages needed. 
Set selinux to &#8216;permissive&#8217; until you get things working.\u00a0 After, you can deal with&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,2],"tags":[8,3,7],"_links":{"self":[{"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/posts\/87"}],"collection":[{"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/comments?post=87"}],"version-history":[{"count":12,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/posts\/87\/revisions"}],"predecessor-version":[{"id":122,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/posts\/87\/revisions\/122"}],"wp:attachment":[{"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/media?parent=87"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/categories?post=87"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staff.washington.edu\/ketcham\/wp-json\/wp\/v2\/tags?post=87"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}