Troubleshooting

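# Troubleshooting checklist for an SSSD/AD-joined host. The commands are
# independent diagnostics; run them one at a time and compare outputs.
# Joined realm(s), client software and login policy as realmd sees them.
sudo realm list
# authselect profile currently applied to the PAM/NSS stack.
authselect current
# Domains SSSD serves, then a syntax/permission check of sssd.conf.
sssctl domain-list
sssctl config-check
# Compare NSS sources: local files only, one user via the sss backend
# ("user" is a placeholder), and the merged view. A user present in one
# and missing in another points at nsswitch.conf or SSSD configuration.
getent -s files passwd
getent -s sss   passwd user
getent          passwd
# SRV lookup for the domain's LDAP servers; no answer means the host cannot
# discover the domain controllers and the join/lookups will fail.
dig -t SRV _ldap._tcp.example.com
# Exercise the PAM "auth" stage of service sshd for user toto (placeholder)
# through SSSD's responder; it typically prompts for that user's password.
sssctl user-checks toto -s sshd -a auth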

Prerequisites:

  • Need ports 389 (LDAP) and 3268 (Global Catalog) reachable on the domain controllers

For RHEL 8:

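# RHEL 8: install the AD-join tooling, join the domain and enable home
# directory creation at first login. Run as root (or via sudo) on the host
# being joined.
dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

# Show what realmd can discover for the domain (DNS/SRV records, client
# software) before joining; fix DNS first if this prints nothing.
realm discover example.com
# Join with the dedicated join account; realm prompts for its password
# instead of taking it on the command line. --os-name/--os-version are
# used for the computer object's OS attributes in AD.
realm join example.com -U svc-sssd --client-software=sssd --os-name=RedHat --os-version=8

# Switch PAM/NSS to the sssd profile with pam_mkhomedir; the directory
# creation itself is done by oddjobd, which is enabled and started next.
sudo authselect select sssd with-mkhomedir
sudo systemctl enable --now oddjobd.service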
  • Contents of /etc/sssd/sssd.conf:
 1[sssd]
 2services = nss, pam, ssh, sudo
 3domains = example.com
 4config_file_version = 2
 5default_domain_suffix = example.com
 6
 7[domain/example.com]
 8default_shell = /bin/bash
 9override_shell = /bin/bash
10
11ad_domain = example.com
12krb5_realm = example.com
13realmd_tags = manages-system joined-with-adcli
14cache_credentials = True
15id_provider = ad
16krb5_store_password_if_offline = True
17ldap_id_mapping = True
18ldap_user_objectsid = objectSid
19ldap_group_objectsid = objectSid
20ldap_user_primary_group = primaryGroupID
21
22use_fully_qualified_names = True
23fallback_homedir = /home/%u
24
25access_provider = ad
26ldap_access_order=filter,expire
27ldap_account_expire_policy = ad
28ad_access_filter =  (memberOf=CN=INTERNAL Team,OU=team-platform,OU=test-groups,DC=example,DC=com)
29
30
31[nss]
32homedir_substring = /home
33
34[pam]
35pam_pwd_expiration_warning = 7
36pam_account_expired_message = Account expired, please contact AD administrator.
37pam_account_locked_message = Account locked, please contact AD administrator.
38pam_verbosity = 3
39
40[ssh]
41
42[sudo]
  • Reload the configuration:
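# Apply a changed sssd.conf: invalidate every cached entry (-E), restart the
# daemon, then invalidate again so nothing cached under the old configuration
# survives the restart.
sss_cache -E; systemctl restart sssd ; sss_cache -E
# Confirm the daemon came back up; a configuration error shows here.
systemctl status sssd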
  • Define sudo rights in /etc/sudoers.d/admin:
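# /etc/sudoers.d/admin - full sudo for the AD group "internal team".
# The group is written as EXAMPLE.COM\internal team; sudoers needs the
# backslash and the space escaped, hence "\\" and "\ ". Check this is the
# exact name the host resolves (compare with "getent group" output): with
# SSSD's default full_name_format the group appears as
# "internal team@example.com" instead. Validate before saving with
# "visudo -cf /etc/sudoers.d/admin" and keep the file mode 0440.
%EXAMPLE.COM\\internal\ team ALL=(ALL) ALL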
  • reload sudoers rights:
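# Allow the AD group to log in on this host via realmd's login policy.
# Note: "realm permit" manages SSSD login access, not sudoers. It typically
# switches the domain's access_provider to "simple" and writes
# simple_allow_groups into sssd.conf, replacing the access_provider = ad /
# ad_access_filter rule configured above. Re-read sssd.conf after running it
# and keep only one of the two mechanisms.
realm permit -g 'internal team@example.com'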