home dir and shell for Active Directory authenticated users
Solution 1
This issue was solved by moving the entries
override_homedir = /home/%u
default_shell = /bin/bash
from the [sssd] section of sssd.conf to [domain/lab.local]
Solution 2
There are two parts of the equation. One is in SSSD and the Name Service Switch interface in particular. That part reports what the home directory is on the system and you can test it with "getent passwd $username". As long as that command gives you accurate answers, then SSSD is working as it should.
The other part is actually creating the home directories. I would recommend using oddjob and pam_oddjob_mkhomedir there over the old pam_mkhomedir. In my experience, it plays better with SELinux.
Look in /var/log/secure for error messages from the PAM modules.
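The two halves described above can be told apart with a small check. The following is an added example, not the answerer's code: it parses `getent passwd` output (the NSS half) and only if that looks right asks whether the directory exists (the PAM/oddjob half). The `SAMPLE_LINES` are constructed passwd entries standing in for real `getent` output so the check runs offline; `lookup()` runs the real `getent` command when used on a host.

```python
"""Separate the NSS half (what SSSD reports) from the PAM half (whether the
home directory was actually created) when diagnosing AD logins."""
import os
import subprocess

# Constructed getent-style lines, not captured from a real system.
SAMPLE_LINES = [
    # overrides applied as intended
    "jdoe:*:1234567:1234567:John Doe:/home/jdoe:/bin/bash",
    # override_homedir / default_shell not in effect
    "asmith:*:1234568:1234568:Ann Smith:/home/asmith@lab.local:/bin/sh",
]

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd_line(line):
    """Split one passwd(5) line into a dict; ValueError if malformed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    entry = dict(zip(PASSWD_FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def lookup(username):
    """Ask NSS (and therefore SSSD) for the user; None if unknown."""
    proc = subprocess.run(["getent", "passwd", username],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_passwd_line(proc.stdout)


def diagnose(entry, home_root="/home", shell="/bin/bash", isdir=os.path.isdir):
    """Return (layer, message) findings.

    'nss' findings mean the sssd.conf overrides are not being applied;
    'pam' means NSS is fine but nothing created the directory, so the
    place to look is pam_oddjob_mkhomedir and /var/log/secure.
    """
    findings = []
    expected_home = os.path.join(home_root, entry["name"])
    if entry["home"] != expected_home:
        findings.append(("nss", "home is %s, expected %s"
                         % (entry["home"], expected_home)))
    if entry["shell"] != shell:
        findings.append(("nss", "shell is %s, expected %s"
                         % (entry["shell"], shell)))
    # Only worth checking the directory once NSS reports the right path.
    if not findings and not isdir(entry["home"]):
        findings.append(("pam", "%s has not been created" % entry["home"]))
    return findings


def layer_to_fix(findings):
    """'ok', 'nss' or 'pam': the layer the first finding points at."""
    return findings[0][0] if findings else "ok"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_passwd_line(line)
        # isdir stubbed so the sample runs on any machine
        print(e["name"], layer_to_fix(diagnose(e, isdir=lambda p: False)))
```

On a real host, replace the sample loop with `diagnose(lookup("someuser"))`; an `nss` result means go back to sssd.conf, a `pam` result means the NSS side is done and the mkhomedir module is the thing to debug.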
Solution 3
Please see this post first: Common wisdom about Active Directory authentication for Linux Servers?
For RHEL/CentOS 6.x systems, I do:
- Authconfig with the right initial SSSD settings.
- Modify sssd.conf to taste.
- Modify and configure oddjobd.
For authconfig, something like:
authconfig --enablesssd --ldapserver=ldap://dc1.ad.blahblah.com --ldapbasedn="dc=ad,dc=blahblah,dc=com" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.ad.blahblah.com --krb5realm=AD.BLAHBLAH.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall
My simple sssd.conf would look like this: http://pastebin.com/Aa2XsYhh - Restart the sssd service after modifying the configuration.
I then install oddjob-mkhomedir with:
yum install oddjob-mkhomedir
- You can tune home directory permissions to taste in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
Make sure the sssd and oddjob services are set to start on boot.
That should be all that's needed.
grahamjgreen
Updated on September 18, 2022
Comments
-
grahamjgreen over 1 year
I have successfully configured sssd and can ssh into a system with AD credentials; what I am missing is the creation of a home directory and bash set as the shell.
My assumption is that if I log on to a system that does not already have a local Linux account, but which does have a valid AD account, a home directory is created the first time that user logs in and the appropriate shell is set as defined in /etc/sssd/sssd.conf:
override_homedir = /home/%u
default_shell = /bin/bash
I have also run
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
What am I missing or am I making an incorrect assumption about my existing configuration?
I want to avoid using the deprecated Identity Management for Unix feature of Windows.
-
ewwhite about 9 years: What operating system distribution and version?
-
grahamjgreen about 9 years: I am using CentOS 6.6 and Windows Server 2008 R2
-
junior ruby developer over 3 years: To configure Identity Management systems, Red Hat recommends using the ipa-client-install utility or the realmd system instead of authconfig. The authconfig utilities are limited and substantially less flexible. For more information, see Section 2.1, “Identity Management Tools for System Authentication”.
-
jhrozek about 9 years: The config is OK-ish if for whatever reason you can't use GSSAPI, but it definitely should not be suggested as a default! The default configs these days should use GSSAPI for authentication, see the sssd upstream guide - fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
-
jhrozek about 9 years: Ah, that's expected, then. We really should implement the config validator one of these days. The override_homedir and default_shell options are in effect only in the [nss] and [domain] sections, with domain taking precedence over nss options.
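The section rule above (and the fix in Solution 1, which moved the two options out of [sssd]) is simple enough to check mechanically. The following is an added example, not the sssd project's validator or any commenter's code: it parses an sssd.conf, lists options that sit in a section where sssd ignores them, and resolves the value that would actually apply to a domain using the precedence stated in the comment. `SAMPLE_CONF` is a constructed file mirroring the misplacement from the question, not a real configuration; the sample domain name `lab.local` is taken from Solution 1.

```python
"""Flag override_homedir / default_shell entries that sssd will silently
ignore, and show which value wins for a given domain."""
import configparser

# Options this page says are honoured only in [nss] and [domain/...].
PLACEMENT_SENSITIVE = ("override_homedir", "default_shell")

# Constructed sssd.conf, not a real file: the two options are in [sssd],
# and the [nss] and [domain/...] sections disagree on purpose.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = lab.local
override_homedir = /home/%u
default_shell = /bin/bash

[nss]
default_shell = /bin/sh

[domain/lab.local]
id_provider = ad
override_homedir = /home/%d/%u
"""


def load_conf(text):
    # %u, %d, ... are sssd template tokens, so interpolation must be off or
    # configparser rejects the values.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def misplaced_options(cp):
    """(section, option) pairs that are outside [nss] / [domain/...]."""
    problems = []
    for section in cp.sections():
        if section == "nss" or section.startswith("domain/"):
            continue
        for opt in PLACEMENT_SENSITIVE:
            if cp.has_option(section, opt):
                problems.append((section, opt))
    return problems


def effective(cp, domain, opt):
    """Value sssd would use for `domain`: [domain/...] beats [nss]; None if unset."""
    dom_section = "domain/" + domain
    if cp.has_option(dom_section, opt):
        return cp.get(dom_section, opt)
    if cp.has_option("nss", opt):
        return cp.get("nss", opt)
    return None


def report(text, domain):
    """Human-readable findings for one config and one domain."""
    cp = load_conf(text)
    lines = []
    for section, opt in misplaced_options(cp):
        lines.append("ignored: %s in [%s] (move it to [nss] or [domain/%s])"
                     % (opt, section, domain))
    for opt in PLACEMENT_SENSITIVE:
        lines.append("effective %s for %s: %s"
                     % (opt, domain, effective(cp, domain, opt)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF, "lab.local")))
```

To run it against a live system, read `/etc/sssd/sssd.conf` (root only, mode 0600) and pass its text to `report()` with the domain named in `domains =`; the `ignored:` lines are exactly the case Solution 1 ran into.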