home dir and shell for Active Directory authenticated users

Solution 1

This issue was solved by moving the entries

override_homedir = /home/%u
default_shell = /bin/bash

from the [sssd] section of sssd.conf to [domain/lab.local].
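An added example (not from the original answers) that shows why Solution 1 works: a small validator that reads an sssd.conf, reports override_homedir and default_shell entries that sit outside the [nss] or [domain/*] sections where they are honoured, and resolves the effective value for a domain with the domain section taking precedence over [nss]. The two configuration samples are constructed for this example; the domain name lab.local and the user name are placeholders.

```python
import configparser

# Constructed sample: the layout from the question, where both options sit
# under [sssd] and are therefore ignored by the NSS responder.
MISPLACED_CONF = """
[sssd]
services = nss, pam
domains = lab.local
override_homedir = /home/%u
default_shell = /bin/bash

[domain/lab.local]
id_provider = ad
auth_provider = ad
"""

# Constructed sample: the same options moved into the domain section, with a
# weaker default in [nss] to show which one wins.
FIXED_CONF = """
[sssd]
services = nss, pam
domains = lab.local

[nss]
default_shell = /bin/sh

[domain/lab.local]
id_provider = ad
auth_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
"""

HOMEDIR_SHELL_OPTIONS = ("override_homedir", "default_shell")


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off so %u/%d survive untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd option names are case-sensitive
    cp.read_string(text)
    return cp


def misplaced_options(text):
    """Return (section, option) pairs that sssd will silently ignore."""
    cp = parse_sssd_conf(text)
    found = []
    for section in cp.sections():
        if section == "nss" or section.startswith("domain/"):
            continue
        for opt in HOMEDIR_SHELL_OPTIONS:
            if cp.has_option(section, opt):
                found.append((section, opt))
    return found


def effective_value(text, domain, option):
    """Resolve an option for one domain: [domain/<name>] beats [nss]."""
    cp = parse_sssd_conf(text)
    dom_section = "domain/" + domain
    if cp.has_option(dom_section, option):
        return cp.get(dom_section, option)
    if cp.has_option("nss", option):
        return cp.get("nss", option)
    return None


def expand_homedir(template, user, domain):
    """Expand the %u (user) and %d (domain) tokens of override_homedir."""
    return template.replace("%u", user).replace("%d", domain)


if __name__ == "__main__":
    for label, conf in (("misplaced", MISPLACED_CONF), ("fixed", FIXED_CONF)):
        print(label, "ignored:", misplaced_options(conf))
        home = effective_value(conf, "lab.local", "override_homedir")
        shell = effective_value(conf, "lab.local", "default_shell")
        print(label, "effective home:", home and expand_homedir(home, "graham", "lab.local"))
        print(label, "effective shell:", shell)
```

Run it against your own file with `parse_sssd_conf(open("/etc/sssd/sssd.conf").read())`; an empty result from `misplaced_options` together with the expected values from `effective_value` is what `getent passwd` should then reflect after an sssd restart.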

Solution 2

There are two parts of the equation. One is in SSSD and the Name Service Switch interface in particular. That part reports what the home directory is on the system and you can test it with "getent passwd $username". As long as that command gives you accurate answers, then SSSD is working as it should.

The other part is actually creating the home directories. I would recommend using oddjob and pam_oddjob_mkhomedir there over the old pam_mkhomedir. In my experience, it plays better with SELinux.

Look into /var/log/secure for error messages from the PAM modules.

Solution 3

Please see this post first: Common wisdom about Active Directory authentication for Linux Servers?

For RHEL/CentOS 6.x systems, I do:

  • Authconfig with the right initial SSSD settings.
  • Modify sssd.conf to taste.
  • Modify and configure oddjobd.

For authconfig, something like:

authconfig --enablesssd --ldapserver=ldap://dc1.ad.blahblah.com --ldapbasedn="dc=ad,dc=blahblah,dc=com" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.ad.blahblah.com --krb5realm=AD.BLAHBLAH.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

  • My simple sssd.conf would look like this: http://pastebin.com/Aa2XsYhh - Restart the sssd service after modifying the configuration.

  • I then install oddjob-mkhomedir with: yum install oddjob-mkhomedir. You can tune home directory permissions to taste in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

  • Make sure the sssd and oddjob services are set to start on boot.

That should be all that's needed.
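An added example (not part of the answers above) that checks the two halves Solution 2 and Solution 3 describe: whether NSS reports the expected home and shell for the user, as `getent passwd` would show, and whether the PAM session stack actually carries a mkhomedir module (pam_oddjob_mkhomedir or the older pam_mkhomedir). The getent line and the two PAM stack samples are constructed for this example; the user name, UID/GID values and paths are placeholders.

```python
import re

# Constructed sample of `getent passwd graham` once SSSD resolves the AD user.
GETENT_LINE = "graham:*:1512401103:1512400513:Graham Green:/home/graham:/bin/bash"

# Constructed sample session stack with oddjob's module present.
PAM_WITH_ODDJOB = """\
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed sample session stack with no mkhomedir module at all.
PAM_WITHOUT_MKHOMEDIR = """\
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_sss.so
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
MKHOMEDIR_RE = re.compile(r"\b(pam_oddjob_mkhomedir|pam_mkhomedir)\.so\b")


def parse_getent(line):
    """Split one passwd(5) line into a dict, or return None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        return None
    return dict(zip(PASSWD_FIELDS, fields))


def nss_ok(line, expected_home, expected_shell):
    """True when NSS (and so SSSD) reports the home and shell we configured."""
    entry = parse_getent(line)
    return (entry is not None
            and entry["home"] == expected_home
            and entry["shell"] == expected_shell)


def mkhomedir_module(pam_text):
    """Return the mkhomedir module found on a session line, or None."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line.startswith("session"):
            continue
        match = MKHOMEDIR_RE.search(line)
        if match:
            return match.group(1)
    return None


def diagnose(getent_line, pam_text, expected_home, expected_shell):
    """Report which half of the setup is missing, if any."""
    findings = []
    if not nss_ok(getent_line, expected_home, expected_shell):
        findings.append("nss: getent does not show the expected home/shell; check sssd.conf")
    module = mkhomedir_module(pam_text)
    if module is None:
        findings.append("pam: no mkhomedir module in the session stack; run authconfig --enablemkhomedir")
    elif module == "pam_mkhomedir":
        findings.append("pam: pam_mkhomedir present; oddjob-mkhomedir is preferred with SELinux")
    return findings


if __name__ == "__main__":
    print(diagnose(GETENT_LINE, PAM_WITH_ODDJOB, "/home/graham", "/bin/bash"))
    print(diagnose(GETENT_LINE, PAM_WITHOUT_MKHOMEDIR, "/home/graham", "/bin/bash"))
```

On a live system feed it the output of `getent passwd <user>` and the contents of /etc/pam.d/system-auth (or password-auth for sshd); an empty list means both halves are in place and any remaining failure should show up in /var/log/secure.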

Author: grahamjgreen

Updated on September 18, 2022

Comments

  • grahamjgreen
    grahamjgreen over 1 year

    I have successfully configured sssd and can ssh into a system with AD credentials; what I am missing is the creation of a home directory and bash set as the shell.

    My assumption is that if I log on to a system that does not already have a local linux account but which does have a valid AD account, a home directory is created the first time that user logs in and the appropriate shell is set as defined in /etc/sssd/sssd.conf:

    override_homedir = /home/%u
    default_shell = /bin/bash
    

    I have also run

    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
    

    What am I missing or am I making an incorrect assumption about my existing configuration?

    I want to avoid using the deprecated Identity Management for Unix feature of Windows.

    • ewwhite
      ewwhite about 9 years
      What operating system distribution and version?
    • grahamjgreen
      grahamjgreen about 9 years
      I am using CentOS 6.6 and Windows Server 2008 R2
    • junior ruby developer
      junior ruby developer over 3 years
      To configure Identity Management systems, Red Hat recommends using the ipa-client-install utility or the realmd system instead of authconfig. The authconfig utilities are limited and substantially less flexible. For more information, see Section 2.1, “Identity Management Tools for System Authentication”.
  • jhrozek
    jhrozek about 9 years
    The config is OK-ish if for whatever reason you can't use GSSAPI, but it definitely should not be suggested as a default! The default configs these days should use GSSAPI for authentication, see the sssd upstream guide - fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
  • jhrozek
    jhrozek about 9 years
    Ah, that's expected, then. We really should implement the config validator one of these days. The override_homedir and default_shell options are in effect only in the [nss] and [domain] sections, with domain options taking precedence over nss options.