Windows Active Directory Authentication with LDAP and automatic home directory creation

Gabriel A. Devenyi edited this page Jun 27, 2014 · 1 revision

On Frontend

  • Add all OS rolls (needed to satisfy dependencies)
  • Add update roll (just in case)
  • Rebuild rocks distro (this is what creates the local rpm database)
cd /export/rocks/install
rocks create distro
  • yum install sssd (now we can install the login stuff)
  • Use /etc/sssd/sssd.conf file (example below) already prepared (configured to properly talk to AD via LDAP)
    [domain/default]
    cache_credentials = false

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = mydomain

    [nss]
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    # Local LAN AD
    [domain/mydomain]
    debug_level = 9
    description = AD DC
    enumerate = false
    min_id = 1000
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5

    ldap_uri = ldap://myserver.mydomain.tld

    min_id = 1
    ldap_search_base = dc=mydomain #search base as per your ldap
    ldap_default_bind_dn = ldapuser@mydomain.tld
    ldap_default_authtok_type = password
    ldap_default_authtok = my_ldap_password
    ldap_user_search_base = OU=Users #Where users are located in your LDAP
    ldap_user_object_class = user
    ldap_user_name = sAMAccountName
    ldap_user_uid_number = uidNumber
    ldap_user_gid_number = gidNumber
    ldap_group_object_class = group
    fallback_homedir = /home/%u
    override_shell = /bin/bash

    krb5_server = AD-server.domain.tld
    krb5_realm = mydomain
  • authconfig --enablesssd --enablesssdauth --updateall (turns on sssd authentication)
  • Add to /etc/auto.home * lvsrouter.local:/export/home/& (this short-circuits the rocks sync users which would normally share home directories)
  • Add /etc/sssd/sssd.conf to 411 Files.mk
  • Rebuild 411 with make -C /var/411 force (needed to include auto.home and sssd.conf)
  • Add pam_exec line “session required pam_exec.so /etc/security/fix-homedir.sh”
#!/bin/bash

PATH=/bin:/usr/bin:/sbin

if [ ! $PAM_USER == "root" ]
then
	if [ ! -d /export/home/$PAM_USER ];
	then
		cp -r /etc/skel /export/home/$PAM_USER
		chown -R $PAM_USER:`id -gn $PAM_USER` /export/home/$PAM_USER
		/etc/init.d/autofs reload
		rocks sync users
		exit 1 #Reject user on first login so that their homedir gets created
	fi
fi
exit 0
  • Produce extend-compute.xml using postinstall scripts with:
    • yum install sssd (we do it this way rather than including the rpms because there’s a bunch of dependencies)
    • authconfig --enablesssd --enablesssdauth --updateall (turn on sssd)
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.