This package implements authentication and user management layers. Supported authentication providers are:
- OpenLDAP with POSIX attributes
- Samba or Windows Active Directory
It includes the following parts:
- SSSD configuration
- events for users and groups management
- web interface for user management
- password policy management
- system validators for users and groups
- SSSD perl library to ease the implementation of e-smith templates
The implementation can work in two modes:
- read-and-write: if nethserver-dc or nethserver-directory are installed, the system will provide all user management features like creation, modification and deletion of users and groups
- read-only: if users and groups are read from a remote source, the system will only be able to consume them through the passwd database
sssd=service
    AdDns=192.168.1.12
    BindDN=ldapservice@AD.EXAMPLE.COM
    BindPassword=cjnsdkuyf8934tjhvsdkljcvsdv
    LdapURI=
    Provider=ad
    Realm=AD.EXAMPLE.COM
    Workgroup=EXAMPLE
    DiscoverDcType=dns
    ShellOverrideStatus=disabled
    status=enabled
- AdDns: IP address of the Active Directory DNS server
- LdapURI: LDAP server URI (use the ldap:// or ldaps:// scheme)
- DiscoverDcType {dns,ldapuri}: dns queries the SRV records in AD DNS to find the DC name; ldapuri retrieves the DC name from the LdapURI prop value
- ShellOverrideStatus (default disabled): if enabled, the value of the passwd user's shell field is set to /bin/bash and is no longer read from the accounts provider. The event nethserver-sssd-save will expand and restart all services which use this property.
When the system is configured to use an Active Directory provider (Provider=ad), make sure to correctly set both the Realm and Workgroup properties:
- Realm: this is the Kerberos realm and it's case sensitive, but it's usually configured in upper case as best practice. When the realm is used for DNS queries, it's automatically forced to lower case.
- Workgroup: Samba NetBIOS name, maximum length is 15 characters. It's usually the first part of the Realm in upper case.
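The Realm/Workgroup rules above, together with the DiscoverDcType and LdapURI values described earlier, can be checked before the record is saved. This is an added example and not part of nethserver-sssd; it reads a record in the one-line "sssd=service prop=value ..." form, and the sample records are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of nethserver-sssd: sanity-check the AD-related props
# of an sssd record given in the one-line "sssd=service prop=value ..." form.
# Prints "OK" or a space-separated list of findings.

# prop RECORD NAME -> value of NAME (empty if the prop is missing or empty)
prop() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

check_sssd_record() {
    rec=$1; findings=''
    realm=$(prop "$rec" Realm)
    workgroup=$(prop "$rec" Workgroup)
    dctype=$(prop "$rec" DiscoverDcType)
    ldapuri=$(prop "$rec" LdapURI)
    # Only the AD provider needs Realm/Workgroup consistency
    if [ "$(prop "$rec" Provider)" = ad ]; then
        # Realm is a case-sensitive Kerberos realm, conventionally upper case
        [ -n "$realm" ] || findings="$findings Realm-missing"
        [ "$realm" = "$(printf '%s' "$realm" | tr a-z A-Z)" ] || findings="$findings Realm-not-uppercase"
        # Workgroup is a NetBIOS name: required, at most 15 characters
        [ -n "$workgroup" ] || findings="$findings Workgroup-missing"
        [ "${#workgroup}" -le 15 ] || findings="$findings Workgroup-too-long"
        # DiscoverDcType must be one of the documented values {dns,ldapuri}
        case "$dctype" in
            dns) ;;                  # DC located through SRV records in AD DNS
            ldapuri)                 # DC name taken from LdapURI, which must then be set
                case "$ldapuri" in
                    ldap://*|ldaps://*) ;;
                    *) findings="$findings LdapURI-invalid" ;;
                esac ;;
            *) findings="$findings DiscoverDcType-invalid" ;;
        esac
    fi
    if [ -z "$findings" ]; then echo OK; else echo "${findings# }"; fi
}

# Constructed sample records (placeholder values, no real hosts or secrets)
GOOD='sssd=service Provider=ad Realm=AD.EXAMPLE.COM Workgroup=EXAMPLE DiscoverDcType=dns LdapURI= status=enabled'
BAD='sssd=service Provider=ad Realm=ad.example.com Workgroup=EXAMPLETHATISTOOLONG DiscoverDcType=ldapuri LdapURI=dc1.ad.example.com'
check_sssd_record "$GOOD"   # OK
check_sssd_record "$BAD"    # Realm-not-uppercase Workgroup-too-long LdapURI-invalid
```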
Defined events are:
The event creates the user record inside the account provider database.
Parameters:
- username: must be unique
- name: full name of the user
- shell: default to /usr/libexec/openssh/sftp-server, if set to /bin/bash the user will be able to access the server using SSH
The event changes the full name inside the account provider databases
Parameters:
- username
- name: full name of the user
- shell: default to /usr/libexec/openssh/sftp-server, if set to /bin/bash the user will be able to access the server using SSH
Note: shell option can't be changed for AD users
The event deletes the user and removes it from all groups.
Parameters:
- username
This event deletes all data (home directory) and the emails of the user (given as parameter) if the email server is installed. This event is bound to the event user-delete. Every application which needs to remove the data of a user must use this event to trigger a specific action made to remove the data.
Parameters:
- username
The event locks the user, preventing access. All new users are in locked state.
Parameters:
- username
The event unlocks the user, re-enabling access. This event should be called after invoking the password-modify event for the user.
Parameters:
- username
The event creates the group record inside the account provider database.
Parameters:
- groupname: must be unique
- members: a list of users who are members of this group
The event changes the members of a group inside the account provider database.
Parameters:
- groupname: must be unique
- members: a list of users who are members of this group
This event deletes a group record from the account provider database.
Parameters:
- groupname
This event configures password expiration of a single user or of all users.
Parameters:
- username (optional)
- passexpires: it can be yes or no. If username is set and the value is yes, the user password will expire after a predefined number of days (see passwordstrength{MaxPassAge})
The password lifetime is defined by passwordstrength{MaxPassAge}.
This event removes any installed local account provider and also wipes the configuration of any remote account provider.
Before resetting the configuration, all accounts are dumped inside the following files in tsv format:
- /var/lib/nethserver/backup/users.tsv
- /var/lib/nethserver/backup/accounts.tsv
SSSD can access all users and groups from an account provider, but the Server Manager hides system users and groups.
The following users will not be accessible from the Server Manager:
- all users listed inside /etc/nethserver/system-users
- all users in /etc/passwd
The following groups will not be accessible from the web interface:
- all groups listed inside /etc/nethserver/system-groups
- all groups in /etc/group
The users and groups lists are retrieved by the following UI helpers:
/usr/libexec/nethserver/list-users
/usr/libexec/nethserver/list-groups
The number of entries returned by the server is limited. For instance, AD has a 1000 entries search results cap.
To retrieve the members of a group and the membership of a specific user:
/usr/libexec/nethserver/list-group-members
/usr/libexec/nethserver/list-user-membership
The Dashboard account counters are provided by:
/usr/libexec/nethserver/count-accounts
All those helpers support the -A flag, to include hidden entries, and the -s flag to return entries without the @domain suffix.
The Samba net ads search -k command can run an LDAP search against the AD LDAP servers. The command requires a valid Kerberos ticket and a configured environment variable, KRB5CCNAME, pointing to it.
The krb5exec command can set up the Kerberos ticket by authenticating with the machine credentials, providing the same environment where the UI helpers run, as explained in the previous section.
Putting the two commands together, the following command retrieves the admin account record from AD LDAP:
krb5exec net ads search -k sAMAccountName=admin
The same command with ldapsearch:
krb5exec ldapsearch -Y GSSAPI -b <BIND_PATH> -h <LDAP_SERVER_NAME> sAMAccountName=admin
Replace <BIND_PATH> and <LDAP_SERVER_NAME> with the values provided by net ads info.
NethServer::SSSD is the Perl library module to retrieve current LDAP configuration. It supports both Active Directory and OpenLDAP providers.
Template example:
{
    use NethServer::SSSD;
    my $sssd = NethServer::SSSD->new();
    $OUT .= "{ldap_uri, [".$sssd->ldapURI()."]}\n";
    if ($sssd->isAD()) {
        $OUT .= "{ldap_uids, [\"sAMAccountName\"]}.\n";
    }
}
All functions are documented using perldoc:
perldoc NethServer::SSSD
This command prints out the current settings by querying NethServer::SSSD methods. It requires the package openldap-clients:
/usr/sbin/account-provider-test dump
Check that the bind credentials are OK:
/usr/sbin/account-provider-test
The Active Directory join operation is run by realmd. After the AD has been joined successfully, the system keytab file is initialized, as well as the individual service keytabs defined on the respective service records (see `Service configuration hooks`_).
To leave a remote AD go to the :guilabel:`Accounts provider` page.
For the local AD provider, this is the manual leave procedure:
realm leave
realm leave # two times
If the machine password or system keytab get corrupted, joining the DC again can fix them:
realm join -U admin $(config getprop sssd Realm)
...at prompt, type the admin's password, then:
signal-event nethserver-sssd-save
If you leave and do not want to re-join, disable the sssd service permanently:
config setprop sssd status disabled Provider none
signal-event nethserver-sssd-save
signal-event nethserver-sssd-leave
signal-event nethserver-dnsmasq-save
Once we are bound to an account provider the FQDN cannot be changed any more. However, this procedure can be useful in early server configuration to fix a wrong FQDN. Please note that any existing account setting must be fixed manually. The procedure to do it is currently undefined.
For local account providers:
- Execute the leave procedure explained above
- Go to page :guilabel:`System name` and change the domain suffix in the FQDN field.
- Re-join as explained above
For remote account providers the procedure is similar. Use the :guilabel:`Accounts provider` page to leave/join the domain.
A service (e.g. dovecot, squid) record in the configuration DB can be extended with the following special props, that are read by smbads to create a Kerberos keytab file for the service:
dovecot=service
    ...
    KrbStatus=enabled
    KrbKeytabPath=/var/lib/dovecot/krb5.keytab
    KrbPrimaryList=smtp,imap,pop
    KrbKeytabOwner=
    KrbKeytabPerms=
- KrbStatus {enabled,disabled}: this is the main switch. If not set to enabled, smbads ignores the record when the service keytab is written.
- KrbKeytabPath: keytab file path. If empty, /var/lib/misc/nsrv-<service>.keytab is assumed.
- KrbPrimaryList <comma separated words list>: defines the keytab contents. In Kerberos jargon a "primary" is the first part of the principal string, before the slash (/) character. Any primary in this list is exported to the keytab.
- KrbKeytabOwner: the unix file owner. Default is the service name. This is applied to both the credentials cache file and the keytab file.
- KrbKeytabPerms: the unix bit permissions in octal form. Default is 0400. This is applied to both the credentials cache file and the keytab file.
The implementation is provided by /usr/libexec/nethserver/smbads.
Individual services can link themselves to the nethserver-sssd-initkeytabs action in their respective -update event.
It is up to the KDC administrator to configure the SPN in the KDC. For instance, with Active Directory run the following commands to add the SPNs for Dovecot:
kinit admin@$(config getprop sssd Realm)
net ads setspn list
net ads setspn add $(hostname -s) imap/$(hostname)
net ads setspn add $(hostname -s) pop/$(hostname)
net ads setspn add $(hostname -s) smtp/$(hostname)
kdestroy
signal-event nethserver-sssd-save
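The Krb* props and their defaults, and the SPNs that the KrbPrimaryList entries correspond to, can be worked out from a service record before smbads writes anything. This is an added example, not smbads itself; the record, host name and realm below are constructed placeholders, and the permission check at the end is a hardening check added here rather than something the page describes.

```shell
#!/bin/sh
# Added example, not smbads itself: resolve what the documented Krb* props of a
# service record amount to (defaults filled in), list the principals the keytab
# will contain, and flag a keytab mode looser than owner-only.
# Record format is the one-line "name=service prop=value ..." form shown above.

# prop RECORD NAME -> value of NAME (empty if the prop is missing or empty)
prop() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

# Prints "<keytab path> <owner> <perms>", applying the documented defaults:
# /var/lib/misc/nsrv-<service>.keytab, owner = service name, perms = 0400
keytab_settings() {
    svc=${1%%=*}                                  # record key before "=service"
    path=$(prop "$1" KrbKeytabPath);   [ -n "$path" ]  || path="/var/lib/misc/nsrv-$svc.keytab"
    owner=$(prop "$1" KrbKeytabOwner); [ -n "$owner" ] || owner=$svc
    perms=$(prop "$1" KrbKeytabPerms); [ -n "$perms" ] || perms=0400
    printf '%s %s %s\n' "$path" "$owner" "$perms"
}

# One principal "<primary>/<host>@<REALM>" per entry of KrbPrimaryList; these are
# the SPNs the KDC must know (cf. net ads setspn add above). Prints nothing
# unless KrbStatus=enabled, since smbads skips such records.
keytab_principals() {
    [ "$(prop "$1" KrbStatus)" = enabled ] || return 0
    for primary in $(prop "$1" KrbPrimaryList | tr ',' ' '); do
        printf '%s/%s@%s\n' "$primary" "$2" "$3"
    done
}

# Hardening check (added here): a keytab holds service keys, so any group or
# other bit in the octal mode is worth flagging. Prints "ok" or "too-permissive".
perms_check() {
    if [ $(( 0$1 & 077 )) -eq 0 ]; then echo ok; else echo too-permissive; fi
}

# Constructed sample record; host and realm below are placeholders
REC='dovecot=service KrbStatus=enabled KrbKeytabPath=/var/lib/dovecot/krb5.keytab KrbPrimaryList=smtp,imap,pop KrbKeytabOwner= KrbKeytabPerms='
keytab_settings "$REC"                                  # /var/lib/dovecot/krb5.keytab dovecot 0400
keytab_principals "$REC" mail.example.com AD.EXAMPLE.COM
perms_check "$(keytab_settings "$REC" | cut -d' ' -f3)" # ok
```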
There are some perl scripts under the documentation scripts/ directory:
rpm -qd nethserver-sssd
It is possible to create user accounts from a TSV (Tab Separated Values) file with the following format:
username <TAB> fullName <TAB> password <NEWLINE>
Sample invocation:
import_users users.tsv
Alternative separator character:
import_users users.csv ','
It is possible to create groups from a TSV (Tab Separated Values) file with the following format:
groupname <TAB> member1 <TAB> ... <TAB> memberN <NEWLINE>
Sample invocation:
import_groups groups.tsv
Alternative separator character:
import_groups groups.csv ','
It is possible to create mail aliases from a TSV (Tab Separated Values) file with the following format:
username <TAB> emailaddress <NEWLINE>
See the import_users section for a sample script invocation.
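Before running import_users on a file, it is worth checking that every line actually matches the "username <TAB> fullName <TAB> password" format above, since a malformed line is a bad account rather than a clean failure. The checker below is an added example and not the import_users script itself; the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not the import_users script itself: validate a users file in
# the "username<SEP>fullName<SEP>password" format before importing it. Each line
# must have exactly three fields, a non-empty username and password, and a
# username not seen earlier in the file. Prints "OK" or "<line>:<problem>" lines.

check_users_tsv() {
    file=$1
    sep=${2:-"$(printf '\t')"}          # default separator is a TAB, as for import_users
    out=$(awk -F "$sep" '
        NF != 3    { printf "%d:field-count=%d\n", NR, NF; next }
        $1 == ""   { printf "%d:empty-username\n", NR; next }
        $3 == ""   { printf "%d:empty-password\n", NR; next }
        $1 in seen { printf "%d:duplicate-username=%s\n", NR, $1; next }
                   { seen[$1] = 1 }
    ' "$file")
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo OK; fi
}

# Constructed sample input (no real accounts); written with printf so the TABs survive
SAMPLE=$(mktemp)
{
    printf 'alice\tAlice Example\tpw-one\n'
    printf 'bob\tBob Example\n'                  # password field missing
    printf 'alice\tAlice Again\tpw-two\n'        # username already used
    printf 'carol\tCarol Example\t\n'            # empty password
} > "$SAMPLE"
check_users_tsv "$SAMPLE"
# 2:field-count=2
# 3:duplicate-username=alice
# 4:empty-password
rm -f "$SAMPLE"
```

Passing ',' as the second argument checks a comma-separated file the same way, which also catches full names that contain the separator.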
The system can handle global or per-user policies. All policies are enforced by PAM and saved under passwordstrength inside the configuration database.
Available properties are:
- Users: change the password strength for all users, can be:
  - strong: (default) strong passwords must conform to cracklib checks
  - none: no strength check
- PassExpires: can be yes (default) or no. If set to no, passwords will not expire; if set to yes, the following properties apply:
  - MaxPassAge: minimum number of days for which the user is forced to keep the same password (default 0)
  - MinPassAge: maximum number of days for which the user can keep the same password (default: 180)
  - PassWarning: a shell warning is displayed to the user X days before password expiration
Configuration can be applied using the :command:`password-policy-update` event.
DB example:
passwordstrength=configuration
    MaxPassAge=180
    MinPassAge=0
    PassExpires=no
    PassWarning=7
    Users=none