linux
Sinot, 2017-09-26 11:46:23

How to setup sssd for AD in Debian 9?

Greetings!
I decided to try joining the PC to the domain using realmd. I installed realmd and packagekit myself. Time is synchronized with the domain controller. Joined the domain with the command:

realm join --user=vt4 crb.local

Everything went without errors. I also added to the end of the /etc/pam.d/common-session file (the first two separators are tabs):
session required pam_mkhomedir.so skel=/etc/skel umask=0077

And in /etc/sssd/sssd.conf added to the sssd section:
default_domain_suffix = crb.local

Final sssd.conf
[sssd]
domains = crb.local
config_file_version = 2
services = nss, pam
default_domain_suffix = crb.local
[domain/crb.local]
ad_domain = crb.local
krb5_realm = CRB.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

getent passwd does not show domain users as it did when configuring winbind, but if you specify a user:
getent passwd vt4
vt4@crb.local:*:542801353:542800513:Vladimir Sinotov:/home/vt4@crb.local:/bin/bash

Same story with getent group. I will not give the output, as there are many users in the groups.
id vt4
uid=542801353(vt4@crb.local) gid=542800513(domain users@crb.local) groups=542800513(domain users@crb.local),<...>

Also, all these commands work with vt4@crb.local, vt4@crb, crb.local\vt4 and crb\vt4.
But it is not possible to enter the system under domain users. If you login via su as root:
root@vt-linuxmail:/home/user# su vt4
su: System Error
(Ignored)
vt4@crb.local@vt-linuxmail:/home/user$

Even a home directory is created.
From an unprivileged user:
user@vt-linuxmail:~$ su vt4
Password:
su: System error
user@vt-linuxmail:~$

It is also expected that you will not be able to log in via ssh.
/var/log/auth.log
# Attempt to connect via ssh
Sep 26 08:53:08 vt-linuxmail sshd[458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.14 user=vt4
Sep 26 08:53:08 vt-linuxmail sshd[458]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.14 user=vt4
Sep 26 08:53:12 vt-linuxmail sshd[458]: pam_sss(sshd:account): Access denied for user vt4: 4 (System error)
Sep 26 08:53:12 vt-linuxmail sshd[458]: Failed password for vt4 from 192.168.0.14 port 33596 ssh2
Sep 26 08:53:12 vt-linuxmail sshd[458]: fatal: Access denied for user vt4 by PAM account configuration [preauth]
# Attempt of su vt4 by the user "user"
Sep 26 09:03:59 vt-linuxmail su[486]: pam_unix(su:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost= user=vt4
Sep 26 09:03:59 vt-linuxmail su[486]: pam_sss(su:auth): authentication success; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost= user=vt4
Sep 26 09:04:03 vt-linuxmail su[486]: pam_sss(su:account): Access denied for user vt4: 4 (Системная ошибка)
Sep 26 09:04:03 vt-linuxmail su[486]: pam_acct_mgmt: System error
Sep 26 09:04:03 vt-linuxmail su[486]: FAILED su for vt4 by user
Sep 26 09:04:03 vt-linuxmail su[486]: - /dev/pts/1 user:vt4

I have no idea what to do.
Thank you.
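
The auth.log lines above show the same pattern for both sshd and su: pam_sss reports authentication success, and then the account stage returns code 4. The following added script (not from the post, and not part of sssd) groups PAM messages per service PID and tells a credential failure apart from an account-stage denial; the log text is constructed from the excerpt above, with one extra sshd session (pid 501, rejected password) added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth.log excerpt in the question plus one
# extra sshd session (pid 501) with a rejected password, for contrast.
SAMPLE_LOG = """\
Sep 26 08:53:08 vt-linuxmail sshd[458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.14 user=vt4
Sep 26 08:53:08 vt-linuxmail sshd[458]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.14 user=vt4
Sep 26 08:53:12 vt-linuxmail sshd[458]: pam_sss(sshd:account): Access denied for user vt4: 4 (System error)
Sep 26 08:53:12 vt-linuxmail sshd[458]: fatal: Access denied for user vt4 by PAM account configuration [preauth]
Sep 26 09:03:59 vt-linuxmail su[486]: pam_unix(su:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost= user=vt4
Sep 26 09:03:59 vt-linuxmail su[486]: pam_sss(su:auth): authentication success; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost= user=vt4
Sep 26 09:04:03 vt-linuxmail su[486]: pam_sss(su:account): Access denied for user vt4: 4 (System error)
Sep 26 09:10:00 vt-linuxmail sshd[501]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.14 user=vt4
"""

# One PAM module message: "<ts> <host> <svc>[<pid>]: pam_x(<service>:<stage>): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>auth|account|session|password)\): "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"(?:\buser=|\bfor user )(\w+)")  # "user=vt4" / "for user vt4"
CODE_RE = re.compile(r": (\d+) \(")                     # pam_sss code, e.g. ": 4 (System error)"

def parse(log_text):
    """Group PAM module messages by (service, pid), i.e. one PAM conversation each."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-module lines such as "fatal: Access denied ..." are skipped
            sessions[(m["service"], m["pid"])].append(m.groupdict())
    return sessions

def classify(events):
    """Tell a wrong password (auth stage) apart from an account-stage denial."""
    user = next((u for e in events for u in USER_RE.findall(e["msg"])), None)
    sss_auth_ok = any(e["module"] == "pam_sss" and e["stage"] == "auth"
                      and "success" in e["msg"] for e in events)
    denied = [e for e in events if e["stage"] == "account" and "Access denied" in e["msg"]]
    if denied:  # credentials were accepted; the account checks failed (4 = PAM_SYSTEM_ERR)
        code = CODE_RE.search(denied[0]["msg"])
        return {"user": user, "verdict": "account_denied",
                "pam_code": int(code[1]) if code else None}
    verdict = "auth_ok" if sss_auth_ok else "auth_failed"
    return {"user": user, "verdict": verdict, "pam_code": None}

def triage(log_text):
    """Map 'svc[pid]' -> classification for every PAM conversation in the log."""
    return {f"{svc}[{pid}]": classify(ev) for (svc, pid), ev in parse(log_text).items()}
```

A verdict of account_denied with pam_code 4 means the password was accepted and the failure is in the account stage handled by sssd, so the sssd domain log is the next place to look rather than the credentials.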


2 answer(s)
CityCat4, 2017-09-26
@Sinot

I can give a really valid, but slightly mutilated sssd.conf

[sssd]
config_file_version = 2
domains = domain.int
services = nss

[nss]
filter_users = root
shell_fallback = /sbin/nologin
fallback_homedir = /usr/share/smbusers/%u
default_shell = /bin/sh

[domain/domain.int]
id_provider = ldap
auth_provider = ad
access_provider = ldap
selinux_provider = none

ldap_referrals = false

ldap_uri = ldap://dc1.domain.int/
ldap_backup_uri = ldap://dc3.domain.int/

ad_server = dc1.domain.int
ad_backup_server = dc3.domain.int

ldap_sasl_mech = GSSAPI

ldap_id_mapping = true
ldap_schema = ad
ldap_idmap_default_domain_sid = S-1-5-21-xxx... (many digits)
lookup_family_order = ipv4_only
case_sensitive = false

ldap_user_search_base = dc=domain,dc=int
ldap_group_search_base = dc=domain,dc=int

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

krb5_realm = DOMAIN.INT
krb5_canonicalize = false

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_principal = userPrincipalName
ldap_user_modify_timestamp = whenChanged
ldap_user_shadow_last_change = pwdLastSet
ldap_user_shadow_expire = accountExpires

ldap_group_object_class = group
ldap_group_name = cn

man sssd.conf, man sssd-ldap, man sssd-ad

Alexey Maksimov, 2017-11-19
@A_Maksimov

Perhaps you will be helped by several articles with practical examples and recommendations from here
