Zielstellung:
- Authentifizierung der Linux User–Anmeldung gegen ein Active Directory
- Authentifizierung der SSH Logins gegen ein Active Directory
- Absicherung mittels Kerberos Tickets
Voraussetzungen:
- eine aktuelle Debian (Testing/Bullseye) Umgebung
- ein funktionierendes (Samba) Active-Directory
- benötigt ein AD, siehe: Samba als Active Directory Domain Controller
- DNS und NTP Quelle sind der/die Domain Controller
- auf den Active-Directory CLIENT Systemen verwenden wir standardmäßig systemd-timesyncd
Überblick über die verwendeten Konfigurationen:
Realm: PLITC.INTERN Domain: PLITC IP-Adresse des Domain Controllers: 10.102.1.16 DNS Resolver: 10.102.1.16 NTP Server: 10.102.1.16 Samba-Administrator: Administrator
Vorbedingungen prüfen, ggf. umsetzen:
- HOSTS einstellen:
#
root@it-daniel:~# cat /etc/hosts
### ### ### PLITC ### ### ###
127.0.0.1 localhost
127.0.1.1 it-daniel.plitc.intern it-daniel
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.102.1.16 plitc0-dc1.plitc.intern plitc0-dc1
### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
#
2. DNS Resolver einstellen:
#
root@it-daniel:~# chattr -i /etc/resolv.conf
root@it-daniel:~# cat /etc/resolv.conf
### ### ### PLITC ### ### ###
search plitc.intern
nameserver 10.102.1.16 # plitc0-dc1 (first)
### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~# chattr +i /etc/resolv.conf
#
3. FQDN einstellen:
#
root@it-daniel:~# cat /etc/hostname
it-daniel.plitc.intern
root@it-daniel:~#
#
4. NTP Server einstellen:
#
root@it-daniel:~# tail -n 8 /etc/systemd/timesyncd.conf
[Time]
NTP=plitc0-dc1.plitc.intern
FallbackNTP=de.pool.ntp.org
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
root@it-daniel:~#
#
#
systemctl daemon-reload
systemctl restart systemd-timesyncd.service
systemctl status systemd-timesyncd.service
#
5. Time Sync Status:
#
root@it-daniel:~# timedatectl status
Local time: Di 2021-01-05 18:22:09 CET
Universal time: Di 2021-01-05 17:22:09 UTC
RTC time: Di 2021-01-05 17:22:09
Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
root@it-daniel:~#
root@it-daniel:~# timedatectl timesync-status
Server: 10.102.1.16 (plitc0-dc1.plitc.intern)
Poll interval: 8min 32s (min: 32s; max 34min 8s)
Leap: normal
Version: 4
Stratum: 2
Reference: 4F852C8D
Precision: 1us (-26)
Root distance: 2.601ms (max: 5s)
Offset: -1.304ms
Delay: 33.276ms
Jitter: 1.432ms
Packet count: 4
Frequency: +12,008ppm
root@it-daniel:~#
#
Installation / Konfiguration:
- Installation der Pakete:
#
apt-get install krb5-user libpam-krb5 realmd sssd sssd-tools adcli libnss-sss libpam-sss samba-common-bin
#
2. Kerberos Konfiguration:
#
root@it-daniel:~# cat /etc/krb5.conf
[libdefaults]
default_realm = PLITC.INTERN
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
PLITC.INTERN = {
kdc = plitc0-dc1.plitc.intern
# kdc = plitc0-dc2.plitc.intern
# kdc = plitc0-dc3.plitc.intern
default_domain = plitc.intern
admin_server = plitc0-dc1.plitc.intern
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.plitc.intern = PLITC.INTERN
plitc.intern = PLITC.INTERN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = true
minimum_uid = 1
}
# EOF
root@it-daniel:~#
#
3. Initialisierung eines Kerberos Tickets eines Administrator Accounts:
#
root@it-daniel:~# kinit administrator@PLITC.INTERN
Passwort für administrator@PLITC.INTERN:
root@it-daniel:~#
root@it-daniel:~# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: administrator@PLITC.INTERN
Valid starting Expires Service principal
05.01.2021 18:50:28 06.01.2021 18:50:26 krbtgt/PLITC.INTERN@PLITC.INTERN
root@it-daniel:~#
#
4. SSHD um Kerberos Support (für SSHv2) erweitern, die folgenden Zeilen müssen ergänzt werden:
#
root@it-daniel:~# tail -n 9 /etc/ssh/sshd_config
#// Kerberos for SSHv2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
root@it-daniel:~# systemctl restart sshd; systemctl status sshd
#
5. realmd Konfigurieren:
#
root@it-daniel:~# cat /etc/realmd.conf
[service]
automatic-install = no
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[plitc.intern]
computer-ou = CN=Computers,DC=plitc,DC=intern
automatic-id-mapping = yes
fully-qualified-names = no
root@it-daniel:~#
#
6. Den Linux CLIENT der Active-Directory Domain hinzufügen:
#
root@it-daniel:~# realm discover plitc.intern
plitc.intern
type: kerberos
realm-name: PLITC.INTERN
domain-name: plitc.intern
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@it-daniel:~#
#
#
root@it-daniel:~# realm join plitc.intern
root@it-daniel:~# echo $?
0
root@it-daniel:~#
#
Hilfreich beim Debugging ist:
#
root@it-daniel:~# tail -f /var/log/auth.log
#
Beispieloutput:
#
Jan 5 19:22:32 it-daniel realmd[17700]: packages: call Resolve (262144, ['sssd-tools', 'sssd', 'libnss-sss', 'libpam-sss', 'adcli'])
Jan 5 19:22:32 it-daniel realmd[17700]: packages: call Resolve completed
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'adcli;0.9.0-1;amd64;installed:debian-testing-main', 'Tool for performing actions on an Active Directory domain')
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libnss-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Nss library for the System Security Services Daemon')
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libpam-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Pam module for the System Security Services Daemon')
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- metapackage')
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd-tools;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- tools')
Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Finished (1, 229)
Jan 5 19:22:32 it-daniel realmd[17700]: * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0
Jan 5 19:22:32 it-daniel realmd[17700]: * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0
Jan 5 19:22:32 it-daniel realmd[17700]: process started: 17769
Jan 5 19:22:32 it-daniel realmd[17700]: packages: freeing transtaction
Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain name: plitc.intern
Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain name: plitc.intern
Jan 5 19:22:32 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL
Jan 5 19:22:32 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL
Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain realm: plitc.intern
Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain realm: plitc.intern
Jan 5 19:22:32 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16
Jan 5 19:22:32 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16
Jan 5 19:22:33 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM
Jan 5 19:22:33 it-daniel realmd[17700]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM
Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 2
Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up short domain name: PLITC
Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up short domain name: PLITC
Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX
Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX
Jan 5 19:22:33 it-daniel realmd[17700]: * Using fully qualified name: it-daniel.plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Using fully qualified name: it-daniel.plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain name: plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain name: plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Using computer account name: IT-DANIEL
Jan 5 19:22:33 it-daniel realmd[17700]: * Using computer account name: IT-DANIEL
Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain realm: plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain realm: plitc.intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL
Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL
Jan 5 19:22:33 it-daniel realmd[17700]: * Generated 120 character computer password
Jan 5 19:22:33 it-daniel realmd[17700]: * Generated 120 character computer password
Jan 5 19:22:33 it-daniel realmd[17700]: * Using keytab: FILE:/etc/krb5.keytab
Jan 5 19:22:33 it-daniel realmd[17700]: * Using keytab: FILE:/etc/krb5.keytab
Jan 5 19:22:33 it-daniel realmd[17700]: * Computer account for IT-DANIEL$ does not exist
Jan 5 19:22:33 it-daniel realmd[17700]: * Computer account for IT-DANIEL$ does not exist
Jan 5 19:22:33 it-daniel realmd[17700]: * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [3] not permitted.
Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [3] not permitted.
Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [1] not permitted.
Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [1] not permitted.
Jan 5 19:22:33 it-daniel realmd[17700]: * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:33 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16
Jan 5 19:22:33 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16
Jan 5 19:22:34 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Set computer password
Jan 5 19:22:34 it-daniel realmd[17700]: * Set computer password
Jan 5 19:22:34 it-daniel realmd[17700]: * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/IT-DANIEL
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/it-daniel.plitc.intern
Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/it-daniel.plitc.intern
Jan 5 19:22:35 it-daniel realmd[17700]: * Discovered which keytab salt to use
Jan 5 19:22:35 it-daniel realmd[17700]: * Discovered which keytab salt to use
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan 5 19:22:35 it-daniel realmd[17700]: process exited: 17769
Jan 5 19:22:35 it-daniel realmd[17700]: * /usr/sbin/update-rc.d sssd enable
Jan 5 19:22:35 it-daniel realmd[17700]: * /usr/sbin/update-rc.d sssd enable
Jan 5 19:22:35 it-daniel realmd[17700]: process started: 17797
Jan 5 19:22:36 it-daniel realmd[17700]: process exited: 17797
Jan 5 19:22:36 it-daniel realmd[17700]: * /usr/sbin/service sssd restart
Jan 5 19:22:36 it-daniel realmd[17700]: * /usr/sbin/service sssd restart
Jan 5 19:22:36 it-daniel realmd[17700]: process started: 17830
Jan 5 19:22:36 it-daniel realmd[17700]: process exited: 17830
Jan 5 19:22:36 it-daniel realmd[17700]: * Successfully enrolled machine in realm
Jan 5 19:22:36 it-daniel realmd[17700]: * Successfully enrolled machine in realm
Jan 5 19:22:36 it-daniel realmd[17700]: released daemon: current-invocation
Jan 5 19:22:36 it-daniel realmd[17700]: client gone away: :1.122
Jan 5 19:22:36 it-daniel realmd[17700]: released daemon: :1.122
Jan 5 19:23:36 it-daniel realmd[17700]: quitting realmd service after timeout
Jan 5 19:23:36 it-daniel realmd[17700]: stopping service
#
Beispielhaft eine Userauflösung:
#
root@it-daniel:~# getent passwd administrator
administrator:*:XXXXXXXXX:XXXXXXXXX:Administrator:/home/plitc.intern/administrator:/bin/bash
root@it-daniel:~#
root@it-daniel:~# getent group 'Domain Admins'
domain admins:*:XXXXXXXXX:administrator
root@it-daniel:~#
#
7. Zugriffskontrolle:
- Alle User: verbieten
- Erlaubt wird: Administrator
- Erlaubt wird: Domain Admins
#
realm deny --all
realm permit administrator
realm permit -g 'Domain Admins'
#
#
root@it-daniel:~# realm list
plitc.intern
type: kerberos
realm-name: PLITC.INTERN
domain-name: plitc.intern
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins: administrator
permitted-groups: Domain Admins
root@it-daniel:~#
#
8. für automatisiertes Erstellen der Home Verzeichnisse:
#
root@it-daniel:~# cat /etc/pam.d/common-session
### ### ### PLITC ### ### ###
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_sss.so
session optional pam_systemd.so
### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
#
Test des SSH Logons mittels Active-Directory Konto:
#
daniel@TEST-151:~$ ssh -q PLITC\\administrator@10.XXX.XXX.XXX
PLITC\administrator@10.XXX.XXX.XXX's password:
Last login: Tue Jan 5 20:15:39 2021 from 10.XXX.XXX.XXX
administrator@it-daniel:~$
administrator@it-daniel:~$ ls -all
insgesamt 16
drwxr-xr-x 1 administrator domain users 80 5. Jan 20:24 .
drwxr-xr-x 1 root root 26 5. Jan 20:15 ..
-rw------- 1 administrator domain users 33 5. Jan 20:24 .bash_history
-rw-r--r-- 1 administrator domain users 220 5. Jan 20:15 .bash_logout
-rw-r--r-- 1 administrator domain users 3526 5. Jan 20:15 .bashrc
-rw-r--r-- 1 administrator domain users 807 5. Jan 20:15 .profile
administrator@it-daniel:~$
#
9. unnötige Dienste deaktivieren:
#
systemctl stop sssd-nss.socket
systemctl disable sssd-nss.socket
systemctl stop sssd-pam-priv.socket
systemctl disable sssd-pam-priv.socket
systemctl stop sssd-pam.socket
systemctl disable sssd-pam.socket
#
Quellen:
- https://uit.stanford.edu/service/kerberos/install_debian
- https://www.pks.mpg.de/~mueller/docs/suse10.3/opensuse-manual_de/manual/sec.kerbadmin.sshd.html
- https://directory.apache.org/apacheds/kerberos-ug/4.1-authenticate-kinit.html
- https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch04s14.html
- https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd
- https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-de-4/s1-samba-servers.html
- https://www.elastic2ls.com/blog/linux-active-directory-authentication/
- http://manpages.ubuntu.com/manpages/bionic/man5/realmd.conf.5.html
Ergänzungen:
08.01.2021:
- Wenn alles richtig eingestellt wurde -> funktioniert auch ein Login mittels Display Manager (wie z.B. SLIM oder GDM3)
09.01.2021:
Für eine bessere Gesamtreaktionszeit des Systems -> sollte in der /etc/sssd/sssd.conf folgender Parameter (in dem nss Abschnitt) hinzugefügt werden:
#
memcache_timeout = 3600
#
Bei Laptops: (8 Stunden)
#
memcache_timeout = 28800
#
Je nach Bedarf auch: (24 Stunden)
#
memcache_timeout = 86400
#
Beispiel:
#
root@it-daniel:/etc/sssd# head -n 10 sssd.conf
[sssd]
domains = plitc.intern
config_file_version = 2
services = nss, pam
[nss]
memcache_timeout = 86400
[domain/plitc.intern]
... ... ...
root@it-daniel:/etc/sssd#
#
SSSD Service neustarten:
#
systemctl restart sssd.service; systemctl status sssd.service
#
09.01.2021:
SSSD Unterstützung für SUDO:
#
apt-get install libsss-sudo
#
nsswitch.conf anpassen:
#
root@it-daniel:~# tail -n 4 /etc/nsswitch.conf
sudoers: files sss
# EOF
root@it-daniel:~#
#
Active-Directory User der SUDO Gruppe hinzufügen:
#
root@it-daniel:~# usermod -a -G sudo daniel.plominski
#
09.01.2021:
SSH Login auf spezifische Active-Directory User beschränken:
#
root@it-daniel:~# grep "AllowUsers" /etc/ssh/sshd_config
AllowUsers administrator daniel.plominski
root@it-daniel:~#
#
22.01.2021:
Der sssd.service sollte erst nach der Netzwerkverbindung (After=network.target) gestartet werden!
#
root@it-daniel:/etc/systemd/system/multi-user.target.wants# cat sssd.service
[Unit]
Description=System Security Services Daemon
# SSSD must be running before we permit user sessions
Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target
After=network.target
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/default/sssd
ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
PIDFile=/run/sssd.pid
Restart=on-failure
[Install]
WantedBy=multi-user.target
root@it-daniel:/etc/systemd/system/multi-user.target.wants#
#