Zielstellung:
- Authentifizierung der Linux User–Anmeldung gegen ein Active Directory
- Authentifizierung der SSH Logins gegen ein Active Directory
- Absicherung mittels Kerberos Tickets
Voraussetzungen:
- eine aktuelle Debian (Testing/Bullseye) Umgebung
- ein funktionierendes (Samba) Active-Directory
- benötigt ein AD, siehe: Samba als Active Directory Domain Controller
- DNS und NTP Quelle sind der/die Domain Controller
- auf den Active-Directory CLIENT Systemen verwenden wir standardmäßig systemd-timesyncd
Überblick über die verwendeten Konfigurationen:
Realm: PLITC.INTERN Domain: PLITC IP-Adresse des Domain Controllers: 10.102.1.16 DNS Resolver: 10.102.1.16 NTP Server: 10.102.1.16 Samba-Administrator: Administrator
Vorbedingungen prüfen, ggf. umsetzen:
- HOSTS einstellen:
# root@it-daniel:~# cat /etc/hosts ### ### ### PLITC ### ### ### 127.0.0.1 localhost 127.0.1.1 it-daniel.plitc.intern it-daniel ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.102.1.16 plitc0-dc1.plitc.intern plitc0-dc1 ### ### ### PLITC ### ### ### # EOF root@it-daniel:~# #
2. DNS Resolver einstellen:
# root@it-daniel:~# chattr -i /etc/resolv.conf root@it-daniel:~# cat /etc/resolv.conf ### ### ### PLITC ### ### ### search plitc.intern nameserver 10.102.1.16 # plitc0-dc1 (first) ### ### ### PLITC ### ### ### # EOF root@it-daniel:~# chattr +i /etc/resolv.conf #
3. FQDN einstellen:
# root@it-daniel:~# cat /etc/hostname it-daniel.plitc.intern root@it-daniel:~# #
4. NTP Server einstellen:
# root@it-daniel:~# tail -n 8 /etc/systemd/timesyncd.conf [Time] NTP=plitc0-dc1.plitc.intern FallbackNTP=de.pool.ntp.org #FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org #RootDistanceMaxSec=5 #PollIntervalMinSec=32 #PollIntervalMaxSec=2048 root@it-daniel:~# #
# systemctl daemon-reload systemctl restart systemd-timesyncd.service systemctl status systemd-timesyncd.service #
5. Time Sync Status:
#
root@it-daniel:~# timedatectl status
Local time: Di 2021-01-05 18:22:09 CET
Universal time: Di 2021-01-05 17:22:09 UTC
RTC time: Di 2021-01-05 17:22:09
Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
root@it-daniel:~#
root@it-daniel:~# timedatectl timesync-status
Server: 10.102.1.16 (plitc0-dc1.plitc.intern)
Poll interval: 8min 32s (min: 32s; max 34min 8s)
Leap: normal
Version: 4
Stratum: 2
Reference: 4F852C8D
Precision: 1us (-26)
Root distance: 2.601ms (max: 5s)
Offset: -1.304ms
Delay: 33.276ms
Jitter: 1.432ms
Packet count: 4
Frequency: +12,008ppm
root@it-daniel:~#
#
Installation / Konfiguration:
- Installation der Pakete:
# apt-get install krb5-user libpam-krb5 realmd sssd sssd-tools adcli libnss-sss libpam-sss samba-common-bin #
2. Kerberos Konfiguration:
#
root@it-daniel:~# cat /etc/krb5.conf
[libdefaults]
default_realm = PLITC.INTERN
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
PLITC.INTERN = {
kdc = plitc0-dc1.plitc.intern
# kdc = plitc0-dc2.plitc.intern
# kdc = plitc0-dc3.plitc.intern
default_domain = plitc.intern
admin_server = plitc0-dc1.plitc.intern
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.plitc.intern = PLITC.INTERN
plitc.intern = PLITC.INTERN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = true
minimum_uid = 1
}
# EOF
root@it-daniel:~#
#
3. Initialisierung eines Kerberos Tickets eines Administrator Accounts:
# root@it-daniel:~# kinit administrator@PLITC.INTERN Passwort für administrator@PLITC.INTERN: root@it-daniel:~# root@it-daniel:~# klist Ticketzwischenspeicher: FILE:/tmp/krb5cc_0 Standard-Principal: administrator@PLITC.INTERN Valid starting Expires Service principal 05.01.2021 18:50:28 06.01.2021 18:50:26 krbtgt/PLITC.INTERN@PLITC.INTERN root@it-daniel:~# #
4. SSHD um Kerberos Support (für SSHv2) erweitern, die folgenden Zeilen müssen ergänzt werden:
# root@it-daniel:~# tail -n 9 /etc/ssh/sshd_config #// Kerberos for SSHv2 GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange yes ### ### ### PLITC ### ### ### # EOF root@it-daniel:~# root@it-daniel:~# systemctl restart sshd; systemctl status sshd #
5. realmd Konfigurieren:
# root@it-daniel:~# cat /etc/realmd.conf [service] automatic-install = no [users] default-home = /home/%D/%U default-shell = /bin/bash [plitc.intern] computer-ou = CN=Computers,DC=plitc,DC=intern automatic-id-mapping = yes fully-qualified-names = no root@it-daniel:~# #
6. Den Linux CLIENT der Active-Directory Domain hinzufügen:
# root@it-daniel:~# realm discover plitc.intern plitc.intern type: kerberos realm-name: PLITC.INTERN domain-name: plitc.intern configured: no server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin root@it-daniel:~# #
# root@it-daniel:~# realm join plitc.intern root@it-daniel:~# echo $? 0 root@it-daniel:~# #
Hilfreich beim Debugging ist:
# root@it-daniel:~# tail -f /var/log/auth.log #
Beispieloutput:
# Jan 5 19:22:32 it-daniel realmd[17700]: packages: call Resolve (262144, ['sssd-tools', 'sssd', 'libnss-sss', 'libpam-sss', 'adcli']) Jan 5 19:22:32 it-daniel realmd[17700]: packages: call Resolve completed Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'adcli;0.9.0-1;amd64;installed:debian-testing-main', 'Tool for performing actions on an Active Directory domain') Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libnss-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Nss library for the System Security Services Daemon') Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libpam-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Pam module for the System Security Services Daemon') Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- metapackage') Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd-tools;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- tools') Jan 5 19:22:32 it-daniel realmd[17700]: packages: signal: Finished (1, 229) Jan 5 19:22:32 it-daniel realmd[17700]: * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0 Jan 5 19:22:32 it-daniel realmd[17700]: * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0 Jan 5 19:22:32 it-daniel realmd[17700]: process started: 17769 Jan 5 19:22:32 it-daniel realmd[17700]: packages: freeing transtaction Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain name: plitc.intern Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain name: plitc.intern Jan 5 19:22:32 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL Jan 5 19:22:32 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain realm: plitc.intern Jan 5 19:22:32 it-daniel realmd[17700]: * Using domain realm: plitc.intern Jan 5 19:22:32 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16 Jan 5 19:22:32 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16 Jan 5 19:22:33 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM Jan 5 19:22:33 it-daniel realmd[17700]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1 Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1 Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 1 Jan 5 19:22:33 it-daniel adcli: GSSAPI client step 2 Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up short domain name: PLITC Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up short domain name: PLITC Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX Jan 5 19:22:33 it-daniel realmd[17700]: * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX Jan 5 19:22:33 it-daniel realmd[17700]: * Using fully qualified name: it-daniel.plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Using fully qualified name: it-daniel.plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain name: plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain name: plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Using computer account name: IT-DANIEL Jan 5 19:22:33 it-daniel realmd[17700]: * Using computer account name: IT-DANIEL Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain realm: plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Using domain realm: plitc.intern Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account name from fqdn: IT-DANIEL Jan 5 19:22:33 it-daniel realmd[17700]: * Generated 120 character computer password Jan 5 19:22:33 it-daniel realmd[17700]: * Generated 120 character computer password Jan 5 19:22:33 it-daniel realmd[17700]: * Using keytab: FILE:/etc/krb5.keytab Jan 5 19:22:33 it-daniel realmd[17700]: * Using keytab: FILE:/etc/krb5.keytab Jan 5 19:22:33 it-daniel realmd[17700]: * Computer account for IT-DANIEL$ does not exist Jan 5 19:22:33 it-daniel realmd[17700]: * Computer account for IT-DANIEL$ does not exist Jan 5 19:22:33 it-daniel realmd[17700]: * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [3] not permitted. Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [3] not permitted. Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [1] not permitted. Jan 5 19:22:33 it-daniel realmd[17700]: * Encryption type [1] not permitted. Jan 5 19:22:33 it-daniel realmd[17700]: * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:33 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16 Jan 5 19:22:33 it-daniel realmd[17700]: * Sending NetLogon ping to domain controller: 10.102.1.16 Jan 5 19:22:34 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Received NetLogon info from: plitc0-dc1.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Set computer password Jan 5 19:22:34 it-daniel realmd[17700]: * Set computer password Jan 5 19:22:34 it-daniel realmd[17700]: * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:34 it-daniel realmd[17700]: * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Checking host/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Added host/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/IT-DANIEL Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Checking RestrictedKrbHost/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/it-daniel.plitc.intern Jan 5 19:22:34 it-daniel realmd[17700]: * Added RestrictedKrbHost/it-daniel.plitc.intern Jan 5 19:22:35 it-daniel realmd[17700]: * Discovered which keytab salt to use Jan 5 19:22:35 it-daniel realmd[17700]: * Discovered which keytab salt to use Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab Jan 5 19:22:35 it-daniel realmd[17700]: process exited: 17769 Jan 5 19:22:35 it-daniel realmd[17700]: * /usr/sbin/update-rc.d sssd enable Jan 5 19:22:35 it-daniel realmd[17700]: * /usr/sbin/update-rc.d sssd enable Jan 5 19:22:35 it-daniel realmd[17700]: process started: 17797 Jan 5 19:22:36 it-daniel realmd[17700]: process exited: 17797 Jan 5 19:22:36 it-daniel realmd[17700]: * /usr/sbin/service sssd restart Jan 5 19:22:36 it-daniel realmd[17700]: * /usr/sbin/service sssd restart Jan 5 19:22:36 it-daniel realmd[17700]: process started: 17830 Jan 5 19:22:36 it-daniel realmd[17700]: process exited: 17830 Jan 5 19:22:36 it-daniel realmd[17700]: * Successfully enrolled machine in realm Jan 5 19:22:36 it-daniel realmd[17700]: * Successfully enrolled machine in realm Jan 5 19:22:36 it-daniel realmd[17700]: released daemon: current-invocation Jan 5 19:22:36 it-daniel realmd[17700]: client gone away: :1.122 Jan 5 19:22:36 it-daniel realmd[17700]: released daemon: :1.122 Jan 5 19:23:36 it-daniel realmd[17700]: quitting realmd service after timeout Jan 5 19:23:36 it-daniel realmd[17700]: stopping service #
Beispielhaft eine Userauflösung:
# root@it-daniel:~# getent passwd administrator administrator:*:XXXXXXXXX:XXXXXXXXX:Administrator:/home/plitc.intern/administrator:/bin/bash root@it-daniel:~# root@it-daniel:~# getent group 'Domain Admins' domain admins:*:XXXXXXXXX:administrator root@it-daniel:~# #
7. Zugriffskontrolle:
- Alle User: verbieten
- Erlaubt wird: Administrator
- Erlaubt wird: Domain Admins
# realm deny --all realm permit administrator realm permit -g 'Domain Admins' #
# root@it-daniel:~# realm list plitc.intern type: kerberos realm-name: PLITC.INTERN domain-name: plitc.intern configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin login-formats: %U login-policy: allow-permitted-logins permitted-logins: administrator permitted-groups: Domain Admins root@it-daniel:~# #
8. für automatisiertes Erstellen der Home Verzeichnisse:
# root@it-daniel:~# cat /etc/pam.d/common-session ### ### ### PLITC ### ### ### session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 session optional pam_sss.so session optional pam_systemd.so ### ### ### PLITC ### ### ### # EOF root@it-daniel:~# #
Test des SSH Logons mittels Active-Directory Konto:
# daniel@TEST-151:~$ ssh -q PLITC\\administrator@10.XXX.XXX.XXX PLITC\administrator@10.XXX.XXX.XXX's password: Last login: Tue Jan 5 20:15:39 2021 from 10.XXX.XXX.XXX administrator@it-daniel:~$ administrator@it-daniel:~$ ls -all insgesamt 16 drwxr-xr-x 1 administrator domain users 80 5. Jan 20:24 . drwxr-xr-x 1 root root 26 5. Jan 20:15 .. -rw------- 1 administrator domain users 33 5. Jan 20:24 .bash_history -rw-r--r-- 1 administrator domain users 220 5. Jan 20:15 .bash_logout -rw-r--r-- 1 administrator domain users 3526 5. Jan 20:15 .bashrc -rw-r--r-- 1 administrator domain users 807 5. Jan 20:15 .profile administrator@it-daniel:~$ #
9. unnötige Dienste deaktivieren:
# systemctl stop sssd-nss.socket systemctl disable sssd-nss.socket systemctl stop sssd-pam-priv.socket systemctl disable sssd-pam-priv.socket systemctl stop sssd-pam.socket systemctl disable sssd-pam.socket #
Quellen:
- https://uit.stanford.edu/service/kerberos/install_debian
- https://www.pks.mpg.de/~mueller/docs/suse10.3/opensuse-manual_de/manual/sec.kerbadmin.sshd.html
- https://directory.apache.org/apacheds/kerberos-ug/4.1-authenticate-kinit.html
- https://www.oreilly.com/library/view/linux-security-cookbook/0596003919/ch04s14.html
- https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd
- https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-de-4/s1-samba-servers.html
- https://www.elastic2ls.com/blog/linux-active-directory-authentication/
- http://manpages.ubuntu.com/manpages/bionic/man5/realmd.conf.5.html
Ergänzungen:
08.01.2021:
- Wenn alles richtig eingestellt wurde -> funktioniert auch ein Login mittels Display Manager (wie z.B. SLIM oder GDM3)
09.01.2021:
Für eine bessere Gesamtreaktionszeit des Systems -> sollte in der /etc/sssd/sssd.conf folgender Parameter (in dem nss Abschnitt) hinzugefügt werden:
# memcache_timeout = 3600 #
Bei Laptops: (8 Stunden)
# memcache_timeout = 28800 #
Je nach Bedarf auch: (24 Stunden)
# memcache_timeout = 86400 #
Beispiel:
# root@it-daniel:/etc/sssd# head -n 10 sssd.conf [sssd] domains = plitc.intern config_file_version = 2 services = nss, pam [nss] memcache_timeout = 86400 [domain/plitc.intern] ... ... ... root@it-daniel:/etc/sssd# #
SSSD Service neustarten:
# systemctl restart sssd.service; systemctl status sssd.service #
09.01.2021:
SSSD Unterstützung für SUDO:
# apt-get install libsss-sudo #
nsswitch.conf anpassen:
# root@it-daniel:~# tail -n 4 /etc/nsswitch.conf sudoers: files sss # EOF root@it-daniel:~# #
Active-Directory User der SUDO Gruppe hinzufügen:
# root@it-daniel:~# usermod -a -G sudo daniel.plominski #
09.01.2021:
SSH Login auf spezifische Active-Directory User beschränken:
# root@it-daniel:~# grep "AllowUsers" /etc/ssh/sshd_config AllowUsers administrator daniel.plominski root@it-daniel:~# #
22.01.2021:
Der sssd.service sollte erst nach der Netzwerkverbindung (After=network.target) gestartet werden!
#
root@it-daniel:/etc/systemd/system/multi-user.target.wants# cat sssd.service
[Unit]
Description=System Security Services Daemon
# SSSD must be running before we permit user sessions
Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target
After=network.target
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/default/sssd
ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
PIDFile=/run/sssd.pid
Restart=on-failure
[Install]
WantedBy=multi-user.target
root@it-daniel:/etc/systemd/system/multi-user.target.wants#
#