
Debian with Active Directory authentication

Objectives:

  1. Authenticate Linux user logins against an Active Directory
  2. Authenticate SSH logins against an Active Directory
  3. Secure both with Kerberos tickets

Prerequisites:

  1. a current Debian (Testing/Bullseye) environment
  2. a working (Samba) Active Directory
  3. DNS and NTP source are the domain controller(s)
  4. on the Active Directory CLIENT systems we use systemd-timesyncd by default

Overview of the configuration used:

Realm: PLITC.INTERN
Domain: PLITC
IP address of the domain controller: 10.102.1.16
DNS resolver: 10.102.1.16
NTP server: 10.102.1.16
Samba administrator: Administrator

Check the prerequisites and put them in place if necessary:

  1. Configure HOSTS:
#
root@it-daniel:~# cat /etc/hosts
### ### ### PLITC ### ### ###

127.0.0.1     localhost
127.0.1.1     it-daniel.plitc.intern          it-daniel
::1           localhost    ip6-localhost      ip6-loopback
ff02::1       ip6-allnodes
ff02::2       ip6-allrouters

10.102.1.16   plitc0-dc1.plitc.intern         plitc0-dc1

### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
#

2. Configure the DNS resolver:

#
root@it-daniel:~# chattr -i /etc/resolv.conf
root@it-daniel:~# cat /etc/resolv.conf
### ### ### PLITC ### ### ###

search plitc.intern

nameserver 10.102.1.16      # plitc0-dc1 (first)

### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~# chattr +i /etc/resolv.conf
#

3. Set the FQDN:

#
root@it-daniel:~# cat /etc/hostname
it-daniel.plitc.intern
root@it-daniel:~#
#

4. Configure the NTP server:

#
root@it-daniel:~# tail -n 8 /etc/systemd/timesyncd.conf

[Time]
NTP=plitc0-dc1.plitc.intern
FallbackNTP=de.pool.ntp.org
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
root@it-daniel:~#
#
#
systemctl daemon-reload
systemctl restart systemd-timesyncd.service
systemctl status systemd-timesyncd.service
#

5. Time sync status:

#
root@it-daniel:~# timedatectl status
               Local time: Di 2021-01-05 18:22:09 CET
           Universal time: Di 2021-01-05 17:22:09 UTC
                 RTC time: Di 2021-01-05 17:22:09
                Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
root@it-daniel:~#
root@it-daniel:~# timedatectl timesync-status
       Server: 10.102.1.16 (plitc0-dc1.plitc.intern)
Poll interval: 8min 32s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: 4F852C8D
    Precision: 1us (-26)
Root distance: 2.601ms (max: 5s)
       Offset: -1.304ms
        Delay: 33.276ms
       Jitter: 1.432ms
 Packet count: 4
    Frequency: +12,008ppm
root@it-daniel:~#
#

Installation / configuration:

  1. Install the packages:
#
apt-get install krb5-user libpam-krb5 realmd sssd sssd-tools adcli libnss-sss libpam-sss samba-common-bin
#

2. Kerberos configuration:

#
root@it-daniel:~# cat /etc/krb5.conf

[libdefaults]
        default_realm = PLITC.INTERN
        clockskew = 300
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
        PLITC.INTERN = {
                kdc = plitc0-dc1.plitc.intern
                # kdc = plitc0-dc2.plitc.intern
                # kdc = plitc0-dc3.plitc.intern
                default_domain = plitc.intern
                admin_server = plitc0-dc1.plitc.intern
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .plitc.intern = PLITC.INTERN
        plitc.intern = PLITC.INTERN

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = true
                minimum_uid = 1
        }

# EOF
root@it-daniel:~#
#

3. Obtain a Kerberos ticket for an administrator account:

#
root@it-daniel:~# kinit administrator@PLITC.INTERN
Passwort für administrator@PLITC.INTERN:
root@it-daniel:~#
root@it-daniel:~# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: administrator@PLITC.INTERN

Valid starting       Expires              Service principal
05.01.2021 18:50:28  06.01.2021 18:50:26  krbtgt/PLITC.INTERN@PLITC.INTERN
root@it-daniel:~#
#

4. Add Kerberos support (for SSHv2) to SSHD; the following lines must be appended:

#
root@it-daniel:~# tail -n 9 /etc/ssh/sshd_config

#// Kerberos for SSHv2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes

### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
root@it-daniel:~# systemctl restart sshd; systemctl status sshd
#

5. Configure realmd:

#
root@it-daniel:~# cat /etc/realmd.conf

[service]
automatic-install = no

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[plitc.intern]
computer-ou = CN=Computers,DC=plitc,DC=intern
automatic-id-mapping = yes
fully-qualified-names = no

root@it-daniel:~#
#

6. Join the Linux CLIENT to the Active Directory domain:

#
root@it-daniel:~# realm discover plitc.intern
plitc.intern
  type: kerberos
  realm-name: PLITC.INTERN
  domain-name: plitc.intern
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
root@it-daniel:~#
#
#
root@it-daniel:~# realm join plitc.intern
root@it-daniel:~# echo $?
0
root@it-daniel:~#
#

Helpful for debugging:

#
root@it-daniel:~# tail -f /var/log/auth.log
#

Example output:

#
Jan  5 19:22:32 it-daniel realmd[17700]: packages: call Resolve (262144, ['sssd-tools', 'sssd', 'libnss-sss', 'libpam-sss', 'adcli'])
Jan  5 19:22:32 it-daniel realmd[17700]: packages: call Resolve completed
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'adcli;0.9.0-1;amd64;installed:debian-testing-main', 'Tool for performing actions on an Active Directory domain')
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libnss-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Nss library for the System Security Services Daemon')
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'libpam-sss;2.4.0-1;amd64;installed:debian-testing-main', 'Pam module for the System Security Services Daemon')
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- metapackage')
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Package (1, 'sssd-tools;2.4.0-1;amd64;installed:debian-testing-main', 'System Security Services Daemon -- tools')
Jan  5 19:22:32 it-daniel realmd[17700]: packages: signal: Finished (1, 229)
Jan  5 19:22:32 it-daniel realmd[17700]:  * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0
Jan  5 19:22:32 it-daniel realmd[17700]:  * LANG=C /usr/sbin/adcli join --verbose --domain plitc.intern --domain-realm PLITC.INTERN --domain-controller 10.102.1.16 --computer-ou CN=Computers,DC=plitc,DC=intern --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-OBZKW0
Jan  5 19:22:32 it-daniel realmd[17700]: process started: 17769
Jan  5 19:22:32 it-daniel realmd[17700]: packages: freeing transtaction
Jan  5 19:22:32 it-daniel realmd[17700]:  * Using domain name: plitc.intern
Jan  5 19:22:32 it-daniel realmd[17700]:  * Using domain name: plitc.intern
Jan  5 19:22:32 it-daniel realmd[17700]:  * Calculated computer account name from fqdn: IT-DANIEL
Jan  5 19:22:32 it-daniel realmd[17700]:  * Calculated computer account name from fqdn: IT-DANIEL
Jan  5 19:22:32 it-daniel realmd[17700]:  * Using domain realm: plitc.intern
Jan  5 19:22:32 it-daniel realmd[17700]:  * Using domain realm: plitc.intern
Jan  5 19:22:32 it-daniel realmd[17700]:  * Sending NetLogon ping to domain controller: 10.102.1.16
Jan  5 19:22:32 it-daniel realmd[17700]:  * Sending NetLogon ping to domain controller: 10.102.1.16
Jan  5 19:22:33 it-daniel realmd[17700]:  * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM
Jan  5 19:22:33 it-daniel realmd[17700]:  * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PPbJnQ/krb5.d/adcli-krb5-conf-ETPjVM
Jan  5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan  5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan  5 19:22:33 it-daniel adcli: GSSAPI client step 1
Jan  5 19:22:33 it-daniel adcli: GSSAPI client step 2
Jan  5 19:22:33 it-daniel realmd[17700]:  * Looked up short domain name: PLITC
Jan  5 19:22:33 it-daniel realmd[17700]:  * Looked up short domain name: PLITC
Jan  5 19:22:33 it-daniel realmd[17700]:  * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX
Jan  5 19:22:33 it-daniel realmd[17700]:  * Looked up domain SID: S-1-5-21-XXXXXXX-XXXXXXXX-XXXXXXXXX
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using fully qualified name: it-daniel.plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using fully qualified name: it-daniel.plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using domain name: plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using domain name: plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using computer account name: IT-DANIEL
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using computer account name: IT-DANIEL
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using domain realm: plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using domain realm: plitc.intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Calculated computer account name from fqdn: IT-DANIEL
Jan  5 19:22:33 it-daniel realmd[17700]:  * Calculated computer account name from fqdn: IT-DANIEL
Jan  5 19:22:33 it-daniel realmd[17700]:  * Generated 120 character computer password
Jan  5 19:22:33 it-daniel realmd[17700]:  * Generated 120 character computer password
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using keytab: FILE:/etc/krb5.keytab
Jan  5 19:22:33 it-daniel realmd[17700]:  * Using keytab: FILE:/etc/krb5.keytab
Jan  5 19:22:33 it-daniel realmd[17700]:  * Computer account for IT-DANIEL$ does not exist
Jan  5 19:22:33 it-daniel realmd[17700]:  * Computer account for IT-DANIEL$ does not exist
Jan  5 19:22:33 it-daniel realmd[17700]:  * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Well known computer container not found, but found suitable one at: CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Calculated computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Encryption type [3] not permitted.
Jan  5 19:22:33 it-daniel realmd[17700]:  * Encryption type [3] not permitted.
Jan  5 19:22:33 it-daniel realmd[17700]:  * Encryption type [1] not permitted.
Jan  5 19:22:33 it-daniel realmd[17700]:  * Encryption type [1] not permitted.
Jan  5 19:22:33 it-daniel realmd[17700]:  * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Created computer account: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:33 it-daniel realmd[17700]:  * Sending NetLogon ping to domain controller: 10.102.1.16
Jan  5 19:22:33 it-daniel realmd[17700]:  * Sending NetLogon ping to domain controller: 10.102.1.16
Jan  5 19:22:34 it-daniel realmd[17700]:  * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Received NetLogon info from: plitc0-dc1.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Set computer password
Jan  5 19:22:34 it-daniel realmd[17700]:  * Set computer password
Jan  5 19:22:34 it-daniel realmd[17700]:  * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Retrieved kvno '2' for computer account in directory: CN=IT-DANIEL,CN=Computers,DC=plitc,DC=intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking host/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking host/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added host/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added host/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking host/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking host/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added host/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added host/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking RestrictedKrbHost/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking RestrictedKrbHost/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added RestrictedKrbHost/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added RestrictedKrbHost/IT-DANIEL
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking RestrictedKrbHost/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  * Checking RestrictedKrbHost/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added RestrictedKrbHost/it-daniel.plitc.intern
Jan  5 19:22:34 it-daniel realmd[17700]:  *    Added RestrictedKrbHost/it-daniel.plitc.intern
Jan  5 19:22:35 it-daniel realmd[17700]:  * Discovered which keytab salt to use
Jan  5 19:22:35 it-daniel realmd[17700]:  * Discovered which keytab salt to use
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: IT-DANIEL$@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: host/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: host/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: RestrictedKrbHost/IT-DANIEL@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]:  * Added the entries to the keytab: RestrictedKrbHost/it-daniel.plitc.intern@PLITC.INTERN: FILE:/etc/krb5.keytab
Jan  5 19:22:35 it-daniel realmd[17700]: process exited: 17769
Jan  5 19:22:35 it-daniel realmd[17700]:  * /usr/sbin/update-rc.d sssd enable
Jan  5 19:22:35 it-daniel realmd[17700]:  * /usr/sbin/update-rc.d sssd enable
Jan  5 19:22:35 it-daniel realmd[17700]: process started: 17797
Jan  5 19:22:36 it-daniel realmd[17700]: process exited: 17797
Jan  5 19:22:36 it-daniel realmd[17700]:  * /usr/sbin/service sssd restart
Jan  5 19:22:36 it-daniel realmd[17700]:  * /usr/sbin/service sssd restart
Jan  5 19:22:36 it-daniel realmd[17700]: process started: 17830
Jan  5 19:22:36 it-daniel realmd[17700]: process exited: 17830
Jan  5 19:22:36 it-daniel realmd[17700]:  * Successfully enrolled machine in realm
Jan  5 19:22:36 it-daniel realmd[17700]:  * Successfully enrolled machine in realm
Jan  5 19:22:36 it-daniel realmd[17700]: released daemon: current-invocation
Jan  5 19:22:36 it-daniel realmd[17700]: client gone away: :1.122
Jan  5 19:22:36 it-daniel realmd[17700]: released daemon: :1.122
Jan  5 19:23:36 it-daniel realmd[17700]: quitting realmd service after timeout
Jan  5 19:23:36 it-daniel realmd[17700]: stopping service
#
[Screenshot: computer overview in the Active Directory]
[Screenshot: DNS entries]

An example user lookup:

#
root@it-daniel:~# getent passwd administrator
administrator:*:XXXXXXXXX:XXXXXXXXX:Administrator:/home/plitc.intern/administrator:/bin/bash
root@it-daniel:~#
root@it-daniel:~# getent group 'Domain Admins'
domain admins:*:XXXXXXXXX:administrator
root@it-daniel:~#
#

7. Access control:

  1. All users: deny
  2. Allowed: Administrator
  3. Allowed: Domain Admins
#
realm deny --all
realm permit administrator
realm permit -g 'Domain Admins'
#
#
root@it-daniel:~# realm list
plitc.intern
  type: kerberos
  realm-name: PLITC.INTERN
  domain-name: plitc.intern
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins: administrator
  permitted-groups: Domain Admins
root@it-daniel:~#
#

8. For automatic creation of the home directories:

#
root@it-daniel:~# cat /etc/pam.d/common-session
### ### ### PLITC ### ### ###

session   [default=1]   pam_permit.so
session   requisite     pam_deny.so
session   required      pam_permit.so
session   optional      pam_umask.so
session   optional      pam_krb5.so        minimum_uid=1000
session   required      pam_unix.so
session   required      pam_mkhomedir.so   skel=/etc/skel   umask=0022
session   optional      pam_sss.so
session   optional      pam_systemd.so

### ### ### PLITC ### ### ###
# EOF
root@it-daniel:~#
#

Test the SSH login with an Active Directory account:

#
daniel@TEST-151:~$ ssh -q PLITC\\administrator@10.XXX.XXX.XXX
PLITC\administrator@10.XXX.XXX.XXX's password:

Last login: Tue Jan  5 20:15:39 2021 from 10.XXX.XXX.XXX
administrator@it-daniel:~$
administrator@it-daniel:~$ ls -all
insgesamt 16
drwxr-xr-x 1 administrator domain users   80  5. Jan 20:24 .
drwxr-xr-x 1 root          root           26  5. Jan 20:15 ..
-rw------- 1 administrator domain users   33  5. Jan 20:24 .bash_history
-rw-r--r-- 1 administrator domain users  220  5. Jan 20:15 .bash_logout
-rw-r--r-- 1 administrator domain users 3526  5. Jan 20:15 .bashrc
-rw-r--r-- 1 administrator domain users  807  5. Jan 20:15 .profile
administrator@it-daniel:~$
#

9. Disable unneeded services:

#
systemctl stop sssd-nss.socket
systemctl disable sssd-nss.socket

systemctl stop sssd-pam-priv.socket
systemctl disable sssd-pam-priv.socket

systemctl stop sssd-pam.socket
systemctl disable sssd-pam.socket
#

Additions:

08.01.2021:

  • If everything has been configured correctly -> a login via a display manager (e.g. SLIM or GDM3) also works

09.01.2021:

For better overall system response time -> the following parameter should be added to /etc/sssd/sssd.conf (in the nss section):

#
memcache_timeout = 3600
#

For laptops: (8 hours)

#
memcache_timeout = 28800
#

Depending on requirements, also: (24 hours)

#
memcache_timeout = 86400
#

Example:

#
root@it-daniel:/etc/sssd# head -n 10 sssd.conf

[sssd]
domains = plitc.intern
config_file_version = 2
services = nss, pam

[nss]
memcache_timeout = 86400

[domain/plitc.intern]
... ... ...
root@it-daniel:/etc/sssd#
#

Restart the SSSD service:

#
systemctl restart sssd.service; systemctl status sssd.service
#

09.01.2021:

SSSD support for SUDO:

#
apt-get install libsss-sudo
#

Adjust nsswitch.conf:

#
root@it-daniel:~# tail -n 4 /etc/nsswitch.conf

sudoers:        files sss

# EOF
root@it-daniel:~#
#

Add an Active Directory user to the SUDO group:

#
root@it-daniel:~# usermod -a -G sudo daniel.plominski
#

09.01.2021:

Restrict SSH login to specific Active Directory users:

#
root@it-daniel:~# grep "AllowUsers" /etc/ssh/sshd_config
AllowUsers administrator daniel.plominski
root@it-daniel:~#
#
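Two offline audit helpers that tie together the time sync check from step 5 (Kerberos rejects tickets once the offset exceeds the clockskew = 300 set in krb5.conf) and the AllowUsers restriction just above (sssd's permitted-logins and sshd's AllowUsers are two separate allow-lists that must agree). This is an added example, not code from the original post: the functions parse captured text from `timedatectl timesync-status` and `realm list` instead of calling the tools, the sample inputs are constructed from the output shown on this page, and permitted-groups are not expanded because that needs the directory.

```shell
#!/bin/sh
# Added example, not part of the original post: two offline audit helpers for
# the state the steps above leave behind. They read the TEXT output of
# `timedatectl timesync-status` and `realm list` (captured or piped in) rather
# than calling the tools, so they can be tested without a domain.
# All sample inputs are constructed from the values shown on this page.

# clock_within_skew [SKEW]: reads timesync-status text on stdin and returns 0
# when |Offset| is below SKEW seconds (default 300, the krb5.conf clockskew),
# 1 when it is not, 2 when no Offset line was found.
# Assumes the offset is printed as one value in ms, us or s (as on this page).
clock_within_skew() {
    awk -v skew="${1:-300}" '
        /^ *Offset:/ {
            v = $2                                    # e.g. "-1.304ms"
            if (v ~ /ms$/)      { sub(/ms$/, "", v); v = v / 1000 }
            else if (v ~ /us$/) { sub(/us$/, "", v); v = v / 1000000 }
            else                { sub(/s$/,  "", v); v = v + 0 }
            if (v < 0) v = -v                         # absolute offset
            found = 1
            exit (v < skew ? 0 : 1)
        }
        END { if (!found) exit 2 }'
}

# login_lists_agree REALM_LIST_TEXT SSHD_CONFIG_TEXT: compares the users that
# `realm permit` allows with sshd's AllowUsers. A name present in only one list
# is a dead or inconsistent entry, because sssd AND sshd must both allow a login.
# Limitation: permitted-groups are not expanded (that needs the directory).
login_lists_agree() {
    realm_users=$(printf '%s\n' "$1" |
        awk -F': *' '/^ *permitted-logins:/ { gsub(/,/, " ", $2); print $2 }')
    ssh_users=$(printf '%s\n' "$2" |
        awk '/^[ \t]*AllowUsers[ \t]/ { for (i = 2; i <= NF; i++) print $i }')
    status=0
    for u in $realm_users; do
        printf '%s\n' "$ssh_users" | grep -qxF -- "$u" ||
            { echo "permitted by realm, missing from AllowUsers: $u"; status=1; }
    done
    for u in $ssh_users; do
        printf '%s\n' $realm_users | grep -qxF -- "$u" ||
            { echo "in AllowUsers, not permitted by realm: $u"; status=1; }
    done
    return $status
}

# Constructed samples, taken from the output shown on this page.
TIMESYNC_SAMPLE='       Server: 10.102.1.16 (plitc0-dc1.plitc.intern)
Root distance: 2.601ms (max: 5s)
       Offset: -1.304ms
        Delay: 33.276ms'
REALM_SAMPLE='plitc.intern
  login-policy: allow-permitted-logins
  permitted-logins: administrator
  permitted-groups: Domain Admins'
SSHD_SAMPLE='AllowUsers administrator daniel.plominski'

main() {
    printf '%s\n' "$TIMESYNC_SAMPLE" | clock_within_skew 300 && echo "clock OK"
    # On this page daniel.plominski is in AllowUsers but not realm-permitted.
    login_lists_agree "$REALM_SAMPLE" "$SSHD_SAMPLE" || echo "login lists differ"
}
main
```

In production, feed the functions live output (`timedatectl timesync-status | clock_within_skew 300`, `login_lists_agree "$(realm list)" "$(cat /etc/ssh/sshd_config)"`), for example from a cron job that alerts when either check fails.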

22.01.2021:

The sssd.service should only be started after the network connection is up (After=network.target)!

#
root@it-daniel:/etc/systemd/system/multi-user.target.wants# cat sssd.service
[Unit]
Description=System Security Services Daemon
# SSSD must be running before we permit user sessions
Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target
After=network.target

[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/default/sssd
ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
PIDFile=/run/sssd.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target
root@it-daniel:/etc/systemd/system/multi-user.target.wants#
#