Configure UBUNTU/Debian/RH for ActiveDirectory authentication with SSSD

a. Start by checking whether the pam_ldap package is installed, and remove it if it is.

# apt-get remove pam_ldap

b. Install sssd

# apt-get install sssd libpam-sss libnss-sss sssd-tools

c. Edit /etc/sssd/sssd.conf. In my case, this file has the following content (the hostnames in ldap_uri, krb5_server and krb5_kpasswd are left blank here):

# The [sssd] and [domain/...] section headers are required; sssd will not start
# without them, and the domain section name must match the "domains" entry.
[sssd]
config_file_version = 2
services = nss, pam
domains = WMD.EDU
debug_level = 9

[domain/WMD.EDU]
ldap_id_use_start_tls = False
cache_credentials = False
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_name = sAMAccountName

ldap_uri = ldap://
ldap_search_base = dc=wmd,dc=edu
# Several user search bases: each entry is base?scope?filter, entries are separated by "?"
ldap_user_search_base = OU=Secured,OU=Corporate Users,DC=wmd,DC=edu?subtree??OU=Managed By Others,DC=wmd,DC=edu?subtree??OU=Shared,OU=Corporate Users,DC=wmd,DC=edu?subtree??OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu?subtree?
ldap_group_search_base = ou=Unix,ou=Security Groups,ou=Corporate Groups,dc=wmd,dc=edu
ldap_default_bind_dn = CN=aixldapquery,OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = **********
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false

krb5_realm = WMD.EDU
krb5_kpasswd =
krb5_server =
krb5_canonicalize = False

offline_credentials_expiration = 0

where ********** is the password of the aixldapquery account, which queries AD on behalf of the user logging in. Note that with ldap_id_use_start_tls = False and a plain ldap:// URI, this bind password is sent to the domain controller in the clear; use ldaps:// or set ldap_id_use_start_tls = True where the domain controller allows it.

d. While in /etc/sssd, set the permissions of sssd.conf. This is important; otherwise the service will not start!

# chmod 0600 sssd.conf

e. Verify that the PAM files in /etc/pam.d (common-auth, common-session and common-password on Debian/Ubuntu) contain the entries shown.

# /etc/pam.d/common-auth
auth      [success=1 default=ignore]  pam_sss.so use_first_pass
# /etc/pam.d/common-session
session   required                    pam_mkhomedir.so umask=0022 skel=/etc/skel
session   optional                    pam_sss.so
# /etc/pam.d/common-password
password  sufficient                  pam_sss.so use_authtok

f. Be sure to remove or comment out the following line in /etc/pam.d/common-account; otherwise no AD-defined user will be able to log in.

account   [default=bad success=ok user_unknown=ignore]  pam_sss.so

g. Set the sssd service to start on reboot

# systemctl enable sssd

h. Restart sssd and you are ready to go.

# systemctl restart sssd

The following command is very useful for troubleshooting sssd issues. Stop the sssd service first, since an interactive instance cannot run alongside the daemon.

# sssd -d9 -i
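As an added example that is not part of the original post, the following shell functions check the points the steps above stress: sssd.conf must be mode 0600, duplicate keys in sssd.conf silently override each other, the common-account line from step f must be gone, and a plain ldap:// URI without START_TLS sends the ldap_default_authtok bind password in the clear. File paths are parameters so the checks can run against copies; GNU stat is assumed.

```shell
#!/bin/bash
# Added example: read-only sanity checks for an SSSD/AD setup. Nothing here
# modifies the system; every function takes the file to inspect as $1.

# Return 0 if the config file is mode 0600 (step d), 1 otherwise.
sssd_conf_perms_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ]
}

# Print keys that appear more than once. In sssd.conf the last occurrence
# wins, so a duplicate quietly overrides whatever was set earlier.
sssd_conf_duplicate_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" \
        | sort | uniq -d
}

# Return 0 if LDAP traffic is protected (ldaps:// URI or START_TLS enabled),
# 1 if the bind password and directory queries would go over plain ldap://.
# An absent ldap_id_use_start_tls counts as False, which is SSSD's default.
sssd_ldap_transport_ok() {
    local uri tls
    uri=$(sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1)
    tls=$(sed -n 's/^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1)
    case "$uri" in
        ldaps://*) return 0 ;;
    esac
    case "$(printf '%s' "$tls" | tr 'A-Z' 'a-z')" in
        true) return 0 ;;
    esac
    return 1
}

# Return 0 if common-account still contains the active (uncommented) line
# that step f says to remove, 1 if it is gone or commented out.
pam_account_line_present() {
    grep -Eq '^[[:space:]]*account[[:space:]]+\[default=bad success=ok user_unknown=ignore\]' "$1"
}
```

Run the functions against /etc/sssd/sssd.conf and /etc/pam.d/common-account after step h; a non-zero status from the first or third, or any output from the second, points at a setting worth revisiting.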

Posted in LINUX.


Copyright © 2016 - 2018 Waldemar Mark Duszyk. All Rights Reserved.