8 votes
Accepted

Assignment of UID and GID from Active Directory

AD mapping in SSSD is determined using an algorithm (probably a hash function) in the daemon itself: because it's built-in, if you keep the defaults the same, every computer using SSSD should map the ...
ErikF (4,207)
6 votes
Accepted

sudo is not working on my Centos 7.3

The problem here is that when you joined your CentOS system to the Active Directory domain, the realm command also modified /etc/nsswitch.conf to take over the configuration of sudo: grep sudo /etc/...
Chris Davies
4 votes

Join Redhat 7 without prompting the password

RE: There is not a workaround on the Red Hat side to get around someone entering a password either before or during the realm join. There is always a workaround in Linux/Unix: echo $passwd| realm ...
Isaac (41)
4 votes
Accepted

How nsswitch call sssd for credential?

Have a look into Anatomy of SSSD user lookup for an overview of the lookup process or Troubleshooting Guide for how to get logs to see what might be wrong in the daemon. For quick reference, you may ...
jhrozek (301)
4 votes
Accepted

Mapping AD groups to Linux groups - sssd and Windows server 2016

First, only the management console was removed from WS2016, but the UNIX schema is still there, I think it should still be accessible with e.g. ADSI edit. So you can still use the POSIX attributes, it'...
jhrozek (301)
4 votes
Accepted

sssd and Active Directory user does not exist in CentOS

Finally I followed these instructions and suddenly it started working; it's weird, I still don't understand fully what was wrong: Manually Connecting an SSSD Client to an Active Directory Domain https://...
ebeb (199)
4 votes
Accepted

What must be added to nsswitch.conf to show AD users and groups?

As suggested by @Doug O'Neal in a comment, it was necessary to set enumerate = true in /etc/sssd/sssd.conf. Now getent passwd and getent group show all users and groups defined in the AD. Note ...
dr_ (32.4k)
4 votes
Accepted

How can I list a user's groups when their names contain spaces?

Although groups doesn't appear to have an option to null-delimit entries, id does - at least in the GNU CoreUtils implementation that should apply on Ubuntu 18.04: -z, --zero delimit ...
steeldriver (83.8k)
4 votes

Allowing Active Directory groups to sudo on Ubuntu 20.04

I'm not doing this on Ubuntu, so I don't know if there is something special there, but in CentOS I don't have to specify the domain in sudoers, so the syntax I use is: %domain_group ALL=(ALL) ...
devons (141)
4 votes

Is it possible to have a local user with the same name as a domain user

If you are using sssd to authenticate with your AD, then users are created with a domain in the name by default. This is controlled by default_domain_suffix in sssd.conf. Normally, I would add my ...
Stewart (16k)
4 votes
Accepted

How to troubleshoot an LDAP error 53 (WILL_NOT_PERFORM)?

The error you are encountering is coming from the Active Directory server itself. So the verbose error message, if it exists, is likely to be in the "Event Log" on the Active Directory ...
Philip Couling
4 votes
Accepted

What is changing /etc/sssd/sssd.conf?

Your realm join will modify /etc/sssd/sssd.conf. For example, you can see the history of this with the realmd_tags value showing that realm is managing the file and the server was joined to the AD ...
Chris Davies
3 votes
Accepted

Setting login shell in SSS configuration for users from Active Directory

Thanks to the sssd maintainers I found the answer. Here's a working config which does what I needed, i.e. allow SSH tunneling but not SSH login to the AD users which are members of the AD LimitedGroup....
dr_ (32.4k)
3 votes

Setting login shell in SSS configuration for users from Active Directory

This should work with newer versions of sssd: [sssd] domains = MYDOMAIN_ADMINS,MYDOMAIN_LIMITED,MYDOMAIN_ALL config_file_version = 2 services = nss, pam [nss] default_shell = /bin/bash [domain/...
Christophe Drevet
3 votes
Accepted

Authentication mechanism to connect to Windows AD in Linux?

sssd and realmd was by far the easiest way to get this done. The below steps are what I did to get my CentOS machine on the domain and able to restrict access to only the specific users in the ...
Govna (318)
3 votes

Linux clients can't login on samba share while windows and mac can (active directory env)

I found this article which may help you mount the SMB shares. https://askubuntu.com/questions/1026316/cifs-mounts-and-kerberos-permissions-on-access-or-best-practice I believe that the issue is ...
Gordster (392)
3 votes

Use AD Groups Instead of Linux Groups

chgrp can deal with numeric GIDs as well as symbolic group names. You'll want to be 100% sure that your name-to-name group matchup is exactly correct. Depending on how you attack the problem, it may ...
Jim L. (8,785)
3 votes

SUDO successful for Active Directory admin group member using wrong password

Here is your problem, "the system file was modified to include pam_winbind, and to change the pam_unix module from required to sufficient". It would be well worth taking the time to read ...
Chris Davies
3 votes

How can I get the current time as an LDAP timestamp in Unix?

In the terminal: echo $((($(date +%s) + 11644473600) * 10000000)) Detailed explanation: date +%s gets the current time in seconds since 1970. 11644473600 seconds elapsed from 1601 to 1970. 10000000 ...
BennyMcBenBen
3 votes

LDAP: What is the most suitable solution for remote home directories today?

Remote home directories have very little to do with LDAP. Though you can host them on the same machine as the LDAP server, there's nothing about the two services that says you should host them on the ...
grawity (15.2k)
2 votes

sudo is not working on my Centos 7.3

Edit your /etc/sudoers as follows: # User privilege specification root ALL=(ALL:ALL) ALL test ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
GAD3R (69.9k)
2 votes
Accepted

Sudo long wait for Active Directory user

Is your AD user a member of many large AD groups? This is typically the case, usually suppressing the group members with the ignore_group_members option helps. Alternatively, checking the sssd logs ...
jhrozek (301)
2 votes

SSH Logins failing for all users, even when using correct password

A very similar scenario with a different root cause: Login with sssd (against LDAP) via console works. Login using the correct password with sssd via ssh fails. Gives about an 8-second delay until ...
Chris (129)
2 votes

SSH Logins failing for all users, even when using correct password

Off the top of my head, these are the 3 things that have caused me pain in joining CentOS to AD and using sssd with ssh: Do you have pam_sss.so listed in the password portion of /etc/pam.d/password-...
Tim Kennedy (20.2k)
2 votes

Cannot login to Linux with AD account and /bin/bash

What is your user's loginShell LDAP attribute? This is typically what determines a user's shell when using LDAP/AD backends for SSSD. You can verify a user's shell with a couple different tools. ...
jayhendren (8,676)
2 votes
Accepted

How do I clear a user's cached Active Directory password on CentOS 7?

So, how do I clear a user's cached Active Directory password on CentOS 7? Generally sss_cache should be the right way to tell sssd to re-retrieve objects it has probably already cached. But afaik sssd ...
xx4h (2,442)
2 votes

Join Redhat 7 without prompting the password

I know this post is kind of old, but there is an option available that doesn't necessarily require an AD account with password. Both realm and adcli commands support the --one-time-password argument, ...
jthornsen
2 votes
Accepted

On Solaris I get good id mapping... on Linux not, why?

The SSSD docs cover this in some detail. Essentially, by default when SSSD is used to join a new domain, it assigns a block of UID's designed to be unique to that domain, that override any that AD ...
clockworknet
2 votes

kinit using keytab fails while using password succeeds

I faced exactly the same issue. The root cause was that the Kerberos server only supported the rc4-hmac encryption type. Solution: in ktutil use ktutil: addent -password -p foo@bar -k 0 -e rc4-hmac ...
Suonto (21)
2 votes
Accepted

Domain Joined Linux - PAM mkhomedir creating homedirs owned as root for SSH

Turns out it was something unrelated - DOH. It was running a custom bash script for ssh AuthorizedKeysCommand to fetch keys from an LDAP attribute. It was writing a cached version of the key to the ...
George (131)