openSUSE 13.2 - SSSD, AD provider - authentication against Active Directory

Hello,

Problem - I would like to get openSUSE 13.2 to authenticate against Active Directory using SSSD (I do not want to use WINBIND nor the LDAP provider in SSSD).

I’ve not been able to find an article by anyone integrating SUSE/openSUSE with Active Directory for authentication using SSSD and the AD provider (not LDAP). Using other distributions (RHEL, CentOS, Oracle, Debian, Ubuntu, Mint) I’ve been able to accomplish a working environment, but have not had any success with SUSE/openSUSE.

One problem is that the adcli tool does not appear to be available for openSUSE, and realmd depends on adcli. I’ve been able to join Active Directory using the “net” tool. If anyone knows of a good article/howto, or has done this already, please advise.

Frank

You can download and install an adcli package from Fedora in a pinch. It should work although of course it won’t be updatable but that may not be a concern.

After that, it looks like you should be able to cut and paste the Fedora command to install prerequisites and compile from source on the realmd build page
http://www.freedesktop.org/software/realmd/contribute.html

If you’d like this built and added to openSUSE, I’d recommend submitting a request through the openSUSE bugzilla
https://bugzilla.opensuse.org

HTH,
TSU

realmd should be available in the network repo.


http://download.opensuse.org/repositories/network/openSUSE_13.2/network.repo

By the way, building adcli is a major pain in the BUTT, it requires the texlive packages to be installed. </slice wrist>

BTW -
It should be noted that whatever your preferences, the current Windows Server 2012 is the last product to support this method.
So, if you’re planning for an easier upgrade path beyond Windows Server 2012 (I think the next version is scheduled for release within a year), you should be implementing the recommended SAMBA/LDAP method

http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx
https://technet.microsoft.com/en-us/library/cc772571.aspx

TSU

Hi
Huh? Just built it…no texlive in sight…

@OP use Search? or follow the package build to the download directory.

I grabbed the Fedora srpm and it insisted on installing texlive packages (xmlto wanted to install them), so I threw it away :)

zypper in --no-recommends

Or use rpm -i directly.

Good point, I still find the whole texlive mess something that needs to be cleaned in the future.

It’s like 1400 packages, it’s just insanity.

The YaST “Windows Domain Membership” and “Authentication Client” modules can easily handle this deployment use case. Manual installation and configuration can be performed by administrators more comfortable with SSSD, or when picking up mid-way, as this deployment seems to be, since the machine is already joined to the target domain.

YaST would install the required packages and perform the necessary conf file changes, but I’ll describe the manual process so what YaST is doing is understood.

Install the following packages:

sssd sssd-ad

Configure PAM to use the SSSD:

To disable previous authentication methods:

pam-config --delete --ldap --krb5

Enable the SSSD for authentication:

pam-config --add --sss

If home directory creation on login is required:

pam-config --add --sss --mkhomedir

Modify the /etc/nsswitch.conf:

passwd: compat sss
group: compat sss

Create the /etc/sssd/sssd.conf file and set permissions to 600 (root:root) and start the daemon:

[sssd]
config_file_version = 2
# Only the NSS (identity lookup) and PAM (authentication) responders are needed here.
services = nss, pam
domains = <WINDOWS_DOMAIN_FQDN>

[nss]
# Never ask AD about the local root account.
filter_users = root
filter_groups = root

[pam]

[domain/<WINDOWS_DOMAIN_FQDN>]
id_provider = ad
auth_provider = ad

# Do not download the whole directory; look users and groups up on demand.
enumerate = false
# Allow login with cached credentials when the DCs are unreachable.
cache_credentials = true

# _srv_ = locate DCs via DNS SRV records, then fall back to the name after the comma.
ad_server = _srv_, <WINDOWS_DOMAIN_FQDN>

This is a basic functioning configuration, and if the machine is joined to the domain and service discovery is working correctly, the “ad_server =” directive is not necessary.

– lawrence
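The manual steps in the post above (packages, pam-config, nsswitch, sssd.conf with 0600 permissions), collected into one script as an added example; this is not lawrence’s code nor anything shipped by openSUSE or the SSSD project. The domain name, the fallback DC hostname and the output paths are assumptions so the file-generation and nsswitch pieces can be dry-run in a scratch directory without root; only configure_host touches the real system.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Generates the minimal AD-provider
# sssd.conf, locks its mode, and edits nsswitch.conf idempotently.
set -euo pipefail

# Write sssd.conf for DOMAIN to OUTFILE with mode 0600 (and root:root when run as root).
# SERVER is an optional fallback DC appended after _srv_ DNS discovery.
gen_sssd_conf() {
    local domain="$1" outfile="$2" server="${3:-}"
    local ad_server="_srv_"
    if [ -n "$server" ]; then
        ad_server="_srv_, ${server}"
    fi
    # Create the file with a restrictive umask first so it is never briefly world-readable.
    (umask 077; : > "$outfile")
    cat > "$outfile" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${domain}

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/${domain}]
id_provider = ad
auth_provider = ad
enumerate = false
cache_credentials = true
ad_server = ${ad_server}
EOF
    chmod 0600 "$outfile"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$outfile"
    fi
}

# Append "sss" to the passwd: and group: lines of NSSWITCH only where it is missing.
add_sss_to_nsswitch() {
    local f="$1" key
    for key in passwd group; do
        if ! grep -Eq "^${key}:.*\bsss\b" "$f"; then
            sed -i -E "s/^(${key}:.*)$/\1 sss/" "$f"
        fi
    done
}

# Succeed only if both passwd: and group: in NSSWITCH consult sss.
nsswitch_has_sss() {
    local f="$1"
    grep -Eq '^passwd:.*\bsss\b' "$f" && grep -Eq '^group:.*\bsss\b' "$f"
}

# Octal mode of FILE, e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# Full procedure on a live openSUSE host (requires root; assumes the machine is
# already joined to the domain, e.g. with "net ads join").
configure_host() {
    local domain="$1" server="${2:-}"
    zypper -n in --no-recommends sssd sssd-ad
    pam-config --delete --ldap --krb5          # drop earlier methods
    pam-config --add --sss                     # authenticate via SSSD
    pam-config --add --sss --mkhomedir         # create home dirs on first login
    add_sss_to_nsswitch /etc/nsswitch.conf
    gen_sssd_conf "$domain" /etc/sssd/sssd.conf "$server"
    systemctl enable --now sssd
    # Quick check: the lookup should now go through SSSD.
    getent passwd "administrator@${domain}" || echo "lookup failed; check sssd logs"
}

# Uncomment on a real host:
# configure_host example.com dc1.example.com
```

Dry-running gen_sssd_conf and add_sss_to_nsswitch against files in a temporary directory is a cheap way to review exactly what will land in /etc before running configure_host as root.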