
Offline cached ldap and krb logins with SSSD and Active Directory

SSSD from the Fedora Project provides NSS and PAM mechanisms for cached network credentials (notebook users can still log in while disconnected). SSSD is available in the main repos for both Fedora and Ubuntu.

The following sssd.conf worked for our environment. (Making it work with FreeIPA, or with OpenLDAP and Kerberos, is far less fiddly.)

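# sssd.conf — read by sssd. Comments are recognised only on their own line;
# a trailing "# ..." on a value line can end up inside the value, so none are
# used here. Booleans are written lowercase throughout.
[sssd]
domains = MYDOMAIN
services = nss, pam
config_file_version = 2
sbus_timeout = 30

[pam]
# 0 = cached credentials never expire; a positive value is the number of days
# after which offline logins stop working.
offline_credentials_expiration = 0

[domain/MYDOMAIN]
description = MYDOMAIN AD Server
# For troubleshooting only; uncomment the whole line to enable.
#debug_level = 9
# Periodically downloads every user and group from AD; can be slow on large
# directories and is only needed if tools such as getent must list all accounts.
enumerate = true
ldap_referrals = false
min_id = 1000

# NOTE(review): "permit" lets every AD account that resolves log in on this
# host. To restrict logins to a group, sssd offers access_provider = ldap with
# ldap_access_filter — confirm against sssd-ldap(5) for the installed version.
access_provider = permit

id_provider = ldap
chpass_provider = krb5

ldap_uri = ldap://my.ldap.server
ldap_search_base = dc=my,dc=ad,dc=domain

# With plain ldap:// and StartTLS off, the bind DN and ldap_default_authtok
# below cross the network in clear text. AD supports StartTLS; set this to
# true (or switch ldap_uri to ldaps://) once sssd can validate the AD CA
# certificate. The original line carried an inline comment, which is not safe
# for sssd's parser, so the value is kept bare here.
ldap_id_use_start_tls = false

# Bind account used when anonymous binds are not enabled; any account that can
# read users and groups works. Update as necessary.
ldap_default_bind_dn = user@my.ad.domain
# Leave this as password
ldap_default_authtok_type = password

# The bind account's actual password, stored in clear text. Keep sssd.conf
# root-owned with mode 0600 and use a low-privilege, read-only service account
# here rather than a personal or admin login. sssd also ships sss_obfuscate
# (authtok_type obfuscated_password) — see sssd.conf(5) for whether your
# version supports it.
ldap_default_authtok = password

# AD attribute mapping — this is what makes AD LDAP work. ldap_user_principal
# was listed twice in the original; one entry is enough.
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true

# Build the home directory from the login name (%u) instead of the
# unixHomeDirectory attribute, so accounts missing that attribute still work.
override_homedir = /home/%u

# Kerberos config: passwords are verified against the domain controller
auth_provider = krb5
krb5_server = dc.my.ad.domain
krb5_realm = MY.AD.DOMAIN
# The original key was spelled "krb5_changepw_principle"; sssd does not
# recognise it and silently ignores the line. The documented option is
# krb5_changepw_principal — confirm against sssd-krb5(5). kadmin/changepw is
# also sssd's default, and as the author noted, AD password changes may not
# work through it.
krb5_changepw_principal = kadmin/changepw
# Credential caches go in the shared /tmp. In the template %d expands to
# krb5_ccachedir and %U to the numeric uid; sssd treats a trailing XXXXXX as an
# mkstemp(3) pattern.
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
# seconds
krb5_auth_timeout = 15
# Caches the last successful password locally so the offline logins described
# above work (paired with offline_credentials_expiration in [pam]).
cache_credentials = true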