SSSD (System Security Services Daemon) allows Linux systems (specifically, Red Hat, CentOS, and Fedora) to verify identity and authenticate against remote resources. If you have a CentOS or Red Hat enterprise system, and you need to authenticate against a domain controller such as FreeIPA or Active Directory, SSSD is the way to go. I use SSSD on CentOS 7 systems, but it is now available on CentOS 6 as well. A few years ago, adclient (an open-source project from Centrify) was your only option to make a CentOS 6 server authenticate against Active Directory. adclient seems to have reached end of life, so SSSD is definitely the path forward.
I won’t repeat the procedure for using Active Directory as an identity provider on a Red Hat 7 system. Instead, I want to provide a few troubleshooting tips, since limited information is available on SSSD and related tools.
You can increase the verbosity of output from SSSD by setting the debug_level=N directive in /etc/sssd/sssd.conf. N is a number from 1 to 10. You must put this directive in EACH section of the config file.
Let’s re-join the realm, with verbose output:
realm list realm leave mydomain.local realm join --verbose --user=bobsmith mydomain.local
If you’ve joined successfully, you should be able to get information on a domain user:
getent passwd email@example.com
Now, Bob tries to log in with:
However, Bob can’t log in, and the following errors appear in /var/log/secure:
Mar 9 18:36:12 linux-host-01 sshd: Invalid user bobsmith from 184.108.40.206 Mar 9 18:36:12 linux-host-01 sshd: input_userauth_request: invalid user bobsmith [preauth] Mar 9 18:36:16 linux-host-01 sshd: Failed password for invalid user bobsmith from 220.127.116.11 port 55972 ssh2 Mar 9 18:36:18 linux-host-01 sshd: Connection closed by 18.104.22.168 [preauth]
What’s going on? Go back to the information that you got from the getent command. Note that the system thinks the user is named firstname.lastname@example.org, but he’s logging in without specifying the domain! Bob should be able to log in with:
That’s annoying, and his home directory name will be email@example.com. The solution is to add the following lines to /etc/sssd/sssd.conf so that user names don’t require a FQDN:
use_fully_qualified_names = False fallback_homedir = /home/%u
# Get a Kerberos ticket from AD kinit bobsmith@MYDOMAIN.LOCAL # Show the ticket klist # Show keys in a keytab file klist -kt /etc/krb5.keytab
The keys should resemble this:
KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 3 03/10/2016 11:33:14 host/linux-host-01.mydomain.local@MYDOMAIN.LOCAL 3 03/10/2016 11:33:14 host/linux-host-01@MYDOMAIN.LOCAL