Configure CentOS7 with SSSD and UW Linux Directory Infrastructure (LDI)

I describe here the setup of CentOS 7 with sssd for login with UW kerberos and LDI.

First you must have your LDI OU created and set up your client cert

The default installation of CentOS7 will incude the packages needed.

Set selinux to ‘permissive’ until you get things working.  After, you can deal with any selinux issues.

Enable sssd and oddjobd so they will be started by systemd at boot time. Start oddjobd so that oddjobd_mkhomedir, invoked from pam, will create the home directory for non-local users upon first login.

systemctl enable sssd
systemctl enable oddjobd
systemctl start oddjobd

You will need to configure sssd before you can start it.

Configure pam to use sssd

/etc/pam.d/system-auth-ac

#%PAM-1.0
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 debug
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
#to auto-create home dir requires oddjobd: 'systemctl enable oddjobd'
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

/etc/pam.d/password-auth

#%PAM-1.0 
#/etc/pam.d/password-auth is included by /etc/pam.d/sshd /etc/pam.d/gdm-password and others 
auth required pam_env.so 
auth sufficient pam_unix.so nullok try_first_pass 
auth requisite pam_succeed_if.so uid >= 1000 quiet_success 
auth sufficient pam_sss.so use_first_pass 
auth required pam_deny.so 
 
account required pam_unix.so 
account sufficient pam_localuser.so 
account sufficient pam_succeed_if.so uid < 1000 quiet 
account [default=bad success=ok user_unknown=ignore] pam_sss.so 
account required pam_permit.so 
 
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= 
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

Configure /etc/nsswitch.conf to use sssd.

Check for these service settings in nsswitch.conf and add sss if it is not already set:

passwd: files sss
shadow: files sss
group: files sss

Configure sssd by editing /etc/sssd/sssd.conf.

install your client cert and key in your local filesystem and also the UW CA cert.  Set the paths variables ldap_tls_* in sssd.conf to point to them.

Edit to put your own OU in the ldap_*_base DNs

#Debug log level is set to maximum
# Logs are in /var/log/sssd
[sssd]
debug_level = 0x0400
domains = netid.washington.edu
services = nss, pam
config_file_version = 2

[nss]
debug_level = 0x0400
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[domain/netid.washington.edu]
debug_level = 0x0400
# enumeration will affect performance
#  set true or false depending on the number of users in your LDI OU
enumerate = true
id_provider = ldap
# set min_id to avoid clash between 
#   lowest possible uid from uwnetid domain
#   and highest possible local account uid
min_id = 2001

# Disable for debugging...might enable for production:
cache_credentials = false
entry_cache_timeout = 300

ldap_uri = ldap://ldi.s.uw.edu
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
# These are the Redhat standard paths to cert and key directories
#  Modify if your paths or file names are different
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cert = /etc/pki/tls/certs/ldi-client.crt
ldap_tls_key = /etc/pki/tls/private/ldi-client.key
ldap_sasl_mech = EXTERNAL
# Change 'chem' to your own OU.
ldap_search_base = ou=chem,dc=ldi,dc=uw,dc=edu
ldap_user_search_base = ou=accounts,ou=chem,dc=ldi,dc=uw,dc=edu
ldap_group_search_base = ou=groups,ou=chem,dc=ldi,dc=uw,dc=edu

use_fully_qualified_names = false
fallback_homedir = /home/%u
shell_fallback = /bin/bash

auth_provider = krb5
# external krb5 configuration is not used, all configuration is here:
krb5_realm = NETID.WASHINGTON.EDU
krb5_server = netid.washington.edu

# If you prefer instead to use kerberos settings from /etc/krb5.conf
# then set:
# krb5_use_kdcinfo = false

# /etc/krb5.keytab is not used, unless you want to enable this:
# krb5_validate = true

Start sssd and check status.

systemctl start sssd

Wait a few seconds for startup then issue

systemctl status sssd

If status shows failed, examine your logs in /var/log/sssd.

If status is active (running), then proceed to test login with your netid.

[root@lditest ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
 Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
 Drop-In: /etc/systemd/system/sssd.service.d
 └─journal.conf
 Active: active (running) since Thu 2017-05-18 13:09:24 PDT; 4h 40min ago
 Process: 468 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 501 (sssd)
 CGroup: /system.slice/sssd.service
 ├─501 /usr/sbin/sssd -D -f
 ├─512 /usr/libexec/sssd/sssd_be --domain netid.washington.edu --uid 0 --gid 0 --de...
 ├─562 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
 └─563 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

May 18 13:09:21 lditest.chem.washington.edu systemd[1]: Starting System Security Services Da....
May 18 13:09:22 lditest.chem.washington.edu sssd[501]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[be[netid.washington.edu]][512]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[pam][563]: Starting up
May 18 13:09:23 lditest.chem.washington.edu sssd[nss][562]: Starting up
May 18 13:09:24 lditest.chem.washington.edu systemd[1]: Started System Security Services Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

Test login with a NetID that you have synchronized to your LDI OU.

Test these three login modalities:

  • gdm (graphical login)
  • local console (do ctrl-alt-f2 to get a text-console login prompt)
  • ssh (remote login)

If login fails, examine your sssd logs and journalctl log.

Configure for production.

Once everything is working, you may want to remove debug logging from sssd.conf and from the pam files, and you may want to set selinux to ‘enforcing’.

Also configure caching for performance. (I usually disable caching for debugging because it tends to confuse.)

Restart services, or reboot.

 


Notes on UW CA Installation

Get the UW Services CA cert here.

Per Redhat convention, install UW CA pem in /etc/pki/ca-trust/source/anchors:

cp UWServicesCA.pem /etc/pki/ca-trust/source/anchors
update-ca-trust extract