@ozgurgul
Forked from seanorama/README.md
Created June 1, 2021 14:24
sssd

# SSSD Configuration

What I use for Hortonworks HDP (Hadoop) systems, but should work for anyone.

Some settings are tuned for Active Directory without relying on the 'sssd-ad' provider, so the hosts do not need to join the domain.

## Install requirements

```sh
sudo yum install sssd sssd-ldap sssd-krb5 sssd-tools authconfig \
  oddjob oddjob-mkhomedir openldap-clients cyrus-sasl-gssapi \
  krb5-workstation
```

## Create keytab for ldap reader

```sh
ktutil
## enter these at the ktutil prompt
add_entry -password -p user@EXAMPLE.ORG -k 1 -e aes256-cts-hmac-sha1-96
add_entry -password -p user@EXAMPLE.ORG -k 1 -e aes128-cts-hmac-sha1-96
write_kt ldap-user.keytab
q
```

## Put keytab in place

```sh
sudo chown root:root ldap-user.keytab
sudo chmod 0400 ldap-user.keytab
sudo mkdir -p /etc/security/keytabs
sudo mv ldap-user.keytab /etc/security/keytabs/
```

## Test keytab and ldapsearch

```sh
keytab=/etc/security/keytabs/ldap-user.keytab
export KRB5CCNAME=/tmp/krb5cc_root_temporary
sudo -E kinit -kt ${keytab} $(sudo -E klist -kt ${keytab} | awk '{print $NF}' | tail -1)
sudo -E ldapwhoami
sudo -E kdestroy
```

## Create /etc/sssd/sssd.conf

See sssd.conf in this gist.

## Set permissions on sssd.conf

```sh
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo restorecon /etc/sssd/sssd.conf
```

```sh
sudo authconfig --savebackup=$HOME/authconfig-backup-before-sssd

## test
sudo authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablecache --enablelocauthorize --disableldap --disableldapauth --disablewinbind --disablenis --disablekrb5 --test

## apply
sudo authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablecache --enablelocauthorize --disableldap --disableldapauth --disablewinbind --disablenis --disablekrb5 --update

## if anything goes wrong use this to rollback all the configs:
#sudo authconfig --restorelastbackup
```

## Restart sssd & oddjobd

```sh
sudo sssctl cache-expire -E
sudo sssctl logs-remove
sudo sss_cache -E
sudo systemctl stop sssd
sleep 1
sudo rm -f /var/lib/sss/db/*
sudo rm -f /var/lib/sss/mc/*
sleep 1
sudo systemctl start sssd
sudo systemctl restart oddjobd

## verify users and groups
getent passwd | grep example.org

id test-user

getent group | grep ^test-group

## once confirmed working:
sudo systemctl enable sssd
sudo systemctl enable oddjobd
```

## Confirm that users/groups are recognized by Hadoop

```console
$ sudo -E hdfs groups test-user
test-user : users test-group test-group2

$ sudo yarn rmadmin -getGroups test-user
test-user : users test-group test-group2
```

## Update ssh to get ssh keys from AD (if they exist)

Add the following to /etc/ssh/sshd_config:

```
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody
```

```sh
sudo systemctl restart sshd
```
# sssd.conf

```ini
[sssd]
config_file_version = 2
debug_level = 3
domains = EXAMPLE.ORG
services = nss, pac, pam, ifp, ssh
[nss]
debug_level = 3
filter_users = activity_analyzer,ambari-qa,ams,atlas,chrony,hbase,hcat,hdfs,hive,infra-solr,kafka,kms,knox,livy,mapred,nifi,nifiregistry,ntp,oozie,ranger,registry,root,spark,sqoop,tez,yarn,yarn-ats,zeppelin,zookeeper
filter_groups = chrony,hadoop,hbase,hdfs,hive,kafka,kms,knox,livy,mapred,nifi,nifiregistry,ntp,oozie,ranger,root,spark,sqoop,yarn,zeppelin,zookeeper
shell_fallback = /bin/bash
default_shell = /bin/bash
vetoed_shells = /bin/sh
[pac]
debug_level = 3
[pam]
debug_level = 3
[domain/EXAMPLE.ORG]
debug_level = 3
#------------------------------------------------------------------------
## providers
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
id_provider = ldap
sudo_provider = none
autofs_provider = none
selinux_provider = none
hostid_provider = none
subdomains_provider = none
session_provider = none
#------------------------------------------------------------------------
## general
default_shell = /bin/bash
enumerate = true
override_gid = 100
override_homedir = /home/%d/%u
create_homedir = true
#------------------------------------------------------------------------
## krb5 connection
krb5_server = ad01.example.org,ad02.example.org
krb5_realm = EXAMPLE.ORG
#------------------------------------------------------------------------
## ldap connection
ldap_uri = ldaps://ad01.example.org,ldaps://ad02.example.org
ldap_sasl_authid = ldap-user@EXAMPLE.ORG
#------------------------------------------------------------------------
## ldap general
ldap_krb5_keytab = /etc/security/keytabs/ldap-user.keytab
ldap_sasl_mech = GSSAPI
ldap_id_use_start_tls = true
#------------------------------------------------------------------------
## identity_provider:
## user/group search bases stay in the same DC tree as ldap_search_base;
## the memberOf filter restricts which objects are returned
ldap_search_base = OU=mytestcluster,DC=example,DC=org
ldap_group_search_base = DC=example,DC=org?subtree?(|(memberOf=CN=hadoop-groups,OU=mytestcluster,DC=example,DC=org))
ldap_user_search_base = DC=example,DC=org?subtree?(|(memberOf=CN=hadoop-users,OU=mytestcluster,DC=example,DC=org))
#------------------------------------------------------------------------
## access_provider:
ldap_access_filter = (memberOf=CN=hadoop-admins,OU=mytestcluster,DC=example,DC=org)
ldap_access_order = filter, expire
ldap_user_ssh_public_key = sshPublicKey
#------------------------------------------------------------------------
## active directory defaults: to match behaviour of sssd-ad
dns_discovery_domain = example.org
case_sensitive = false
krb5_use_enterprise_principal = true
krb5_validate = true
ldap_schema = ad
ldap_use_tokengroups = false
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_groups_use_matching_rule_in_chain = true
ldap_id_mapping = true
ldap_idmap_range_size = 2000000
ldap_initgroups_use_matching_rule_in_chain = true
ldap_referrals = false
ldap_user_principal = userPrincipalName
ldap_group_nesting_level = 5
```
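Before restarting sssd it is worth linting the file for the mistakes a hand edit introduces easily: a second option glued onto the end of a comma-separated filter_users line, a user/group search base whose DC components do not match ldap_search_base, or a domain listed in [sssd] without its own section. The checker below is an added example, not part of the gist; it uses Python's configparser on a constructed sample config, and the heuristics (MERGED_RE, DC-tree comparison) are this example's own, not sssd's.

```python
import configparser
import re

# Constructed sample (not from the gist) reproducing two hand-edit mistakes: a
# filter_groups option glued onto filter_users, and a user search base in the wrong DC tree.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
domains = EXAMPLE.ORG
[nss]
filter_users = root,hdfs,yarn,filter_groups = hadoop,hdfs
filter_groups = root,hadoop
[domain/EXAMPLE.ORG]
id_provider = ldap
ldap_search_base = OU=cluster,DC=example,DC=org
ldap_user_search_base = DC=example,DC=com?subtree?(memberOf=CN=users,DC=example,DC=org)
"""

DC_RE = re.compile(r"DC=([^,?]+)", re.IGNORECASE)
# "key = value" after a comma inside another value: two config lines run together
MERGED_RE = re.compile(r",\s*[a-z][a-z0-9_]* = ")

def dc_domain(base):
    """DNS-style domain ('example.org') built from the DC= parts of a base DN.
    Anything after the first '?' (scope/filter of an extended base) is ignored."""
    return ".".join(DC_RE.findall(base.split("?")[0])).lower()

def lint_sssd_conf(text):
    """Return a list of findings for an sssd.conf body; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # every domain named in [sssd] needs its own [domain/NAME] section
    for dom in re.split(r"[,\s]+", cp.get("sssd", "domains", fallback="").strip()):
        if dom and not cp.has_section(f"domain/{dom}"):
            findings.append(f"[sssd] lists domain {dom} but [domain/{dom}] is missing")
    for sect in cp.sections():
        for key, val in cp.items(sect):
            if MERGED_RE.search(val):
                findings.append(f"[{sect}] {key}: value looks like a merged line: {val[:40]}...")
        # user/group search bases should sit in the same DC tree as ldap_search_base
        if sect.startswith("domain/") and cp.has_option(sect, "ldap_search_base"):
            root = dc_domain(cp.get(sect, "ldap_search_base"))
            for opt in ("ldap_user_search_base", "ldap_group_search_base"):
                if cp.has_option(sect, opt) and dc_domain(cp.get(sect, opt)) != root:
                    findings.append(f"[{sect}] {opt} is under {dc_domain(cp.get(sect, opt))}, but ldap_search_base is under {root}")
    return findings
```

Run it as `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` on the real file (as root, since the file is mode 600) before the restart step.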