SSSD-AD(5) NAME sssd-ad - Active Directory SSSD AD sssd(8). " " sssd.conf(5). AD -- , Active Directory. , AD . GSSAPI. AD SSL/TLS, Kerberos . AD Active Directory 2008 R2 . , . AD . , . , . AD SSSD sssd-ldap(5) sssd-krb5(5) Active Directory. AD , sssd-ldap sssd-krb5 providers, . , . AD ldap krb5, . " ". AD , chpass, sudo autofs. . sssd.conf "auth_provider=ad" "access_provider=ad", id_provider "ad". AD UID GID objectSID Active Directory. " " . POSIX, Active Directory, ldap_id_mapping = False POSIX, . POSIX , SSSD . POSIX , SSSD . , "cache_first". , POSIX, LDAP . , , SSSD, AD LDAP Active Directory. SSSD Active Directory. AD . Active Directory[1] SSSD AD. (, ), . Active Directory, PAC Kerberos , Active Directory. SSSD " " sssd.conf(5). ad_domain () Active Directory. . , . Active Directory . ( NetBIOS ) SSSD. ad_enabled_domains () A comma-separated list of enabled Active Directory domains. If provided, SSSD will ignore any domains not listed in this option. If left unset, all discovered domains from the AD forest will be available. During the discovery of the domains SSSD will filter out some domains where flags or attributes indicate that they do not belong to the local forest or are not trusted. If ad_enabled_domains is set, SSSD will try to enable all listed domains. Active Directory. : ad_enabled_domains = sales.example.com, eng.example.com ( NetBIOS ) SSSD. : ad_server, ad_backup_server () AD, SSSD . " ". , . " ". : , ad_server . ad_hostname () . , hostname(5) , sssd . , . - DNS. , . ad_enable_dns_sites ( ) DNS -- . <> ( ), SSSD Active Directory, , Active Directory, , AD , SRV DNS. SRV DNS, , . : true ad_access_filter () LDAP, . , , "access_provider" "ad". . : "KEYWORD:NAME:FILTER". "DOM" "FOREST", . "DOM" , "NAME" , . "FOREST", , "NAME". "?", . OID ":1.2.840.113556.1.4.1941:" DOM:domain.example.org:, , OID. OID . , OID Active Directory MS, LDAP[2] . , , , , . , . : # dom1: dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com) # dom2: DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) # EXAMPLE.COM: FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) # dom1: DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) : ad_site () AD, . , AD . : ad_enable_gc ( ) SSSD , LDAP . , SSSD LDAP AD. , . SSSD LDAP . , . : true ad_gpo_access_control () GPO: , . , "access_provider" "ad". GPO GPO , . "ad_gpo_map". , SSSD Active Directory. (, Administrators SID S-1-5-32-544) GPO SSSD. : https://github.com/SSSD/sssd/issues/5063 . SSSD GPO . GPO, . GPO , , , GPO: o Read: GPO (RIGHT_DS_READ_PROPERTY) o Apply Group Policy: GPO (RIGHT_DS_CONTROL_ACCESS). GPO Authenticated Users. Read, Apply Group Policy. , GPO, Authenticated Users GPO. : , , , , ( GPO). , : . . , , . GPO << >> (. sssctl(8)). : o disabled: GPO, . o enforcing: GPO . o permissive: GPO, . , , , . : enforcing ad_gpo_implicit_deny ( ) , GPO . <>, , GPO. . , : , Administrators, GPO. : false , , , ad_gpo_implicit_deny. +-------------------------------------------------------------------------------------------------------------------------+ | ad_gpo_implicit_deny = False ( ) | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | | | | , | | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | | | | , | | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | | | | , | | | | | | | | | | | | | | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ +-------------------------------------------------------------------------------------------------------------------------+ | ad_gpo_implicit_deny = True | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | | | | , | | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ | | | | | | | | | | | | | | | , | | | | | | | | | | | | | | | | | | | | | | | | | +-------------------------------------+--------------------------------------+--------------------------------------------+ ad_gpo_ignore_unreadable ( ) , ( AD) SSSD. , , SSSD. : false ad_gpo_cache_timeout ( ) GPO AD. AD, . : 5 () ad_gpo_map_interactive () PAM, GPO InteractiveLogonRight DenyInteractiveLogonRight. GPO, Read Apply Group Policy ( "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM "+service_name". PAM "-service_name". , PAM (, "login") PAM (, "my_pam_service"), : ad_gpo_map_interactive = +my_pam_service, -login : PAM : o login o su o su-l o gdm-fingerprint o gdm-password o gdm-smartcard o kdm o lightdm o lxdm o sddm o unity o xdm ad_gpo_map_remote_interactive () PAM, GPO RemoteInteractiveLogonRight DenyRemoteInteractiveLogonRight. GPO, Read Apply Group Policy ( "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM "+service_name". PAM "-service_name". , PAM (, "sshd") PAM (, "my_pam_service"), : ad_gpo_map_remote_interactive = +my_pam_service, -sshd : PAM : o sshd o cockpit ad_gpo_map_network () PAM, GPO NetworkLogonRight DenyNetworkLogonRight. GPO, Read Apply Group Policy ( "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM "+service_name". PAM "-service_name". , PAM (, "ftp") PAM (, "my_pam_service"), : ad_gpo_map_network = +my_pam_service, -ftp : PAM : o ftp o samba ad_gpo_map_batch () PAM, GPO BatchLogonRight DenyBatchLogonRight. GPO, Read Apply Group Policy ( "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM "+service_name". PAM "-service_name". , PAM (, "crond") PAM (, "my_pam_service"), : ad_gpo_map_batch = +my_pam_service, -crond : cron Linux. : PAM : o crond ad_gpo_map_service () PAM, GPO ServiceLogonRight DenyServiceLogonRight. GPO, Read Apply Group Policy ( "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM "+service_name". , PAM. , PAM (, "my_pam_service"), : ad_gpo_map_service = +my_pam_service : ad_gpo_map_permit () PAM, GPO, GPO. PAM "+service_name". PAM "-service_name". , PAM (, "sudo") PAM (, "my_pam_service"), : ad_gpo_map_permit = +my_pam_service, -sudo : PAM : o polkit-1 o sudo o sudo-i o systemd-user ad_gpo_map_deny () PAM, GPO, GPO. PAM "+service_name". , PAM. , PAM (, "my_pam_service"), : ad_gpo_map_deny = +my_pam_service : ad_gpo_default_right () , PAM, ad_gpo_map_*. . : . , <> , PAM InteractiveLogonRight DenyInteractiveLogonRight. : PAM. : o interactive o remote_interactive o network o batch o service o permit o deny : deny ad_maximum_machine_account_password_age ( ) SSSD , ( ) , . <<0>> . : 30 ad_machine_account_password_renewal_opts () . 2 , (<<:>>). ( ) . - ( ) . : 86400:750 (24 15 ) ad_update_samba_machine_account_password ( ) , SSSD , Samba. Samba, AD . : false ad_use_ldaps ( ) SSSD LDAP 389 3628. <>, SSSD LDAPS 636 3629 LDAPS. AD SASL/GSSAPI SASL/GSS-SPNEGO , SASL maxssf <<0>> (). : false ad_allow_remote_domain_local_groups ( ) "true", SSSD , , AD. (, ), . , AD Linux. , "true" Active Directory . , , , , . POSIX, Linux -- . Active Directory : PAC Kerberos tokenGroups , . , "true" tokenGroups "ldap_use_tokengroups" "false" . , "ad_enable_gc" "false". , , "ldap_group_nesting_level", , , . : false dyndns_update ( ) . SSSD DNS Active Directory IP- . GSS-TSIG. , Active Directory DNS. IP- LDAP- AD, "dyndns_iface" . : (, RHEL 5) Kerberos /etc/krb5.conf : true dyndns_ttl ( ) TTL, DNS . dyndns_update <>, . TTL , . : 3600 () dyndns_iface () . , dyndns_update <>. , IP- DNS. "*" , IP- . : IP- , LDAP AD : dyndns_iface = em1, vnet1, vnet2 dyndns_refresh_interval ( ) DNS , . , dyndns_update <>. , 60 : , (60 ). : 86400 (24 ) dyndns_update_ptr ( ) PTR DNS . , dyndns_update <>. Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately. : true dyndns_force_tcp ( ) nsupdate TCP DNS. : false ( nsupdate ) dyndns_auth () nsupdate GSS-TSIG DNS. , <>. : GSS-TSIG dyndns_auth_ptr () nsupdate GSS-TSIG PTR DNS. , <>. : , dyndns_auth dyndns_server () DNS, DNS. . , DNS . , , , . : none ( nsupdate ) dyndns_update_per_family ( ) DNS : IPv4, IPv4. IPv4 IPv6 . : true override_homedir () . , . : %u %U UID %d %f (user@domain) %l . %P UPN -- - (name@REALM) %o , . %h , , . %H homedir_substring. %% <<%>> . : override_homedir = /home/%u : (SSSD , LDAP) , , (. sss_override(8)) IPA, , override_homedir. homedir_substring () override_homedir, %H. LDAP , ( ). [nss]. , , , [nss]. : /home krb5_confd_path () , SSSD Kerberos. , <>. : ( krb5.include.d pubconf SSSD) . AD : KRB5 o krb5_validate = true o krb5_use_enterprise_principal = true LDAP o ldap_schema = ad o ldap_force_upper_case_realm = true o ldap_id_mapping = true o ldap_sasl_mech = GSS-SPNEGO o ldap_referrals = false o ldap_account_expire_policy = ad o ldap_use_tokengroups = true o ldap_sasl_authid = sAMAccountName@REALM ( SHORTNAME$@REALM) AD , LDAP, Active Directory : - -. TGT -, -- sAMAccountName AD. host/hostname@REALM - , , TGT. NSS o fallback_homedir = /home/%d/%u AD <>, homeDirectory. AD POSIX , <>. : , /home/%u. , . , SELinux SELinux; SELinux. . ; . . . : (primary) (backup). , , , . , 31- -. SSSD . , () . . ; , . . , . , , . , . , , , ; 30 . , 30 . - , , DNS, , , , . , SSSD . SSSD , , -. . sssd.conf(5). dns_resolver_server_timeout ( ), SSSD DNS . : 1000 dns_resolver_op_timeout ( ), SSSD DNS (, SRV) . : 3 dns_resolver_timeout SSSD . , , SRV DNS . : 6 LDAP LDAP-. , - "ldap_opt_timeout" , "dns_resolver_timeout", , , , "dns_resolver_op_timeout", "dns_resolver_server_timeout". , , DNS. . , , . () , , "_srv_". . , , , , , DNS. "dns_discovery_domain" sssd.conf(5). _tcp. . . RFC 2782. SSSD Active Directory, POSIX . : , uidNumber gidNumber . , , , . , , . , , , . SSSD , SSSD . , , ; . . sss_cache(8), : o o SSSD o o SSSD , , , . Active Directory objectSID . objectSID , Active Directory (RID) . SSSD UID -- <<>>. , Active Directory. SSSD , SSSD . , : SID murmurhash3 32- . . : . , ( , , ). POSIX Active Directory ( ), , . . "". ( "[domain/DOMAINNAME]"): ldap_id_mapping = True ldap_schema = ad 10000 , 200000 , 200000 2000200000. . ldap_idmap_range_min ( ) () POSIX, SID Active Directory. POSIX, . : "min_id": "min_id" , . , "min_id" "ldap_idmap_range_min" : 200000 ldap_idmap_range_max ( ) ( ) POSIX, SID Active Directory. POSIX, , .. , . : "max_id": "max_id" , . , "max_id" "ldap_idmap_range_max" : 2000200000 ldap_idmap_range_size ( ) , . , , . : RID , Active Directory. , RID . , Active Directory objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "ldap_idmap_range_size" 1108, SID SID (.. 1108 = 1107 - 0 + 1). , , , . : 200000 ldap_idmap_default_domain_sid () SID . , , murmurhash. : ldap_idmap_default_domain () . : ldap_idmap_autorid_compat ( ) , "idmap_autorid" winbind. When this option is configured, domains will be allocated starting with slice zero and increasing monotonically with each additional domain. : ( , ). , winbind, "ldap_idmap_default_domain_sid", . : false ldap_idmap_helper_table_size ( ) , UNIX SID. : , SID UNIX RID SID . ldap_idmap_helper_table_size , . : 10 SID SSSD SID, SID . , SID, Linux/UNIX, POSIX. SID , . SID o Null Authority o World Authority o Local Authority o Creator Authority o Mandatory Label Authority o Authentication Authority o NT Authority o Built-in SID. SID , SID, SSSD SID . , SID . , sssd.conf : "NULL AUTHORITY", "WORLD AUTHORITY", " LOCAL AUTHORITY", "CREATOR AUTHORITY", "MANDATORY LABEL AUTHORITY", "AUTHENTICATION AUTHORITY", "NT AUTHORITY" "BUILTIN". , SSSD example.com -- [sssd]. , AD. [domain/EXAMPLE] id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad ad_server = dc1.example.com ad_hostname = client.example.com ad_domain = example.com AD , . , LDAP: access_provider = ldap ldap_access_order = expire ldap_account_expire_policy = ad , "ad" , "permit". , , "ad", , URI LDAP . autofs "ad", RFC2307 (nisMap, nisObject, ...), Active Directory. . sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd- krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd- sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS (<<>>) SSSD -- https://github.com/SSSD/sssd/ NOTES 1. Active Directory https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/manage/understand-security-groups 2. Active Directory MS, LDAP https://msdn.microsoft.com/en-us/library/cc223367.aspx SSSD 04/09/2024 SSSD-AD(5)