SSSD-AD(5) NAME sssd-ad - Active Directory SSSD AD sssd(8). , << >> sssd.conf(5). AD , ' Active Directory. , ' AD . GSSAPI. AD SSL/TLS, Kerberos. AD ' Active Directory 2008 R2 . , . AD . . . AD SSSD sssd- ldap(5) sssd-krb5(5) Active Directory. AD , sssd-ldap sssd-krb5, . , ' . AD ldap krb5 . " ". AD , (sudo) autofs. . sssdconf "auth_provider=ad" "access_provider=ad", id_provider "ad". , AD ' UID GID objectSID Active Directory. << >>. POSIX, Active Directory, ldap_id_mapping = False POSIX, . POSIX, SSSD . , POSIX , SSSD . , , "cache_first". , POSIX, LDAP . , , SSSD, AD Active Directory LDAP. SSSD Active Directory. AD, Active Directory[1] SSSD AD. , , , . Active Directory, PAC Kerberos , Active Directory. << >> (man) sssd.conf(5), SSSD. ad_domain () Active Directory. '. , . Active Directory. ( NetBIOS ) SSSD. ad_enabled_domains () A comma-separated list of enabled Active Directory domains. If provided, SSSD will ignore any domains not listed in this option. If left unset, all discovered domains from the AD forest will be available. During the discovery of the domains SSSD will filter out some domains where flags or attributes indicate that they do not belong to the local forest or are not trusted. If ad_enabled_domains is set, SSSD will try to enable all listed domains. Active Directory. : ad_enabled_domains = sales.example.com, eng.example.com ( NetBIOS ) SSSD. : ad_server, ad_backup_server () AD, , SSSD ' . , "". ', . << >>. : , ad_server. ad_hostname () '. , hostname(5) , sssd . , . DNS. , . ad_enable_dns_sites ( ) DNS -- . true (. (man)), SSSD Active Directory ' Active Directory SRV DNS, AD . SRV DNS, , . : true ad_access_filter () LDAP, , . , , <> <>, . . : << ::>>. : <>, <> . <> , <<>> , . <>, , <<>>. <>, . OID ":1.2.840.113556.1.4.1941:", DOM:domain.example.org:, , ' OID. OID, . , , , OID: [MS-ADTS] LDAP[2] . , , , , . , . : # dom1: dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com) # dom2: DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) # EXAMPLE.COM: FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) # dom1: DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) : ad_site () AD, ' . , AD. : ad_enable_gc ( ) , SSSD () ' (Global Catalog). , LDAP . , SSSD ' LDAP AD. , , (Global Catalog) () . SSSD LDAP . , (Global Catalog) ' . : true ad_gpo_access_control () GPO: , . , , , , <> <>. GPO GPO , . , "ad_gpo_map". , , SSSD Active Directory GPO ( Administrators SID S-1-5-32-544) SSSD . . https://pagure.io/SSSD/sssd/issue/5063 . SSSD GPO. GPO, ' . GPO , , , GPO: o Read: GPO (RIGHT_DS_READ_PROPERTY) o Apply Group Policy: GPO (RIGHT_DS_CONTROL_ACCESS). , GPO Authenticated Users, Read Apply Group Policy. GPO , Authenticated Users GPO. : <<>> (enforcing), , , , ( GPO). (permissive), . , . (enforcing). GPO <> (. sssctl(8)). : o disabled: , GPO, . o enforcing: , GPO, . o permissive: GPO, . , , , enforcing. : enforcing ad_gpo_implicit_deny ( ) , GPO, . True, , GPO. , . , , Administrators, GPO, . : False , , , ad_gpo_implicit_deny. +--------------------------------------------------------------+ |ad_gpo_implicit_deny = False ( | |) | +------------+------------+------------------------------------+ |allow-rules | deny-rules | | +------------+------------+------------------------------------+ | missing | missing | | | | | | | | | | +------------+------------+------------------------------------+ | missing | present | | | | | | | | | , | | | | | | | | deny-rules | +------------+------------+------------------------------------+ | present | missing | | | | | | | | | , | | | | allow-rules | +------------+------------+------------------------------------+ | present | present | | | | | | | | | , | | | | allow-rules | | | | | | | | deny-rules | +------------+------------+------------------------------------+ +----------------------------------------------------------------+ | ad_gpo_implicit_deny = True | +------------+------------+--------------------------------------+ |allow-rules | deny-rules | | +------------+------------+--------------------------------------+ | missing | missing | | | | | | | | | | +------------+------------+--------------------------------------+ | missing | present | | | | | | | | | | +------------+------------+--------------------------------------+ | present | missing | | | | | | | | | , | | | | allow-rules | +------------+------------+--------------------------------------+ | present | present | | | | | | | | | , | | | | allow-rules | | | | | | | | deny-rules | +------------+------------+--------------------------------------+ ad_gpo_ignore_unreadable ( ) , (' AD) ' SSSD, . ' , SSSD. : False ad_gpo_cache_timeout ( ) GPO AD. AD, . : 5 () ad_gpo_map_interactive () PAM, , GPO InteractiveLogonRight DenyInteractiveLogonRight. GPO, Read Apply Group Policy (. "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM <<+_>> PAM <<-_>>. , PAM (, <>) pam (, <>), : ad_gpo_map_interactive = +my_pam_service, -login : PAM : o login o su o su-l o gdm-fingerprint o gdm-password o gdm-smartcard o kdm o lightdm o lxdm o sddm o unity o xdm ad_gpo_map_remote_interactive () PAM, , GPO RemoteInteractiveLogonRight DenyRemoteInteractiveLogonRight. GPO, Read Apply Group Policy (. "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM <<+_>> PAM <<-_>>. , PAM (, <>) pam (, <>), : ad_gpo_map_remote_interactive = +my_pam_service, -sshd : PAM : o sshd o cockpit ad_gpo_map_network () PAM, , GPO NetworkLogonRight DenyNetworkLogonRight. GPO, Read Apply Group Policy (. "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << ' >> (<>) << ' >> (Deny access to this computer from the network>>). PAM <<+_>> PAM <<-_>>. , PAM (, <>) pam (, <>), : ad_gpo_map_network = +my_pam_service, -ftp : PAM : o ftp o samba ad_gpo_map_batch () PAM, , GPO BatchLogonRight DenyBatchLogonRight. GPO, Read Apply Group Policy (. "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM <<+_>> PAM <<-_>>. , PAM (, <>) pam (, <>), : ad_gpo_map_batch = +my_pam_service, -crond : cron Linux . : PAM : o crond ad_gpo_map_service () PAM, , GPO ServiceLogonRight DenyServiceLogonRight. GPO, Read Apply Group Policy (. "ad_gpo_access_control"). GPO , . GPO , . GPO , , . : << >> (<>) << >> (<>). PAM <<+_>>. , PAM . , PAM (, <>), : ad_gpo_map_service = +my_pam_service : not set ad_gpo_map_permit () PAM, , GPO, - GPO. PAM <<+_>> PAM <<-_>>. , PAM (, <>) pam (, <>), : ad_gpo_map_permit = +my_pam_service, -sudo : PAM : o polkit-1 o sudo o sudo-i o systemd-user ad_gpo_map_deny () PAM, , GPO, - GPO. PAM <<+_>>. , PAM . , PAM (, <>), : ad_gpo_map_deny = +my_pam_service : not set ad_gpo_default_right () PAM, ad_gpo_map_*. . -, , . , <>, ' PAM InteractiveLogonRight DenyInteractiveLogonRight. , , ' PAM. : o interactive o remote_interactive o network o batch o service o permit o deny : deny ad_maximum_machine_account_password_age ( ) SSSD , ' , , . 0 . : 30 ad_machine_account_password_renewal_opts () '. , (<<:>>). . -- . : 86400:750 (24 15 ) ad_update_samba_machine_account_password ( ) , SSSD ' Samba. Samba, AD . : false ad_use_ldaps ( ) , SSSD LDAP 389 Global Catalog 3628. True, SSSD LDAPS 636 Global Catalog 3629 LDAPS. AD ', SASL/GSSAPI SASL/GSS-SPNEGO , SASL maxssf ' 0 (). : False ad_allow_remote_domain_local_groups ( ) "true", SSSD AD. , , , . , AD Linux. , , "true" Active Directory, . , , . POSIX, Linux . Active Directory, PAC Kerberos , tokenGroups, . , "true", tokenGroups "ldap_use_tokengroups" "false" . , "ad_enable_gc" "false". , , "ldap_group_nesting_level", . : False dyndns_update ( ) '. SSSD IP- DNS Active Directory. GSS-TSIG. , Active Directory DNS. IP- ' LDAP AD, <>. : ( RHEL 5) Kerberos /etc/krb5.conf : true dyndns_ttl ( ) TTL, DNS . dyndns_update false, . TTL , . : 3600 () dyndns_iface () '. , dyndns_update true. , IP- DNS. "*" , IP- . : IP- , ' LDAP AD : dyndns_iface = em1, vnet1, vnet2 dyndns_refresh_interval ( ) , DNS , ' . ', , dyndns_update true. , 60 . , 60, . : 86400 (24 ) dyndns_update_ptr ( ) , PTR DNS . , dyndns_update true. Note that dyndns_update_per_family parameter does not apply for PTR record updates. Those updates are always sent separately. : True dyndns_force_tcp ( ) , nsupdate TCP DNS. : False ( nsupdate ) dyndns_auth () , nsupdate GSS-TSIG DNS, <>. : GSS-TSIG dyndns_auth_ptr () , nsupdate GSS-TSIG PTR DNS, <>. : , dyndns_auth dyndns_server () DNS, DNS. . , DNS . , , , . : ( nsupdate ) dyndns_update_per_family ( ) DNS, , -- IPv4, IPv6. IPv4 IPv6 . : true override_homedir () . . : %u ' %U UID %d %f ' (@) %l . %P UPN - User Principal Name ('@) %o , . %h , , . %H homedir_substring. %% (<<%>>) . : override_homedir = /home/%u : (SSSD , LDAP) , , , (. sss_override(8)) IPA, , , override_homedir. homedir_substring () override_homedir, %H. LDAP ' ( ). [nss]. , , , [nss]. : /home krb5_confd_path () , SSSD Kerberos. , <>. : ( krb5.include.d pubconf SSSD) . AD : KRB5 o krb5_validate = true o krb5_use_enterprise_principal = true LDAP o ldap_schema = ad o ldap_force_upper_case_realm = true o ldap_id_mapping = true o ldap_sasl_mech = GSS-SPNEGO o ldap_referrals = false o ldap_account_expire_policy = ad o ldap_use_tokengroups = true o ldap_sasl_authid = sAMAccountName@ ( SHORTNAME$@) AD , LDAP, Active Directory -- . TGT , ' ' sAMAccountName AD. host/hostname@REALM , TGT. NSS o fallback_homedir = /home/%d/%u AD <> homeDirectory. AD Posix , <>. , /home/%u. , . , selinux selinux, selinux. , ' . , . . . - . : . , , , ' . , 31 . SSSD ' . , . ' . '. , ' ' . ' ' . , ' '. ' , , . ' ' , . ' ' , , , . 30 . ' , ' 30 . ' DNS , , . , SSSD . SSSD , ' , . . , sssd.conf(5). dns_resolver_server_timeout , SSSD DNS, ' . : 1000 dns_resolver_op_timeout , , SSSD DNS ( SRV), . : 3 dns_resolver_timeout SSSD . , DNS SRV . : 6 LDAP ' LDAP. "ldap_opt_timeout" , "dns_resolver_timeout", "dns_resolver_op_timeout", "dns_resolver_server_timeout". ' , DNS. . , . , . , <<_srv_>>, . . , , , , , , DNS . <> (man) sssd.conf(5). _tcp. . RFC 2782. SSSD Active Directory POSIX . : , uidNumber gidNumber . . , . , , , ' , . SSSD , , SSSD. , , , . . sss_cache(8), : o , . o SSSD o o SSSD , , , . Active Directory objectSID ' . objectSID , Active Directory (RID) ' . SSSD UID , <<>>. , Active Directory. SSSD , SSSD . , : SID murmurhash3 32- . . : . , ' ( , ). , POSIX Active Directory ( ) , . <<>>. ( "[domain/_]"): ldap_id_mapping = True ldap_schema = ad 10000 , 200000 , 2000000 2000200000. . ldap_idmap_range_min ( ) () POSIX, SID Active Directory. POSIX, '. : "min_id" , "min_id" , . , "min_id" "ldap_idmap_range_min" : 200000 ldap_idmap_range_max ( ) () POSIX, SID Active Directory. POSIX, ', , , '. : "max_id" , "max_id" , . , "max_id" "ldap_idmap_range_max" : 2000200000 ldap_idmap_range_size ( ) . , . : RID Active Directory. - RID, , . : Active Directory objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, <> , 1108, SID SID 1. (, 1108 = 1107 - 0 + 1). , ' , . : 200000 ldap_idmap_default_domain_sid () SID . , murmurhash . : not set ldap_idmap_default_domain () . : not set ldap_idmap_autorid_compat ( ) , "idmap_autorid" winbind. When this option is configured, domains will be allocated starting with slice zero and increasing monotonically with each additional domain. : ( ). , winbind, , "ldap_idmap_default_domain_sid" . : False ldap_idmap_helper_table_size ( ) , ' UNIX SID. : ' SID UNIX , RID SID . ldap_idmap_helper_table_size 0, . : 10 SID SSSD (Well-Known) SID, SID . , ' SID Linux/UNIX, POSIX ' . SID , . (Well-Known) SID o (Null Authority) o (World Authority) o (Local Authority) o (Creator Authority) o ' o o NT (NT Authority) o (Built-in) (Well-Known) SID. SID , , SSSD SID . , (Well-Known) SID . , sssd.conf : <>, <>, <>, <>, <>, <>, <> <>. , SSSD , example.com [sssd]. , AD. [domain/EXAMPLE] id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad ad_server = dc1.example.com ad_hostname = client.example.com ad_domain = example.com AD , . , LDAP: access_provider = ldap ldap_access_order = expire ldap_account_expire_policy = ad , <>, <>. , , , <>, ' ( LDAP ) . autofs "ad", ' RFC2307 (nisMap, nisObject, ...), Active Directory. sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd- krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd- sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS SSSD -- https://pagure.io/SSSD/sssd/ NOTES 1. Active Directory https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/manage/understand-security-groups 2. [MS-ADTS] LDAP https://msdn.microsoft.com/en-us/library/cc223367.aspx SSSD 04/09/2024 SSSD-AD(5)