1SSSD-AD(5) File Formats and Conventions SSSD-AD(5)
2
6 sssd-ad - SSSD Active Directory provider
7
9 This manual page describes the configuration of the AD provider for
10 sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
11 section of the sssd.conf(5) manual page.
12 The AD provider is a back end used to connect to an Active Directory
14 server. This provider requires that the machine be joined to the AD
15 domain and a keytab is available. Back end communication occurs over a
16 GSSAPI-encrypted channel, SSL/TLS options should not be used with the
17 AD provider and will be superseded by Kerberos usage.
18 The AD provider supports connecting to Active Directory 2008 R2 or
20 later. Earlier versions may work, but are unsupported.
21 The AD provider can be used to get user information and authenticate
23 users from trusted domains. Currently only trusted domains in the same
24 forest are recognized. In addition servers from trusted domains are
25 always auto-discovered.
26 The AD provider enables SSSD to use the sssd-ldap(5) identity provider
28 and the sssd-krb5(5) authentication provider with optimizations for
29 Active Directory environments. The AD provider accepts the same options
30 used by the sssd-ldap and sssd-krb5 providers with some exceptions.
31 However, it is neither necessary nor recommended to set these options.
32 The AD provider primarily copies the traditional ldap and krb5 provider
34 default options with some exceptions, the differences are listed in the
35 “MODIFIED DEFAULT OPTIONS” section.
36 The AD provider can also be used as an access, chpass, sudo and autofs
38 provider. No configuration of the access provider is required on the
39 client side.
40 If “auth_provider=ad” or “access_provider=ad” is configured in
42 sssd.conf then the id_provider must also be set to “ad”.
43 By default, the AD provider will map UID and GID values from the
45 objectSID parameter in Active Directory. For details on this, see the
46 “ID MAPPING” section below. If you want to disable ID mapping and
47 instead rely on POSIX attributes defined in Active Directory, you
48 should set
49 ldap_id_mapping = False
51 If POSIX attributes should be used, it is recommended for performance
54 reasons that the attributes are also replicated to the Global Catalog.
55 If POSIX attributes are replicated, SSSD will attempt to locate the
56 domain of a requested numerical ID with the help of the Global Catalog
57 and only search that domain. In contrast, if POSIX attributes are not
58 replicated to the Global Catalog, SSSD must search all the domains in
59 the forest sequentially. Please note that the “cache_first” option
60 might be also helpful in speeding up domainless searches. Note that if
61 only a subset of POSIX attributes is present in the Global Catalog, the
62 non-replicated attributes are currently not read from the LDAP port.
63 Users, groups and other entities served by SSSD are always treated as
65 case-insensitive in the AD provider for compatibility with Active
66 Directory's LDAP implementation.
67
69 Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
70 for details on the configuration of an SSSD domain.
71 ad_domain (string)
73 Specifies the name of the Active Directory domain. This is
74 optional. If not provided, the configuration domain name is used.
75 For proper operation, this option should be specified as the
77 lower-case version of the long version of the Active Directory
78 domain.
79 The short domain name (also known as the NetBIOS or the flat name)
81 is autodetected by the SSSD.
82 ad_enabled_domains (string)
84 A comma-separated list of enabled Active Directory domains. If
85 provided, SSSD will ignore any domains not listed in this option.
86 If left unset, all domains from the AD forest will be available.
87 For proper operation, this option must be specified in all
89 lower-case and as the fully qualified domain name of the Active
90 Directory domain. For example:
91 ad_enabled_domains = sales.example.com, eng.example.com
93 The short domain name (also known as the NetBIOS or the flat name)
96 will be autodetected by SSSD.
97 Default: Not set
99 ad_server, ad_backup_server (string)
101 The comma-separated list of hostnames of the AD servers to which
102 SSSD should connect in order of preference. For more information on
103 failover and server redundancy, see the “FAILOVER” section.
104 This is optional if autodiscovery is enabled. For more information
106 on service discovery, refer to the “SERVICE DISCOVERY” section.
107 Note: Trusted domains will always auto-discover servers even if the
109 primary server is explicitly defined in the ad_server option.
110 ad_hostname (string)
112 Optional. May be set on machines where the hostname(5) does not
113 reflect the fully qualified name used in the Active Directory
114 domain to identify this host.
115 This field is used to determine the host principal in use in the
117 keytab. It must match the hostname for which the keytab was issued.
118 ad_enable_dns_sites (boolean)
120 Enables DNS sites - location based service discovery.
121 If true and service discovery (see Service Discovery paragraph at
123 the bottom of the man page) is enabled, the SSSD will first attempt
124 to discover the Active Directory server to connect to using the
125 Active Directory Site Discovery and fall back to the DNS SRV
126 records if no AD site is found. The DNS SRV configuration,
127 including the discovery domain, is used during site discovery as
128 well.
129 Default: true
131 ad_access_filter (string)
133 This option specifies LDAP access control filter that the user must
134 match in order to be allowed access. Please note that the
135 “access_provider” option must be explicitly set to “ad” in order
136 for this option to have an effect.
137 The option also supports specifying different filters per domain or
139 forest. This extended filter would consist of:
140 “KEYWORD:NAME:FILTER”. The keyword can be either “DOM”, “FOREST” or
141 missing.
142 If the keyword equals to “DOM” or is missing, then “NAME” specifies
144 the domain or subdomain the filter applies to. If the keyword
145 equals to “FOREST”, then the filter equals to all domains from the
146 forest specified by “NAME”.
147 Multiple filters can be separated with the “?” character,
149 similarly to how search bases work.
150 Nested group membership must be searched for using a special OID
152 “:1.2.840.113556.1.4.1941:” in addition to the full
153 DOM:domain.example.org: syntax to ensure the parser does not
154 attempt to interpret the colon characters associated with the OID.
155 If you do not use this OID then nested group membership will not be
156 resolved. See usage example below and refer here for further
157 information about the OID: [MS-ADTS] section LDAP extensions[1]
158 The most specific match is always used. For example, if the option
160 specified filter for a domain the user is a member of and a global
161 filter, the per-domain filter would be applied. If there are more
162 matches with the same specification, the first one is used.
163 Examples:
165 # apply filter on domain called dom1 only:
167 dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
168 # apply filter on domain called dom2 only:
170 DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
171 # apply filter on forest called EXAMPLE.COM only:
173 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
174 # apply filter for a member of a nested group in dom1:
176 DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
177 Default: Not set
180 ad_site (string)
182 Specify AD site to which client should try to connect. If this
183 option is not provided, the AD site will be auto-discovered.
184 Default: Not set
186 ad_enable_gc (boolean)
188 By default, the SSSD connects to the Global Catalog first to
189 retrieve users from trusted domains and uses the LDAP port to
190 retrieve group memberships or as a fallback. Disabling this option
191 makes the SSSD only connect to the LDAP port of the current AD
192 server.
193 Please note that disabling Global Catalog support does not disable
195 retrieving users from trusted domains. The SSSD would connect to
196 the LDAP port of trusted domains instead. However, Global Catalog
197 must be used in order to resolve cross-domain group memberships.
198 Default: true
200 ad_gpo_access_control (string)
202 This option specifies the operation mode for GPO-based access
203 control functionality: whether it operates in disabled mode,
204 enforcing mode, or permissive mode. Please note that the
205 “access_provider” option must be explicitly set to “ad” in order
206 for this option to have an effect.
207 GPO-based access control functionality uses GPO policy settings to
209 determine whether or not a particular user is allowed to logon to a
210 particular host.
211 NOTE: The current version of SSSD does not support host (computer)
213 entries in the GPO 'Security Filtering' list. Only user and group
214 entries are supported. Host entries in the list have no effect.
215 NOTE: If the operation mode is set to enforcing, it is possible
217 that users that were previously allowed logon access will now be
218 denied logon access (as dictated by the GPO policy settings). In
219 order to facilitate a smooth transition for administrators, a
220 permissive mode is available that will not enforce the access
221 control rules, but will evaluate them and will output a syslog
222 message if access would have been denied. By examining the logs,
223 administrators can then make the necessary changes before setting
224 the mode to enforcing.
225 There are three supported values for this option:
227 · disabled: GPO-based access control rules are neither evaluated
229 nor enforced.
230 · enforcing: GPO-based access control rules are evaluated and
232 enforced.
233 · permissive: GPO-based access control rules are evaluated, but
235 not enforced. Instead, a syslog message will be emitted
236 indicating that the user would have been denied access if this
237 option's value were set to enforcing.
238 Default: enforcing
240 ad_gpo_cache_timeout (integer)
242 The amount of time between lookups of GPO policy files against the
243 AD server. This will reduce the latency and load on the AD server
244 if there are many access-control requests made in a short period.
245 Default: 5 (seconds)
247 ad_gpo_map_interactive (string)
249 A comma-separated list of PAM service names for which GPO-based
250 access control is evaluated based on the InteractiveLogonRight and
251 DenyInteractiveLogonRight policy settings.
252 Note: Using the Group Policy Management Editor this value is called
254 "Allow log on locally" and "Deny log on locally".
255 It is possible to add another PAM service name to the default set
257 by using “+service_name” or to explicitly remove a PAM service name
258 from the default set by using “-service_name”. For example, in
259 order to replace a default PAM service name for this logon right
260 (e.g. “login”) with a custom pam service name (e.g.
261 “my_pam_service”), you would use the following configuration:
262 ad_gpo_map_interactive = +my_pam_service, -login
264 Default: the default set of PAM service names includes:
267 · login
269 · su
271 · su-l
273 · gdm-fingerprint
275 · gdm-password
277 · gdm-smartcard
279 · kdm
281 · lightdm
283 · lxdm
285 · sddm
287 · unity
289 · xdm
291 ad_gpo_map_remote_interactive (string)
294 A comma-separated list of PAM service names for which GPO-based
295 access control is evaluated based on the
296 RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
297 policy settings.
298 Note: Using the Group Policy Management Editor this value is called
300 "Allow log on through Remote Desktop Services" and "Deny log on
301 through Remote Desktop Services".
302 It is possible to add another PAM service name to the default set
304 by using “+service_name” or to explicitly remove a PAM service name
305 from the default set by using “-service_name”. For example, in
306 order to replace a default PAM service name for this logon right
307 (e.g. “sshd”) with a custom pam service name (e.g.
308 “my_pam_service”), you would use the following configuration:
309 ad_gpo_map_remote_interactive = +my_pam_service, -sshd
311 Default: the default set of PAM service names includes:
314 · sshd
316 · cockpit
318 ad_gpo_map_network (string)
321 A comma-separated list of PAM service names for which GPO-based
322 access control is evaluated based on the NetworkLogonRight and
323 DenyNetworkLogonRight policy settings.
324 Note: Using the Group Policy Management Editor this value is called
326 "Access this computer from the network" and "Deny access to this
327 computer from the network".
328 It is possible to add another PAM service name to the default set
330 by using “+service_name” or to explicitly remove a PAM service name
331 from the default set by using “-service_name”. For example, in
332 order to replace a default PAM service name for this logon right
333 (e.g. “ftp”) with a custom pam service name (e.g.
334 “my_pam_service”), you would use the following configuration:
335 ad_gpo_map_network = +my_pam_service, -ftp
337 Default: the default set of PAM service names includes:
340 · ftp
342 · samba
344 ad_gpo_map_batch (string)
347 A comma-separated list of PAM service names for which GPO-based
348 access control is evaluated based on the BatchLogonRight and
349 DenyBatchLogonRight policy settings.
350 Note: Using the Group Policy Management Editor this value is called
352 "Allow log on as a batch job" and "Deny log on as a batch job".
353 It is possible to add another PAM service name to the default set
355 by using “+service_name” or to explicitly remove a PAM service name
356 from the default set by using “-service_name”. For example, in
357 order to replace a default PAM service name for this logon right
358 (e.g. “crond”) with a custom pam service name (e.g.
359 “my_pam_service”), you would use the following configuration:
360 ad_gpo_map_batch = +my_pam_service, -crond
362 Default: the default set of PAM service names includes:
365 · crond
367 ad_gpo_map_service (string)
370 A comma-separated list of PAM service names for which GPO-based
371 access control is evaluated based on the ServiceLogonRight and
372 DenyServiceLogonRight policy settings.
373 Note: Using the Group Policy Management Editor this value is called
375 "Allow log on as a service" and "Deny log on as a service".
376 It is possible to add a PAM service name to the default set by
378 using “+service_name”. Since the default set is empty, it is not
379 possible to remove a PAM service name from the default set. For
380 example, in order to add a custom pam service name (e.g.
381 “my_pam_service”), you would use the following configuration:
382 ad_gpo_map_service = +my_pam_service
384 Default: not set
387 ad_gpo_map_permit (string)
389 A comma-separated list of PAM service names for which GPO-based
390 access is always granted, regardless of any GPO Logon Rights.
391 It is possible to add another PAM service name to the default set
393 by using “+service_name” or to explicitly remove a PAM service name
394 from the default set by using “-service_name”. For example, in
395 order to replace a default PAM service name for unconditionally
396 permitted access (e.g. “sudo”) with a custom pam service name
397 (e.g. “my_pam_service”), you would use the following
398 configuration:
399 ad_gpo_map_permit = +my_pam_service, -sudo
401 Default: the default set of PAM service names includes:
404 · polkit-1
406 · sudo
408 · sudo-i
410 · systemd-user
412 ad_gpo_map_deny (string)
415 A comma-separated list of PAM service names for which GPO-based
416 access is always denied, regardless of any GPO Logon Rights.
417 It is possible to add a PAM service name to the default set by
419 using “+service_name”. Since the default set is empty, it is not
420 possible to remove a PAM service name from the default set. For
421 example, in order to add a custom pam service name (e.g.
422 “my_pam_service”), you would use the following configuration:
423 ad_gpo_map_deny = +my_pam_service
425 Default: not set
428 ad_gpo_default_right (string)
430 This option defines how access control is evaluated for PAM service
431 names that are not explicitly listed in one of the ad_gpo_map_*
432 options. This option can be set in two different manners. First,
433 this option can be set to use a default logon right. For example,
434 if this option is set to 'interactive', it means that unmapped PAM
435 service names will be processed based on the InteractiveLogonRight
436 and DenyInteractiveLogonRight policy settings. Alternatively, this
437 option can be set to either always permit or always deny access for
438 unmapped PAM service names.
439 Supported values for this option include:
441 · interactive
443 · remote_interactive
445 · network
447 · batch
449 · service
451 · permit
453 · deny
455 Default: deny
457 ad_maximum_machine_account_password_age (integer)
459 SSSD will check once a day if the machine account password is older
460 than the given age in days and try to renew it. A value of 0 will
461 disable the renewal attempt.
462 Default: 30 days
464 ad_machine_account_password_renewal_opts (string)
466 This option should only be used to test the machine account renewal
467 task. The option expects 2 integers separated by a colon (':'). The
468 first integer defines the interval in seconds how often the task is
469 run. The second specifies the initial timeout in seconds before the
470 task is run for the first time after startup.
471 Default: 86400:750 (24h and 15m)
473 dyndns_update (boolean)
475 Optional. This option tells SSSD to automatically update the Active
476 Directory DNS server with the IP address of this client. The update
477 is secured using GSS-TSIG. As a consequence, the Active Directory
478 administrator only needs to allow secure updates for the DNS zone.
479 The IP address of the AD LDAP connection is used for the updates,
480 if it is not otherwise specified by using the “dyndns_iface”
481 option.
482 NOTE: On older systems (such as RHEL 5), for this behavior to work
484 reliably, the default Kerberos realm must be set properly in
485 /etc/krb5.conf
486 Default: true
488 dyndns_ttl (integer)
490 The TTL to apply to the client DNS record when updating it. If
491 dyndns_update is false this has no effect. This will override the
492 TTL serverside if set by an administrator.
493 Default: 3600 (seconds)
495 dyndns_iface (string)
497 Optional. Applicable only when dyndns_update is true. Choose the
498 interface or a list of interfaces whose IP addresses should be used
499 for dynamic DNS updates. Special value “*” implies that IPs from
500 all interfaces should be used.
501 Default: Use the IP addresses of the interface which is used for AD
503 LDAP connection
504 Example: dyndns_iface = em1, vnet1, vnet2
506 dyndns_refresh_interval (integer)
508 How often should the back end perform periodic DNS update in
509 addition to the automatic update performed when the back end goes
510 online. This option is optional and applicable only when
511 dyndns_update is true. Note that the lowest possible value is 60
512 seconds in-case if value is provided less than 60, parameter will
513 assume lowest value only.
514 Default: 86400 (24 hours)
516 dyndns_update_ptr (bool)
518 Whether the PTR record should also be explicitly updated when
519 updating the client's DNS records. Applicable only when
520 dyndns_update is true.
521 Default: True
523 dyndns_force_tcp (bool)
525 Whether the nsupdate utility should default to using TCP for
526 communicating with the DNS server.
527 Default: False (let nsupdate choose the protocol)
529 dyndns_auth (string)
531 Whether the nsupdate utility should use GSS-TSIG authentication for
532 secure updates with the DNS server, insecure updates can be sent by
533 setting this option to 'none'.
534 Default: GSS-TSIG
536 dyndns_server (string)
538 The DNS server to use when performing a DNS update. In most setups,
539 it's recommended to leave this option unset.
540 Setting this option makes sense for environments where the DNS
542 server is different from the identity server.
543 Please note that this option will be only used in fallback attempt
545 when previous attempt using autodetected settings failed.
546 Default: None (let nsupdate choose the server)
548 override_homedir (string)
550 Override the user's home directory. You can either provide an
551 absolute value or a template. In the template, the following
552 sequences are substituted:
553 %u
555 login name
556 %U
558 UID number
559 %d
561 domain name
562 %f
564 fully qualified user name (user@domain)
565 %l
567 The first letter of the login name.
568 %P
570 UPN - User Principal Name (name@REALM)
571 %o
573 The original home directory retrieved from the identity
574 provider.
575 %H
577 The value of configure option homedir_substring.
578 %%
580 a literal '%'
581 This option can also be set per-domain.
583 example:
585 override_homedir = /home/%u
587 Default: Not set (SSSD will use the value retrieved from LDAP)
590 homedir_substring (string)
592 The value of this option will be used in the expansion of the
593 override_homedir option if the template contains the format string
594 %H. An LDAP directory entry can directly contain this template so
595 that this option can be used to expand the home directory path for
596 each client machine (or operating system). It can be set per-domain
597 or globally in the [nss] section. A value specified in a domain
598 section will override one set in the [nss] section.
599 Default: /home
601 krb5_confd_path (string)
603 Absolute path of a directory where SSSD should place Kerberos
604 configuration snippets.
605 To disable the creation of the configuration snippets set the
607 parameter to 'none'.
608 Default: not set (krb5.include.d subdirectory of SSSD's pubconf
610 directory)
611
613 Certain option defaults do not match their respective backend provider
614 defaults, these option names and AD provider-specific defaults are
615 listed below:
616 KRB5 Provider
618 · krb5_validate = true
619 · krb5_use_enterprise_principal = true
621 LDAP Provider
623 · ldap_schema = ad
624 · ldap_force_upper_case_realm = true
626 · ldap_id_mapping = true
628 · ldap_sasl_mech = gssapi
630 · ldap_referrals = false
632 · ldap_account_expire_policy = ad
634 · ldap_use_tokengroups = true
636 · ldap_sasl_authid = sAMAccountName@REALM (typically
638 SHORTNAME$@REALM)
639 The AD provider looks for a different principal than the LDAP
641 provider by default, because in an Active Directory environment the
642 principals are divided into two groups - User Principals and
643 Service Principals. Only User Principal can be used to obtain a TGT
644 and by default, computer object's principal is constructed from its
645 sAMAccountName and the AD realm. The well-known host/hostname@REALM
646 principal is a Service Principal and thus cannot be used to get a
647 TGT with.
648 NSS configuration
650 · fallback_homedir = /home/%d/%u
651 The AD provider automatically sets "fallback_homedir = /home/%d/%u"
653 to provide personal home directories for users without the
654 homeDirectory attribute. If your AD Domain is properly populated
655 with Posix attributes, and you want to avoid this fallback
656 behavior, you can explicitly set "fallback_homedir = %o".
657
659 The failover feature allows back ends to automatically switch to a
660 different server if the current server fails.
661 Failover Syntax
663 The list of servers is given as a comma-separated list; any number of
664 spaces is allowed around the comma. The servers are listed in order of
665 preference. The list can contain any number of servers.
666 For each failover-enabled config option, two variants exist: primary
668 and backup. The idea is that servers in the primary list are preferred
669 and backup servers are only searched if no primary servers can be
670 reached. If a backup server is selected, a timeout of 31 seconds is
671 set. After this timeout SSSD will periodically try to reconnect to one
672 of the primary servers. If it succeeds, it will replace the current
673 active (backup) server.
674 The Failover Mechanism
676 The failover mechanism distinguishes between a machine and a service.
677 The back end first tries to resolve the hostname of a given machine; if
678 this resolution attempt fails, the machine is considered offline. No
679 further attempts are made to connect to this machine for any other
680 service. If the resolution attempt succeeds, the back end tries to
681 connect to a service on this machine. If the service connection attempt
682 fails, then only this particular service is considered offline and the
683 back end automatically switches over to the next service. The machine
684 is still considered online and might still be tried for another
685 service.
686 Further connection attempts are made to machines or services marked as
688 offline after a specified period of time; this is currently hard coded
689 to 30 seconds.
690 If there are no more machines to try, the back end as a whole switches
692 to offline mode, and then attempts to reconnect every 30 seconds.
693 Failover time outs and tuning
695 Resolving a server to connect to can be as simple as running a single
696 DNS query or can involve several steps, such as finding the correct
697 site or trying out multiple host names in case some of the configured
698 servers are not reachable. The more complex scenarios can take some
699 time and SSSD needs to balance between providing enough time to finish
700 the resolution process but on the other hand, not trying for too long
701 before falling back to offline mode. If the SSSD debug logs show that
702 the server resolution is timing out before a live server is contacted,
703 you can consider changing the time outs.
704 This section lists the available tunables. Please refer to their
706 description in the sssd.conf(5), manual page.
707 dns_resolver_op_timeout
709 How long would SSSD talk to a single DNS server.
710 dns_resolver_timeout
712 How long would SSSD try to resolve a failover service. This service
713 resolution internally might include several steps, such as
714 resolving DNS SRV queries or locating the site.
715 For LDAP-based providers, the resolve operation is performed as part of
717 an LDAP connection operation. Therefore, also the “ldap_opt_timeout>”
718 timeout should be set to a larger value than “dns_resolver_timeout”
719 which in turn should be set to a larger value than
720 “dns_resolver_op_timeout”.
721
723 The service discovery feature allows back ends to automatically find
724 the appropriate servers to connect to using a special DNS query. This
725 feature is not supported for backup servers.
726 Configuration
728 If no servers are specified, the back end automatically uses service
729 discovery to try to find a server. Optionally, the user may choose to
730 use both fixed server addresses and service discovery by inserting a
731 special keyword, “_srv_”, in the list of servers. The order of
732 preference is maintained. This feature is useful if, for example, the
733 user prefers to use service discovery whenever possible, and fall back
734 to a specific server when no servers can be discovered using DNS.
735 The domain name
737 Please refer to the “dns_discovery_domain” parameter in the
738 sssd.conf(5) manual page for more details.
739 The protocol
741 The queries usually specify _tcp as the protocol. Exceptions are
742 documented in respective option description.
743 See Also
745 For more information on the service discovery mechanism, refer to RFC
746 2782.
747
749 The ID-mapping feature allows SSSD to act as a client of Active
750 Directory without requiring administrators to extend user attributes to
751 support POSIX attributes for user and group identifiers.
752 NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
754 attributes are ignored. This is to avoid the possibility of conflicts
755 between automatically-assigned and manually-assigned values. If you
756 need to use manually-assigned values, ALL values must be
757 manually-assigned.
758 Please note that changing the ID mapping related configuration options
760 will cause user and group IDs to change. At the moment, SSSD does not
761 support changing IDs, so the SSSD database must be removed. Because
762 cached passwords are also stored in the database, removing the database
763 should only be performed while the authentication servers are
764 reachable, otherwise users might get locked out. In order to cache the
765 password, an authentication must be performed. It is not sufficient to
766 use sss_cache(8) to remove the database, rather the process consists
767 of:
768 · Making sure the remote servers are reachable
770 · Stopping the SSSD service
772 · Removing the database
774 · Starting the SSSD service
776 Moreover, as the change of IDs might necessitate the adjustment of
778 other system properties such as file and directory ownership, it's
779 advisable to plan ahead and test the ID mapping configuration
780 thoroughly.
781 Mapping Algorithm
783 Active Directory provides an objectSID for every user and group object
784 in the directory. This objectSID can be broken up into components that
785 represent the Active Directory domain identity and the relative
786 identifier (RID) of the user or group object.
787 The SSSD ID-mapping algorithm takes a range of available UIDs and
789 divides it into equally-sized component sections - called "slices"-.
790 Each slice represents the space available to an Active Directory
791 domain.
792 When a user or group entry for a particular domain is encountered for
794 the first time, the SSSD allocates one of the available slices for that
795 domain. In order to make this slice-assignment repeatable on different
796 client machines, we select the slice based on the following algorithm:
797 The SID string is passed through the murmurhash3 algorithm to convert
799 it to a 32-bit hashed value. We then take the modulus of this value
800 with the total number of available slices to pick the slice.
801 NOTE: It is possible to encounter collisions in the hash and subsequent
803 modulus. In these situations, we will select the next available slice,
804 but it may not be possible to reproduce the same exact set of slices on
805 other machines (since the order that they are encountered will
806 determine their slice). In this situation, it is recommended to either
807 switch to using explicit POSIX attributes in Active Directory
808 (disabling ID-mapping) or configure a default domain to guarantee that
809 at least one is always consistent. See “Configuration” for details.
810 Configuration
812 Minimum configuration (in the “[domain/DOMAINNAME]” section):
813 ldap_id_mapping = True
815 ldap_schema = ad
816 The default configuration results in configuring 10,000 slices, each
818 capable of holding up to 200,000 IDs, starting from 200,000 and going
819 up to 2,000,200,000. This should be sufficient for most deployments.
820 Advanced Configuration
822 ldap_idmap_range_min (integer)
823 Specifies the lower bound of the range of POSIX IDs to use for
824 mapping Active Directory user and group SIDs.
825 NOTE: This option is different from “min_id” in that “min_id”
827 acts to filter the output of requests to this domain, whereas
828 this option controls the range of ID assignment. This is a
829 subtle distinction, but the good general advice would be to
830 have “min_id” be less-than or equal to “ldap_idmap_range_min”
831 Default: 200000
833 ldap_idmap_range_max (integer)
835 Specifies the upper bound of the range of POSIX IDs to use for
836 mapping Active Directory user and group SIDs.
837 NOTE: This option is different from “max_id” in that “max_id”
839 acts to filter the output of requests to this domain, whereas
840 this option controls the range of ID assignment. This is a
841 subtle distinction, but the good general advice would be to
842 have “max_id” be greater-than or equal to
843 “ldap_idmap_range_max”
844 Default: 2000200000
846 ldap_idmap_range_size (integer)
848 Specifies the number of IDs available for each slice. If the
849 range size does not divide evenly into the min and max values,
850 it will create as many complete slices as it can.
851 NOTE: The value of this option must be at least as large as the
853 highest user RID planned for use on the Active Directory
854 server. User lookups and login will fail for any user whose RID
855 is greater than this value.
856 For example, if your most recently-added Active Directory user
858 has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
859 “ldap_idmap_range_size” must be at least 1108 as range size is
860 equal to maximal SID minus minimal SID plus one (e.g. 1108 =
861 1107 - 0 + 1).
862 It is important to plan ahead for future expansion, as changing
864 this value will result in changing all of the ID mappings on
865 the system, leading to users with different local IDs than they
866 previously had.
867 Default: 200000
869 ldap_idmap_default_domain_sid (string)
871 Specify the domain SID of the default domain. This will
872 guarantee that this domain will always be assigned to slice
873 zero in the ID map, bypassing the murmurhash algorithm
874 described above.
875 Default: not set
877 ldap_idmap_default_domain (string)
879 Specify the name of the default domain.
880 Default: not set
882 ldap_idmap_autorid_compat (boolean)
884 Changes the behavior of the ID-mapping algorithm to behave more
885 similarly to winbind's “idmap_autorid” algorithm.
886 When this option is configured, domains will be allocated
888 starting with slice zero and increasing monatomically with each
889 additional domain.
890 NOTE: This algorithm is non-deterministic (it depends on the
892 order that users and groups are requested). If this mode is
893 required for compatibility with machines running winbind, it is
894 recommended to also use the “ldap_idmap_default_domain_sid”
895 option to guarantee that at least one domain is consistently
896 allocated to slice zero.
897 Default: False
899 ldap_idmap_helper_table_size (integer)
901 Maximal number of secondary slices that is tried when
902 performing mapping from UNIX id to SID.
903 Note: Additional secondary slices might be generated when SID
905 is being mapped to UNIX id and RID part of SID is out of range
906 for secondary slices generated so far. If value of
907 ldap_idmap_helper_table_size is equal to 0 then no additional
908 secondary slices are generated.
909 Default: 10
911 Well-Known SIDs
913 SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a
914 special hardcoded meaning. Since the generic users and groups related
915 to those Well-Known SIDs have no equivalent in a Linux/UNIX environment
916 no POSIX IDs are available for those objects.
917 The SID name space is organized in authorities which can be seen as
919 different domains. The authorities for the Well-Known SIDs are
920 · Null Authority
922 · World Authority
924 · Local Authority
926 · Creator Authority
928 · NT Authority
930 · Built-in
932 The capitalized version of these names are used as domain names when
934 returning the fully qualified name of a Well-Known SID.
935 Since some utilities allow to modify SID based access control
937 information with the help of a name instead of using the SID directly
938 SSSD supports to look up the SID by the name as well. To avoid
939 collisions only the fully qualified names can be used to look up
940 Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
941 AUTHORITY”, “ LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
942 “BUILTIN” should not be used as domain names in sssd.conf.
943
945 The following example assumes that SSSD is correctly configured and
946 example.com is one of the domains in the [sssd] section. This example
947 shows only the AD provider-specific options.
948 [domain/EXAMPLE]
950 id_provider = ad
951 auth_provider = ad
952 access_provider = ad
953 chpass_provider = ad
954 ad_server = dc1.example.com
956 ad_hostname = client.example.com
957 ad_domain = example.com
958
961 The AD access control provider checks if the account is expired. It has
962 the same effect as the following configuration of the LDAP provider:
963 access_provider = ldap
965 ldap_access_order = expire
966 ldap_account_expire_policy = ad
967 However, unless the “ad” access control provider is explicitly
969 configured, the default access provider is “permit”. Please note that
970 if you configure an access provider other than “ad”, you need to set
971 all the connection parameters (such as LDAP URIs and encryption
972 details) manually.
973 When the autofs provider is set to “ad”, the RFC2307 schema attribute
975 mapping (nisMap, nisObject, ...) is used, because these attributes are
976 included in the default Active Directory schema.
977
979 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
980 sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-session-recording(5),
981 sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
982 sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
983 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
984 sssd-systemtap(5)
985
987 The SSSD upstream - https://pagure.io/SSSD/sssd/
988
990 1. [MS-ADTS] section LDAP extensions
991 https://msdn.microsoft.com/en-us/library/cc223367.aspx
992SSSD 07/01/2019 SSSD-AD(5)