1SSSD-AD(5) File Formats and Conventions SSSD-AD(5)
2
3
4
6 sssd-ad - SSSD Active Directory provider
7
9 This manual page describes the configuration of the AD provider for
10 sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
11 section of the sssd.conf(5) manual page.
12
13 The AD provider is a back end used to connect to an Active Directory
14 server. This provider requires that the machine be joined to the AD
15 domain and a keytab is available. Back end communication occurs over a
16 GSSAPI-encrypted channel, SSL/TLS options should not be used with the
17 AD provider and will be superseded by Kerberos usage.
18
19 The AD provider supports connecting to Active Directory 2008 R2 or
20 later. Earlier versions may work, but are unsupported.
21
22 The AD provider can be used to get user information and authenticate
23 users from trusted domains. Currently only trusted domains in the same
24 forest are recognized. In addition servers from trusted domains are
25 always auto-discovered.
26
27 The AD provider enables SSSD to use the sssd-ldap(5) identity provider
28 and the sssd-krb5(5) authentication provider with optimizations for
29 Active Directory environments. The AD provider accepts the same options
30 used by the sssd-ldap and sssd-krb5 providers with some exceptions.
31 However, it is neither necessary nor recommended to set these options.
32
33 The AD provider primarily copies the traditional ldap and krb5 provider
34 default options with some exceptions, the differences are listed in the
35 “MODIFIED DEFAULT OPTIONS” section.
36
37 The AD provider can also be used as an access, chpass, sudo and autofs
38 provider. No configuration of the access provider is required on the
39 client side.
40
41 If “auth_provider=ad” or “access_provider=ad” is configured in
42 sssd.conf then the id_provider must also be set to “ad”.
43
44 By default, the AD provider will map UID and GID values from the
45 objectSID parameter in Active Directory. For details on this, see the
46 “ID MAPPING” section below. If you want to disable ID mapping and
47 instead rely on POSIX attributes defined in Active Directory, you
48 should set
49
50 ldap_id_mapping = False
51
52
53 If POSIX attributes should be used, it is recommended for performance
54 reasons that the attributes are also replicated to the Global Catalog.
55 If POSIX attributes are replicated, SSSD will attempt to locate the
56 domain of a requested numerical ID with the help of the Global Catalog
57 and only search that domain. In contrast, if POSIX attributes are not
58 replicated to the Global Catalog, SSSD must search all the domains in
59 the forest sequentially. Please note that the “cache_first” option
60 might be also helpful in speeding up domainless searches. Note that if
61 only a subset of POSIX attributes is present in the Global Catalog, the
62 non-replicated attributes are currently not read from the LDAP port.
63
64 Users, groups and other entities served by SSSD are always treated as
65 case-insensitive in the AD provider for compatibility with Active
66 Directory's LDAP implementation.
67
69 Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
70 for details on the configuration of an SSSD domain.
71
72 ad_domain (string)
73 Specifies the name of the Active Directory domain. This is
74 optional. If not provided, the configuration domain name is used.
75
76 For proper operation, this option should be specified as the
77 lower-case version of the long version of the Active Directory
78 domain.
79
80 The short domain name (also known as the NetBIOS or the flat name)
81 is autodetected by the SSSD.
82
83 ad_enabled_domains (string)
84 A comma-separated list of enabled Active Directory domains. If
85 provided, SSSD will ignore any domains not listed in this option.
86 If left unset, all domains from the AD forest will be available.
87
88 For proper operation, this option must be specified in all
89 lower-case and as the fully qualified domain name of the Active
90 Directory domain. For example:
91
92 ad_enabled_domains = sales.example.com, eng.example.com
93
94
95 The short domain name (also known as the NetBIOS or the flat name)
96 will be autodetected by SSSD.
97
98 Default: Not set
99
100 ad_server, ad_backup_server (string)
101 The comma-separated list of hostnames of the AD servers to which
102 SSSD should connect in order of preference. For more information on
103 failover and server redundancy, see the “FAILOVER” section.
104
105 This is optional if autodiscovery is enabled. For more information
106 on service discovery, refer to the “SERVICE DISCOVERY” section.
107
108 Note: Trusted domains will always auto-discover servers even if the
109 primary server is explicitly defined in the ad_server option.
110
111 ad_hostname (string)
112 Optional. May be set on machines where the hostname(5) does not
113 reflect the fully qualified name used in the Active Directory
114 domain to identify this host.
115
116 This field is used to determine the host principal in use in the
117 keytab. It must match the hostname for which the keytab was issued.
118
119 ad_enable_dns_sites (boolean)
120 Enables DNS sites - location based service discovery.
121
122 If true and service discovery (see Service Discovery paragraph at
123 the bottom of the man page) is enabled, the SSSD will first attempt
124 to discover the Active Directory server to connect to using the
125 Active Directory Site Discovery and fall back to the DNS SRV
126 records if no AD site is found. The DNS SRV configuration,
127 including the discovery domain, is used during site discovery as
128 well.
129
130 Default: true
131
132 ad_access_filter (string)
133 This option specifies LDAP access control filter that the user must
134 match in order to be allowed access. Please note that the
135 “access_provider” option must be explicitly set to “ad” in order
136 for this option to have an effect.
137
138 The option also supports specifying different filters per domain or
139 forest. This extended filter would consist of:
140 “KEYWORD:NAME:FILTER”. The keyword can be either “DOM”, “FOREST” or
141 missing.
142
143 If the keyword equals to “DOM” or is missing, then “NAME” specifies
144 the domain or subdomain the filter applies to. If the keyword
145 equals to “FOREST”, then the filter equals to all domains from the
146 forest specified by “NAME”.
147
148 Multiple filters can be separated with the “?” character,
149 similarly to how search bases work.
150
151 Nested group membership must be searched for using a special OID
152 “:1.2.840.113556.1.4.1941:” in addition to the full
153 DOM:domain.example.org: syntax to ensure the parser does not
154 attempt to interpret the colon characters associated with the OID.
155 If you do not use this OID then nested group membership will not be
156 resolved. See usage example below and refer here for further
157 information about the OID: [MS-ADTS] section LDAP extensions[1]
158
159 The most specific match is always used. For example, if the option
160 specified filter for a domain the user is a member of and a global
161 filter, the per-domain filter would be applied. If there are more
162 matches with the same specification, the first one is used.
163
164 Examples:
165
166 # apply filter on domain called dom1 only:
167 dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
168
169 # apply filter on domain called dom2 only:
170 DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
171
172 # apply filter on forest called EXAMPLE.COM only:
173 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
174
175 # apply filter for a member of a nested group in dom1:
176 DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
177
178
179 Default: Not set
180
181 ad_site (string)
182 Specify AD site to which client should try to connect. If this
183 option is not provided, the AD site will be auto-discovered.
184
185 Default: Not set
186
187 ad_enable_gc (boolean)
188 By default, the SSSD connects to the Global Catalog first to
189 retrieve users from trusted domains and uses the LDAP port to
190 retrieve group memberships or as a fallback. Disabling this option
191 makes the SSSD only connect to the LDAP port of the current AD
192 server.
193
194 Please note that disabling Global Catalog support does not disable
195 retrieving users from trusted domains. The SSSD would connect to
196 the LDAP port of trusted domains instead. However, Global Catalog
197 must be used in order to resolve cross-domain group memberships.
198
199 Default: true
200
201 ad_gpo_access_control (string)
202 This option specifies the operation mode for GPO-based access
203 control functionality: whether it operates in disabled mode,
204 enforcing mode, or permissive mode. Please note that the
205 “access_provider” option must be explicitly set to “ad” in order
206 for this option to have an effect.
207
208 GPO-based access control functionality uses GPO policy settings to
209 determine whether or not a particular user is allowed to logon to a
210 particular host.
211
212 NOTE: The current version of SSSD does not support host (computer)
213 entries in the GPO 'Security Filtering' list. Only user and group
214 entries are supported. Host entries in the list have no effect.
215
216 NOTE: If the operation mode is set to enforcing, it is possible
217 that users that were previously allowed logon access will now be
218 denied logon access (as dictated by the GPO policy settings). In
219 order to facilitate a smooth transition for administrators, a
220 permissive mode is available that will not enforce the access
221 control rules, but will evaluate them and will output a syslog
222 message if access would have been denied. By examining the logs,
223 administrators can then make the necessary changes before setting
224 the mode to enforcing.
225
226 There are three supported values for this option:
227
228 · disabled: GPO-based access control rules are neither evaluated
229 nor enforced.
230
231 · enforcing: GPO-based access control rules are evaluated and
232 enforced.
233
234 · permissive: GPO-based access control rules are evaluated, but
235 not enforced. Instead, a syslog message will be emitted
236 indicating that the user would have been denied access if this
237 option's value were set to enforcing.
238
239 Default: enforcing
240
241 ad_gpo_implicit_deny (boolean)
242 Normally when no applicable GPOs are found the users are allowed
243 access. When this option is set to True users will be allowed
244 access only when explicitly allowed by a GPO rule. Otherwise users
245 will be denied access. This can be used to harden security but be
246 careful when using this option because it can deny access even to
247 users in the built-in Administrators group if no GPO rules apply to
248 them.
249
250 Default: False
251
252 ad_gpo_ignore_unreadable (boolean)
253 Normally when some group policy containers (AD object) of
254 applicable group policy objects are not readable by SSSD then users
255 are denied access. This option allows to ignore group policy
256 containers and with them associated policies if their attributes in
257 group policy containers are not readable for SSSD.
258
259 Default: False
260
261 ad_gpo_cache_timeout (integer)
262 The amount of time between lookups of GPO policy files against the
263 AD server. This will reduce the latency and load on the AD server
264 if there are many access-control requests made in a short period.
265
266 Default: 5 (seconds)
267
268 ad_gpo_map_interactive (string)
269 A comma-separated list of PAM service names for which GPO-based
270 access control is evaluated based on the InteractiveLogonRight and
271 DenyInteractiveLogonRight policy settings.
272
273 Note: Using the Group Policy Management Editor this value is called
274 "Allow log on locally" and "Deny log on locally".
275
276 It is possible to add another PAM service name to the default set
277 by using “+service_name” or to explicitly remove a PAM service name
278 from the default set by using “-service_name”. For example, in
279 order to replace a default PAM service name for this logon right
280 (e.g. “login”) with a custom pam service name (e.g.
281 “my_pam_service”), you would use the following configuration:
282
283 ad_gpo_map_interactive = +my_pam_service, -login
284
285
286 Default: the default set of PAM service names includes:
287
288 · login
289
290 · su
291
292 · su-l
293
294 · gdm-fingerprint
295
296 · gdm-password
297
298 · gdm-smartcard
299
300 · kdm
301
302 · lightdm
303
304 · lxdm
305
306 · sddm
307
308 · unity
309
310 · xdm
311
312
313 ad_gpo_map_remote_interactive (string)
314 A comma-separated list of PAM service names for which GPO-based
315 access control is evaluated based on the
316 RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
317 policy settings.
318
319 Note: Using the Group Policy Management Editor this value is called
320 "Allow log on through Remote Desktop Services" and "Deny log on
321 through Remote Desktop Services".
322
323 It is possible to add another PAM service name to the default set
324 by using “+service_name” or to explicitly remove a PAM service name
325 from the default set by using “-service_name”. For example, in
326 order to replace a default PAM service name for this logon right
327 (e.g. “sshd”) with a custom pam service name (e.g.
328 “my_pam_service”), you would use the following configuration:
329
330 ad_gpo_map_remote_interactive = +my_pam_service, -sshd
331
332
333 Default: the default set of PAM service names includes:
334
335 · sshd
336
337 · cockpit
338
339
340 ad_gpo_map_network (string)
341 A comma-separated list of PAM service names for which GPO-based
342 access control is evaluated based on the NetworkLogonRight and
343 DenyNetworkLogonRight policy settings.
344
345 Note: Using the Group Policy Management Editor this value is called
346 "Access this computer from the network" and "Deny access to this
347 computer from the network".
348
349 It is possible to add another PAM service name to the default set
350 by using “+service_name” or to explicitly remove a PAM service name
351 from the default set by using “-service_name”. For example, in
352 order to replace a default PAM service name for this logon right
353 (e.g. “ftp”) with a custom pam service name (e.g.
354 “my_pam_service”), you would use the following configuration:
355
356 ad_gpo_map_network = +my_pam_service, -ftp
357
358
359 Default: the default set of PAM service names includes:
360
361 · ftp
362
363 · samba
364
365
366 ad_gpo_map_batch (string)
367 A comma-separated list of PAM service names for which GPO-based
368 access control is evaluated based on the BatchLogonRight and
369 DenyBatchLogonRight policy settings.
370
371 Note: Using the Group Policy Management Editor this value is called
372 "Allow log on as a batch job" and "Deny log on as a batch job".
373
374 It is possible to add another PAM service name to the default set
375 by using “+service_name” or to explicitly remove a PAM service name
376 from the default set by using “-service_name”. For example, in
377 order to replace a default PAM service name for this logon right
378 (e.g. “crond”) with a custom pam service name (e.g.
379 “my_pam_service”), you would use the following configuration:
380
381 ad_gpo_map_batch = +my_pam_service, -crond
382
383
384 Note: Cron service name may differ depending on Linux distribution
385 used.
386
387 Default: the default set of PAM service names includes:
388
389 · crond
390
391
392 ad_gpo_map_service (string)
393 A comma-separated list of PAM service names for which GPO-based
394 access control is evaluated based on the ServiceLogonRight and
395 DenyServiceLogonRight policy settings.
396
397 Note: Using the Group Policy Management Editor this value is called
398 "Allow log on as a service" and "Deny log on as a service".
399
400 It is possible to add a PAM service name to the default set by
401 using “+service_name”. Since the default set is empty, it is not
402 possible to remove a PAM service name from the default set. For
403 example, in order to add a custom pam service name (e.g.
404 “my_pam_service”), you would use the following configuration:
405
406 ad_gpo_map_service = +my_pam_service
407
408
409 Default: not set
410
411 ad_gpo_map_permit (string)
412 A comma-separated list of PAM service names for which GPO-based
413 access is always granted, regardless of any GPO Logon Rights.
414
415 It is possible to add another PAM service name to the default set
416 by using “+service_name” or to explicitly remove a PAM service name
417 from the default set by using “-service_name”. For example, in
418 order to replace a default PAM service name for unconditionally
419 permitted access (e.g. “sudo”) with a custom pam service name
420 (e.g. “my_pam_service”), you would use the following
421 configuration:
422
423 ad_gpo_map_permit = +my_pam_service, -sudo
424
425
426 Default: the default set of PAM service names includes:
427
428 · polkit-1
429
430 · sudo
431
432 · sudo-i
433
434 · systemd-user
435
436
437 ad_gpo_map_deny (string)
438 A comma-separated list of PAM service names for which GPO-based
439 access is always denied, regardless of any GPO Logon Rights.
440
441 It is possible to add a PAM service name to the default set by
442 using “+service_name”. Since the default set is empty, it is not
443 possible to remove a PAM service name from the default set. For
444 example, in order to add a custom pam service name (e.g.
445 “my_pam_service”), you would use the following configuration:
446
447 ad_gpo_map_deny = +my_pam_service
448
449
450 Default: not set
451
452 ad_gpo_default_right (string)
453 This option defines how access control is evaluated for PAM service
454 names that are not explicitly listed in one of the ad_gpo_map_*
455 options. This option can be set in two different manners. First,
456 this option can be set to use a default logon right. For example,
457 if this option is set to 'interactive', it means that unmapped PAM
458 service names will be processed based on the InteractiveLogonRight
459 and DenyInteractiveLogonRight policy settings. Alternatively, this
460 option can be set to either always permit or always deny access for
461 unmapped PAM service names.
462
463 Supported values for this option include:
464
465 · interactive
466
467 · remote_interactive
468
469 · network
470
471 · batch
472
473 · service
474
475 · permit
476
477 · deny
478
479 Default: deny
480
481 ad_maximum_machine_account_password_age (integer)
482 SSSD will check once a day if the machine account password is older
483 than the given age in days and try to renew it. A value of 0 will
484 disable the renewal attempt.
485
486 Default: 30 days
487
488 ad_machine_account_password_renewal_opts (string)
489 This option should only be used to test the machine account renewal
490 task. The option expects 2 integers separated by a colon (':'). The
491 first integer defines the interval in seconds how often the task is
492 run. The second specifies the initial timeout in seconds before the
493 task is run for the first time after startup.
494
495 Default: 86400:750 (24h and 15m)
496
497 dyndns_update (boolean)
498 Optional. This option tells SSSD to automatically update the Active
499 Directory DNS server with the IP address of this client. The update
500 is secured using GSS-TSIG. As a consequence, the Active Directory
501 administrator only needs to allow secure updates for the DNS zone.
502 The IP address of the AD LDAP connection is used for the updates,
503 if it is not otherwise specified by using the “dyndns_iface”
504 option.
505
506 NOTE: On older systems (such as RHEL 5), for this behavior to work
507 reliably, the default Kerberos realm must be set properly in
508 /etc/krb5.conf
509
510 Default: true
511
512 dyndns_ttl (integer)
513 The TTL to apply to the client DNS record when updating it. If
514 dyndns_update is false this has no effect. This will override the
515 TTL serverside if set by an administrator.
516
517 Default: 3600 (seconds)
518
519 dyndns_iface (string)
520 Optional. Applicable only when dyndns_update is true. Choose the
521 interface or a list of interfaces whose IP addresses should be used
522 for dynamic DNS updates. Special value “*” implies that IPs from
523 all interfaces should be used.
524
525 Default: Use the IP addresses of the interface which is used for AD
526 LDAP connection
527
528 Example: dyndns_iface = em1, vnet1, vnet2
529
530 dyndns_refresh_interval (integer)
531 How often should the back end perform periodic DNS update in
532 addition to the automatic update performed when the back end goes
533 online. This option is optional and applicable only when
534 dyndns_update is true. Note that the lowest possible value is 60
535 seconds in-case if value is provided less than 60, parameter will
536 assume lowest value only.
537
538 Default: 86400 (24 hours)
539
540 dyndns_update_ptr (bool)
541 Whether the PTR record should also be explicitly updated when
542 updating the client's DNS records. Applicable only when
543 dyndns_update is true.
544
545 Default: True
546
547 dyndns_force_tcp (bool)
548 Whether the nsupdate utility should default to using TCP for
549 communicating with the DNS server.
550
551 Default: False (let nsupdate choose the protocol)
552
553 dyndns_auth (string)
554 Whether the nsupdate utility should use GSS-TSIG authentication for
555 secure updates with the DNS server, insecure updates can be sent by
556 setting this option to 'none'.
557
558 Default: GSS-TSIG
559
560 dyndns_server (string)
561 The DNS server to use when performing a DNS update. In most setups,
562 it's recommended to leave this option unset.
563
564 Setting this option makes sense for environments where the DNS
565 server is different from the identity server.
566
567 Please note that this option will be only used in fallback attempt
568 when previous attempt using autodetected settings failed.
569
570 Default: None (let nsupdate choose the server)
571
572 dyndns_update_per_family (boolean)
573 DNS update is by default performed in two steps - IPv4 update and
574 then IPv6 update. In some cases it might be desirable to perform
575 IPv4 and IPv6 update in single step.
576
577 Default: true
578
579 override_homedir (string)
580 Override the user's home directory. You can either provide an
581 absolute value or a template. In the template, the following
582 sequences are substituted:
583
584 %u
585 login name
586
587 %U
588 UID number
589
590 %d
591 domain name
592
593 %f
594 fully qualified user name (user@domain)
595
596 %l
597 The first letter of the login name.
598
599 %P
600 UPN - User Principal Name (name@REALM)
601
602 %o
603 The original home directory retrieved from the identity
604 provider.
605
606 %H
607 The value of configure option homedir_substring.
608
609 %%
610 a literal '%'
611
612 This option can also be set per-domain.
613
614 example:
615
616 override_homedir = /home/%u
617
618
619 Default: Not set (SSSD will use the value retrieved from LDAP)
620
621 homedir_substring (string)
622 The value of this option will be used in the expansion of the
623 override_homedir option if the template contains the format string
624 %H. An LDAP directory entry can directly contain this template so
625 that this option can be used to expand the home directory path for
626 each client machine (or operating system). It can be set per-domain
627 or globally in the [nss] section. A value specified in a domain
628 section will override one set in the [nss] section.
629
630 Default: /home
631
632 krb5_confd_path (string)
633 Absolute path of a directory where SSSD should place Kerberos
634 configuration snippets.
635
636 To disable the creation of the configuration snippets set the
637 parameter to 'none'.
638
639 Default: not set (krb5.include.d subdirectory of SSSD's pubconf
640 directory)
641
643 Certain option defaults do not match their respective backend provider
644 defaults, these option names and AD provider-specific defaults are
645 listed below:
646
647 KRB5 Provider
648 · krb5_validate = true
649
650 · krb5_use_enterprise_principal = true
651
652 LDAP Provider
653 · ldap_schema = ad
654
655 · ldap_force_upper_case_realm = true
656
657 · ldap_id_mapping = true
658
659 · ldap_sasl_mech = gssapi
660
661 · ldap_referrals = false
662
663 · ldap_account_expire_policy = ad
664
665 · ldap_use_tokengroups = true
666
667 · ldap_sasl_authid = sAMAccountName@REALM (typically
668 SHORTNAME$@REALM)
669
670 The AD provider looks for a different principal than the LDAP
671 provider by default, because in an Active Directory environment the
672 principals are divided into two groups - User Principals and
673 Service Principals. Only User Principal can be used to obtain a TGT
674 and by default, computer object's principal is constructed from its
675 sAMAccountName and the AD realm. The well-known host/hostname@REALM
676 principal is a Service Principal and thus cannot be used to get a
677 TGT with.
678
679 NSS configuration
680 · fallback_homedir = /home/%d/%u
681
682 The AD provider automatically sets "fallback_homedir = /home/%d/%u"
683 to provide personal home directories for users without the
684 homeDirectory attribute. If your AD Domain is properly populated
685 with Posix attributes, and you want to avoid this fallback
686 behavior, you can explicitly set "fallback_homedir = %o".
687
689 The failover feature allows back ends to automatically switch to a
690 different server if the current server fails.
691
692 Failover Syntax
693 The list of servers is given as a comma-separated list; any number of
694 spaces is allowed around the comma. The servers are listed in order of
695 preference. The list can contain any number of servers.
696
697 For each failover-enabled config option, two variants exist: primary
698 and backup. The idea is that servers in the primary list are preferred
699 and backup servers are only searched if no primary servers can be
700 reached. If a backup server is selected, a timeout of 31 seconds is
701 set. After this timeout SSSD will periodically try to reconnect to one
702 of the primary servers. If it succeeds, it will replace the current
703 active (backup) server.
704
705 The Failover Mechanism
706 The failover mechanism distinguishes between a machine and a service.
707 The back end first tries to resolve the hostname of a given machine; if
708 this resolution attempt fails, the machine is considered offline. No
709 further attempts are made to connect to this machine for any other
710 service. If the resolution attempt succeeds, the back end tries to
711 connect to a service on this machine. If the service connection attempt
712 fails, then only this particular service is considered offline and the
713 back end automatically switches over to the next service. The machine
714 is still considered online and might still be tried for another
715 service.
716
717 Further connection attempts are made to machines or services marked as
718 offline after a specified period of time; this is currently hard coded
719 to 30 seconds.
720
721 If there are no more machines to try, the back end as a whole switches
722 to offline mode, and then attempts to reconnect every 30 seconds.
723
724 Failover time outs and tuning
725 Resolving a server to connect to can be as simple as running a single
726 DNS query or can involve several steps, such as finding the correct
727 site or trying out multiple host names in case some of the configured
728 servers are not reachable. The more complex scenarios can take some
729 time and SSSD needs to balance between providing enough time to finish
730 the resolution process but on the other hand, not trying for too long
731 before falling back to offline mode. If the SSSD debug logs show that
732 the server resolution is timing out before a live server is contacted,
733 you can consider changing the time outs.
734
735 This section lists the available tunables. Please refer to their
736 description in the sssd.conf(5), manual page.
737
738 dns_resolver_server_timeout
739 Time in milliseconds that sets how long would SSSD talk to a single
740 DNS server before trying next one.
741
742 Default: 1000
743
744 dns_resolver_op_timeout
745 Time in seconds to tell how long would SSSD try to resolve single
746 DNS query (e.g. resolution of a hostname or an SRV record) before
747 trying the next hostname or discovery domain.
748
749 Default: 2
750
751 dns_resolver_timeout
752 How long would SSSD try to resolve a failover service. This service
753 resolution internally might include several steps, such as
754 resolving DNS SRV queries or locating the site.
755
756 Default: 4
757
758 For LDAP-based providers, the resolve operation is performed as part of
759 an LDAP connection operation. Therefore, also the “ldap_opt_timeout>”
760 timeout should be set to a larger value than “dns_resolver_timeout”
761 which in turn should be set to a larger value than
762 “dns_resolver_op_timeout” which should be larger than
763 “dns_resolver_server_timeout”.
764
766 The service discovery feature allows back ends to automatically find
767 the appropriate servers to connect to using a special DNS query. This
768 feature is not supported for backup servers.
769
770 Configuration
771 If no servers are specified, the back end automatically uses service
772 discovery to try to find a server. Optionally, the user may choose to
773 use both fixed server addresses and service discovery by inserting a
774 special keyword, “_srv_”, in the list of servers. The order of
775 preference is maintained. This feature is useful if, for example, the
776 user prefers to use service discovery whenever possible, and fall back
777 to a specific server when no servers can be discovered using DNS.
778
779 The domain name
780 Please refer to the “dns_discovery_domain” parameter in the
781 sssd.conf(5) manual page for more details.
782
783 The protocol
784 The queries usually specify _tcp as the protocol. Exceptions are
785 documented in respective option description.
786
787 See Also
788 For more information on the service discovery mechanism, refer to RFC
789 2782.
790
792 The ID-mapping feature allows SSSD to act as a client of Active
793 Directory without requiring administrators to extend user attributes to
794 support POSIX attributes for user and group identifiers.
795
796 NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
797 attributes are ignored. This is to avoid the possibility of conflicts
798 between automatically-assigned and manually-assigned values. If you
799 need to use manually-assigned values, ALL values must be
800 manually-assigned.
801
802 Please note that changing the ID mapping related configuration options
803 will cause user and group IDs to change. At the moment, SSSD does not
804 support changing IDs, so the SSSD database must be removed. Because
805 cached passwords are also stored in the database, removing the database
806 should only be performed while the authentication servers are
807 reachable, otherwise users might get locked out. In order to cache the
808 password, an authentication must be performed. It is not sufficient to
809 use sss_cache(8) to remove the database, rather the process consists
810 of:
811
812 · Making sure the remote servers are reachable
813
814 · Stopping the SSSD service
815
816 · Removing the database
817
818 · Starting the SSSD service
819
820 Moreover, as the change of IDs might necessitate the adjustment of
821 other system properties such as file and directory ownership, it's
822 advisable to plan ahead and test the ID mapping configuration
823 thoroughly.
824
825 Mapping Algorithm
826 Active Directory provides an objectSID for every user and group object
827 in the directory. This objectSID can be broken up into components that
828 represent the Active Directory domain identity and the relative
829 identifier (RID) of the user or group object.
830
831 The SSSD ID-mapping algorithm takes a range of available UIDs and
832 divides it into equally-sized component sections - called "slices"-.
833 Each slice represents the space available to an Active Directory
834 domain.
835
836 When a user or group entry for a particular domain is encountered for
837 the first time, the SSSD allocates one of the available slices for that
838 domain. In order to make this slice-assignment repeatable on different
839 client machines, we select the slice based on the following algorithm:
840
841 The SID string is passed through the murmurhash3 algorithm to convert
842 it to a 32-bit hashed value. We then take the modulus of this value
843 with the total number of available slices to pick the slice.
844
845 NOTE: It is possible to encounter collisions in the hash and subsequent
846 modulus. In these situations, we will select the next available slice,
847 but it may not be possible to reproduce the same exact set of slices on
848 other machines (since the order that they are encountered will
849 determine their slice). In this situation, it is recommended to either
850 switch to using explicit POSIX attributes in Active Directory
851 (disabling ID-mapping) or configure a default domain to guarantee that
852 at least one is always consistent. See “Configuration” for details.
853
854 Configuration
855 Minimum configuration (in the “[domain/DOMAINNAME]” section):
856
857 ldap_id_mapping = True
858 ldap_schema = ad
859
860 The default configuration results in configuring 10,000 slices, each
861 capable of holding up to 200,000 IDs, starting from 200,000 and going
862 up to 2,000,200,000. This should be sufficient for most deployments.
863
864 Advanced Configuration
865 ldap_idmap_range_min (integer)
866 Specifies the lower bound of the range of POSIX IDs to use for
867 mapping Active Directory user and group SIDs.
868
869 NOTE: This option is different from “min_id” in that “min_id”
870 acts to filter the output of requests to this domain, whereas
871 this option controls the range of ID assignment. This is a
872 subtle distinction, but the good general advice would be to
873 have “min_id” be less-than or equal to “ldap_idmap_range_min”
874
875 Default: 200000
876
877 ldap_idmap_range_max (integer)
878 Specifies the upper bound of the range of POSIX IDs to use for
879 mapping Active Directory user and group SIDs.
880
881 NOTE: This option is different from “max_id” in that “max_id”
882 acts to filter the output of requests to this domain, whereas
883 this option controls the range of ID assignment. This is a
884 subtle distinction, but the good general advice would be to
885 have “max_id” be greater-than or equal to
886 “ldap_idmap_range_max”
887
888 Default: 2000200000
889
890 ldap_idmap_range_size (integer)
891 Specifies the number of IDs available for each slice. If the
892 range size does not divide evenly into the min and max values,
893 it will create as many complete slices as it can.
894
895 NOTE: The value of this option must be at least as large as the
896 highest user RID planned for use on the Active Directory
897 server. User lookups and login will fail for any user whose RID
898 is greater than this value.
899
900 For example, if your most recently-added Active Directory user
901 has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
902 “ldap_idmap_range_size” must be at least 1108 as range size is
903 equal to maximal SID minus minimal SID plus one (e.g. 1108 =
904 1107 - 0 + 1).
905
906 It is important to plan ahead for future expansion, as changing
907 this value will result in changing all of the ID mappings on
908 the system, leading to users with different local IDs than they
909 previously had.
910
911 Default: 200000
912
913 ldap_idmap_default_domain_sid (string)
914 Specify the domain SID of the default domain. This will
915 guarantee that this domain will always be assigned to slice
916 zero in the ID map, bypassing the murmurhash algorithm
917 described above.
918
919 Default: not set
920
921 ldap_idmap_default_domain (string)
922 Specify the name of the default domain.
923
924 Default: not set
925
926 ldap_idmap_autorid_compat (boolean)
927 Changes the behavior of the ID-mapping algorithm to behave more
928 similarly to winbind's “idmap_autorid” algorithm.
929
930 When this option is configured, domains will be allocated
931 starting with slice zero and increasing monatomically with each
932 additional domain.
933
934 NOTE: This algorithm is non-deterministic (it depends on the
935 order that users and groups are requested). If this mode is
936 required for compatibility with machines running winbind, it is
937 recommended to also use the “ldap_idmap_default_domain_sid”
938 option to guarantee that at least one domain is consistently
939 allocated to slice zero.
940
941 Default: False
942
943 ldap_idmap_helper_table_size (integer)
944 Maximal number of secondary slices that is tried when
945 performing mapping from UNIX id to SID.
946
947 Note: Additional secondary slices might be generated when SID
948 is being mapped to UNIX id and RID part of SID is out of range
949 for secondary slices generated so far. If value of
950 ldap_idmap_helper_table_size is equal to 0 then no additional
951 secondary slices are generated.
952
953 Default: 10
954
955 Well-Known SIDs
956 SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a
957 special hardcoded meaning. Since the generic users and groups related
958 to those Well-Known SIDs have no equivalent in a Linux/UNIX environment
959 no POSIX IDs are available for those objects.
960
961 The SID name space is organized in authorities which can be seen as
962 different domains. The authorities for the Well-Known SIDs are
963
964 · Null Authority
965
966 · World Authority
967
968 · Local Authority
969
970 · Creator Authority
971
972 · NT Authority
973
974 · Built-in
975
976 The capitalized version of these names are used as domain names when
977 returning the fully qualified name of a Well-Known SID.
978
979 Since some utilities allow to modify SID based access control
980 information with the help of a name instead of using the SID directly
981 SSSD supports to look up the SID by the name as well. To avoid
982 collisions only the fully qualified names can be used to look up
983 Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
984 AUTHORITY”, “ LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
985 “BUILTIN” should not be used as domain names in sssd.conf.
986
988 The following example assumes that SSSD is correctly configured and
989 example.com is one of the domains in the [sssd] section. This example
990 shows only the AD provider-specific options.
991
992 [domain/EXAMPLE]
993 id_provider = ad
994 auth_provider = ad
995 access_provider = ad
996 chpass_provider = ad
997
998 ad_server = dc1.example.com
999 ad_hostname = client.example.com
1000 ad_domain = example.com
1001
1002
1004 The AD access control provider checks if the account is expired. It has
1005 the same effect as the following configuration of the LDAP provider:
1006
1007 access_provider = ldap
1008 ldap_access_order = expire
1009 ldap_account_expire_policy = ad
1010
1011 However, unless the “ad” access control provider is explicitly
1012 configured, the default access provider is “permit”. Please note that
1013 if you configure an access provider other than “ad”, you need to set
1014 all the connection parameters (such as LDAP URIs and encryption
1015 details) manually.
1016
1017 When the autofs provider is set to “ad”, the RFC2307 schema attribute
1018 mapping (nisMap, nisObject, ...) is used, because these attributes are
1019 included in the default Active Directory schema.
1020
1022 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1023 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
1024 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
1025 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1026 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
1027 sssd-systemtap(5)
1028
1030 The SSSD upstream - https://pagure.io/SSSD/sssd/
1031
1033 1. [MS-ADTS] section LDAP extensions
1034 https://msdn.microsoft.com/en-us/library/cc223367.aspx
1035
1036
1037
1038SSSD 10/22/2019 SSSD-AD(5)