SSSD-AD(5)                 File Formats and Conventions                SSSD-AD(5)

NAME
    sssd-ad - SSSD Active Directory provider

DESCRIPTION
    This manual page describes the configuration of the AD provider for
    sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
    section of the sssd.conf(5) manual page.

    The AD provider is a back end used to connect to an Active Directory
    server. This provider requires that the machine be joined to the AD
    domain and that a keytab for the host is available.

    The AD provider supports connecting to Active Directory 2008 R2 or
    later. Earlier versions may work, but are unsupported.

    The AD provider can be used to get user information and authenticate
    users from trusted domains. Currently only trusted domains in the same
    forest are recognized. In addition, servers from trusted domains are
    always auto-discovered.

    The AD provider accepts the same options used by the sssd-ldap(5)
    identity provider and the sssd-krb5(5) authentication provider, with
    some exceptions described below. However, it is neither necessary nor
    recommended to set these options.

    The AD provider can also be used as an access, chpass, sudo and autofs
    provider. No configuration of the access provider is required on the
    client side.

    By default, the AD provider will map UID and GID values from the
    objectSID attribute in Active Directory. For details on this, see the
    “ID MAPPING” section below. If you want to disable ID mapping and
    instead rely on POSIX attributes defined in Active Directory, you
    should set

        ldap_id_mapping = False

    In order to retrieve users and groups using POSIX attributes from
    trusted domains, the AD administrator must make sure that the POSIX
    attributes are replicated to the Global Catalog.

    Users, groups and other entities served by SSSD are always treated as
    case-insensitive in the AD provider for compatibility with Active
    Directory's LDAP implementation.

CONFIGURATION OPTIONS
    Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
    for details on the configuration of an SSSD domain.

    ad_domain (string)
        Specifies the name of the Active Directory domain. This is
        optional. If not provided, the configuration domain name is used.

        For proper operation, this option should be specified as the
        lower-case version of the long (fully qualified) name of the
        Active Directory domain.

        The short domain name (also known as the NetBIOS or the flat name)
        is autodetected by SSSD.

    ad_enabled_domains (string)
        A comma-separated list of enabled Active Directory domains. If
        provided, SSSD will ignore any domains not listed in this option.
        If left unset, all domains from the AD forest will be available.

        For proper operation, this option must be specified in all
        lower-case and as the fully qualified domain name of the Active
        Directory domain. For example:

            ad_enabled_domains = sales.example.com, eng.example.com

        The short domain name (also known as the NetBIOS or the flat name)
        will be autodetected by SSSD.

        Default: Not set

    ad_server, ad_backup_server (string)
        The comma-separated list of hostnames of the AD servers to which
        SSSD should connect, in order of preference. For more information
        on failover and server redundancy, see the “FAILOVER” section.

        This is optional if autodiscovery is enabled. For more information
        on service discovery, refer to the “SERVICE DISCOVERY” section.

        Note: Trusted domains will always auto-discover servers even if the
        primary server is explicitly defined in the ad_server option.

    ad_hostname (string)
        Optional. May be set on machines where the hostname(5) does not
        reflect the fully qualified name used in the Active Directory
        domain to identify this host.

        This field is used to determine the host principal in use in the
        keytab. It must match the hostname for which the keytab was issued
        (klist -k lists the principals present in the default keytab).

    ad_enable_dns_sites (boolean)
        Enables DNS sites - location based service discovery.

        If true and service discovery (see the “SERVICE DISCOVERY” section
        below) is enabled, SSSD will first attempt to discover the Active
        Directory server to connect to using Active Directory Site
        Discovery and fall back to the DNS SRV records if no AD site is
        found. The DNS SRV configuration, including the discovery domain,
        is used during site discovery as well.

        Default: true

    ad_access_filter (string)
        This option specifies an LDAP access control filter that the user
        must match in order to be allowed access. Please note that the
        “access_provider” option must be explicitly set to “ad” in order
        for this option to have an effect.

        The option also supports specifying different filters per domain
        or forest. This extended filter consists of “KEYWORD:NAME:FILTER”.
        The keyword can be either “DOM”, “FOREST” or missing.

        If the keyword equals “DOM” or is missing, then “NAME” specifies
        the domain or subdomain the filter applies to. If the keyword
        equals “FOREST”, then the filter applies to all domains from the
        forest specified by “NAME”.

        Multiple filters can be separated with the “?” character,
        similarly to how search bases work.

        The most specific match is always used. For example, if the option
        specifies a filter for the domain the user is a member of and a
        global filter, the per-domain filter is applied. If there are
        several matches with the same specificity, the first one is used.

        Examples:

            # apply filter on domain called dom1 only:
            dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)

            # apply filter on domain called dom2 only:
            DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)

            # apply filter on forest called EXAMPLE.COM only:
            FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

        Default: Not set
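        The following parser for the extended filter syntax is an added
        example, not code from SSSD or from this manual page. The
        “?”-separated “KEYWORD:NAME:FILTER” form and the precedence rule
        (most specific match wins, first one on ties) are taken from the
        text above; recognising a bare global filter by its leading “(”
        and comparing domain and forest names case-insensitively are this
        example's own assumptions. Its value to a practitioner is that it
        shows which filter a given user's domain would actually receive
        before the setting is rolled out, including the case of a global
        filter that itself contains colons (an extensible-match filter).

```python
"""Parse an ad_access_filter value and pick the filter SSSD would apply.

Added example, not SSSD code. Scope precedence: DOM > FOREST > GLOBAL;
among entries of equal rank the first one in configuration order wins.
"""

RANK = {"DOM": 2, "FOREST": 1, "GLOBAL": 0}


def parse_access_filter(value: str):
    """Return a list of (scope, name, ldap_filter) tuples in config order."""
    entries = []
    for part in value.split("?"):
        part = part.strip()
        if not part:
            continue
        if part.startswith("("):                        # bare LDAP filter: global
            entries.append(("GLOBAL", None, part))      # (assumption: '(' marks it)
        elif part.startswith(("DOM:", "FOREST:")):      # explicit keyword
            keyword, name, ldap_filter = part.split(":", 2)
            entries.append((keyword, name.lower(), ldap_filter))
        else:                                           # NAME:FILTER, keyword omitted
            name, ldap_filter = part.split(":", 1)
            entries.append(("DOM", name.lower(), ldap_filter))
        if not entries[-1][2].startswith("("):
            raise ValueError(f"{part!r}: the filter part must be an LDAP filter")
    return entries


def select_filter(entries, user_domain: str, forest: str):
    """Most specific applicable entry wins; on equal rank the first one is used."""
    best = None
    for entry in entries:
        scope, name, _ = entry
        if scope == "DOM" and name != user_domain.lower():
            continue
        if scope == "FOREST" and name != forest.lower():
            continue
        if best is None or RANK[scope] > RANK[best[0]]:
            best = entry
    return None if best is None else best[2]


if __name__ == "__main__":
    # Constructed configuration value: the three examples from the manual page
    # plus a global filter that excludes disabled accounts (bit 2 of
    # userAccountControl, matched with the LDAP_MATCHING_RULE_BIT_AND rule).
    value = ("dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)?"
             "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)?"
             "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)?"
             "(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    entries = parse_access_filter(value)
    for dom, forest in (("dom1", "example.com"), ("eng.example.com", "example.com"),
                        ("corp.local", "corp.local")):
        print(f"{dom:18} -> {select_filter(entries, dom, forest)}")
```

        A user in dom1 gets the dom1 filter, a user in a third domain of the
        EXAMPLE.COM forest gets the FOREST filter, and a user from an
        unrelated forest falls through to the global filter. Note that with
        no matching entry at all the function returns None, which is the
        situation in which SSSD applies no filter and only the
        account-expiration check described under “NOTES” remains.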

    ad_site (string)
        Specify the AD site to which the client should try to connect. If
        this option is not provided, the AD site will be auto-discovered.

        Default: Not set

    ad_enable_gc (boolean)
        By default, SSSD connects to the Global Catalog first to retrieve
        users from trusted domains and uses the LDAP port to retrieve
        group memberships or as a fallback. Disabling this option makes
        SSSD connect only to the LDAP port of the current AD server.

        Please note that disabling Global Catalog support does not disable
        retrieving users from trusted domains. SSSD would connect to the
        LDAP port of trusted domains instead. However, the Global Catalog
        must be used in order to resolve cross-domain group memberships.

        Default: true

    ad_gpo_access_control (string)
        This option specifies the operation mode for GPO-based access
        control functionality: whether it operates in disabled mode,
        enforcing mode, or permissive mode. Please note that the
        “access_provider” option must be explicitly set to “ad” in order
        for this option to have an effect.

        GPO-based access control functionality uses GPO policy settings to
        determine whether or not a particular user is allowed to log on to
        a particular host.

        NOTE: If the operation mode is set to enforcing, it is possible
        that users that were previously allowed logon access will now be
        denied logon access (as dictated by the GPO policy settings). In
        order to facilitate a smooth transition for administrators, a
        permissive mode is available that will not enforce the access
        control rules, but will evaluate them and will output a syslog
        message if access would have been denied. By examining the logs,
        administrators can then make the necessary changes before setting
        the mode to enforcing.

        There are three supported values for this option:

        · disabled: GPO-based access control rules are neither evaluated
          nor enforced.

        · enforcing: GPO-based access control rules are evaluated and
          enforced.

        · permissive: GPO-based access control rules are evaluated, but
          not enforced. Instead, a syslog message will be emitted
          indicating that the user would have been denied access if this
          option's value were set to enforcing.

        Default: permissive

    ad_gpo_cache_timeout (integer)
        The amount of time between lookups of GPO policy files against the
        AD server. This will reduce the latency and load on the AD server
        if there are many access-control requests made in a short period.

        Default: 5 (seconds)

    ad_gpo_map_interactive (string)
        A comma-separated list of PAM service names for which GPO-based
        access control is evaluated based on the InteractiveLogonRight and
        DenyInteractiveLogonRight policy settings.

        Note: In the Group Policy Management Editor these settings are
        called "Allow log on locally" and "Deny log on locally".

        It is possible to add another PAM service name to the default set
        by using “+service_name” or to explicitly remove a PAM service
        name from the default set by using “-service_name”. For example,
        in order to replace a default PAM service name for this logon
        right (e.g. “login”) with a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_interactive = +my_pam_service, -login

        Default: the default set of PAM service names includes:

        · login

        · su

        · su-l

        · gdm-fingerprint

        · gdm-password

        · gdm-smartcard

        · kdm

    ad_gpo_map_remote_interactive (string)
        A comma-separated list of PAM service names for which GPO-based
        access control is evaluated based on the
        RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
        policy settings.

        Note: In the Group Policy Management Editor these settings are
        called "Allow log on through Remote Desktop Services" and "Deny
        log on through Remote Desktop Services".

        It is possible to add another PAM service name to the default set
        by using “+service_name” or to explicitly remove a PAM service
        name from the default set by using “-service_name”. For example,
        in order to replace a default PAM service name for this logon
        right (e.g. “sshd”) with a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_remote_interactive = +my_pam_service, -sshd

        Default: the default set of PAM service names includes:

        · sshd

    ad_gpo_map_network (string)
        A comma-separated list of PAM service names for which GPO-based
        access control is evaluated based on the NetworkLogonRight and
        DenyNetworkLogonRight policy settings.

        Note: In the Group Policy Management Editor these settings are
        called "Access this computer from the network" and "Deny access
        to this computer from the network".

        It is possible to add another PAM service name to the default set
        by using “+service_name” or to explicitly remove a PAM service
        name from the default set by using “-service_name”. For example,
        in order to replace a default PAM service name for this logon
        right (e.g. “ftp”) with a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_network = +my_pam_service, -ftp

        Default: the default set of PAM service names includes:

        · ftp

        · samba

    ad_gpo_map_batch (string)
        A comma-separated list of PAM service names for which GPO-based
        access control is evaluated based on the BatchLogonRight and
        DenyBatchLogonRight policy settings.

        Note: In the Group Policy Management Editor these settings are
        called "Allow log on as a batch job" and "Deny log on as a batch
        job".

        It is possible to add another PAM service name to the default set
        by using “+service_name” or to explicitly remove a PAM service
        name from the default set by using “-service_name”. For example,
        in order to replace a default PAM service name for this logon
        right (e.g. “crond”) with a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_batch = +my_pam_service, -crond

        Default: the default set of PAM service names includes:

        · crond

    ad_gpo_map_service (string)
        A comma-separated list of PAM service names for which GPO-based
        access control is evaluated based on the ServiceLogonRight and
        DenyServiceLogonRight policy settings.

        Note: In the Group Policy Management Editor these settings are
        called "Allow log on as a service" and "Deny log on as a service".

        It is possible to add a PAM service name to the default set by
        using “+service_name”. Since the default set is empty, it is not
        possible to remove a PAM service name from the default set. For
        example, in order to add a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_service = +my_pam_service

        Default: not set

    ad_gpo_map_permit (string)
        A comma-separated list of PAM service names for which GPO-based
        access is always granted, regardless of any GPO Logon Rights.

        It is possible to add another PAM service name to the default set
        by using “+service_name” or to explicitly remove a PAM service
        name from the default set by using “-service_name”. For example,
        in order to replace a default PAM service name for
        unconditionally permitted access (e.g. “sudo”) with a custom PAM
        service name (e.g. “my_pam_service”), you would use the following
        configuration:

            ad_gpo_map_permit = +my_pam_service, -sudo

        Default: the default set of PAM service names includes:

        · sudo

        · sudo-i

        · systemd-user

    ad_gpo_map_deny (string)
        A comma-separated list of PAM service names for which GPO-based
        access is always denied, regardless of any GPO Logon Rights.

        It is possible to add a PAM service name to the default set by
        using “+service_name”. Since the default set is empty, it is not
        possible to remove a PAM service name from the default set. For
        example, in order to add a custom PAM service name (e.g.
        “my_pam_service”), you would use the following configuration:

            ad_gpo_map_deny = +my_pam_service

        Default: not set

    ad_gpo_default_right (string)
        This option defines how access control is evaluated for PAM
        service names that are not explicitly listed in one of the
        ad_gpo_map_* options. This option can be set in two different
        manners. First, this option can be set to use a default logon
        right. For example, if this option is set to 'interactive', it
        means that unmapped PAM service names will be processed based on
        the InteractiveLogonRight and DenyInteractiveLogonRight policy
        settings. Alternatively, this option can be set to either always
        permit or always deny access for unmapped PAM service names.

        Supported values for this option include:

        · interactive

        · remote_interactive

        · network

        · batch

        · service

        · permit

        · deny

        Default: deny
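        The following is an added example, not code from SSSD or from this
        manual page. It computes the effective PAM-service-to-logon-right
        table from the default sets and the ad_gpo_map_* values listed
        above, and then answers the question an administrator must settle
        before switching ad_gpo_access_control to enforcing: which right
        (or which unconditional verdict) governs a given PAM service, and
        what happens to services nobody mapped. Treating a service that
        ends up under two rights as a configuration error, and ignoring a
        “-name” for a name that is not in the set, are this example's own
        choices; the service name “cockpit” in the demonstration is simply
        a constructed extra entry.

```python
"""Resolve which GPO logon right SSSD applies to a PAM service.

Added example, not SSSD code. Default service sets and the '+name'/'-name'
syntax are taken from the sssd-ad(5) ad_gpo_map_* option descriptions.
"""

DEFAULT_MAPS = {
    "interactive": ["login", "su", "su-l", "gdm-fingerprint",
                    "gdm-password", "gdm-smartcard", "kdm"],
    "remote_interactive": ["sshd"],
    "network": ["ftp", "samba"],
    "batch": ["crond"],
    "service": [],
    "permit": ["sudo", "sudo-i", "systemd-user"],
    "deny": [],
}
VALID_RIGHTS = set(DEFAULT_MAPS)   # also the valid values of ad_gpo_default_right


def parse_map_option(value: str):
    """'+my_pam_service, -login' -> (['my_pam_service'], ['login'])."""
    added, removed = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("+"):
            added.append(item[1:])
        elif item.startswith("-"):
            removed.append(item[1:])
        else:
            raise ValueError(f"{item!r}: entries must start with '+' or '-'")
    return added, removed


def build_service_table(config: dict) -> dict:
    """Return {pam_service: right} from the ad_gpo_map_* keys in `config`."""
    table = {}
    for right, defaults in DEFAULT_MAPS.items():
        services = list(defaults)
        value = config.get(f"ad_gpo_map_{right}")
        if value is not None:
            added, removed = parse_map_option(value)
            services = [s for s in services if s not in removed]   # '-name'
            services.extend(added)                                 # '+name'
        for service in services:
            if table.get(service, right) != right:   # example's choice: a
                raise ValueError(                    # double mapping is an error
                    f"PAM service {service!r} is mapped to both "
                    f"{table[service]!r} and {right!r}")
            table[service] = right
    return table


def right_for(service: str, table: dict, default_right: str = "deny") -> str:
    """Look up the right; unmapped services fall back to ad_gpo_default_right."""
    if default_right not in VALID_RIGHTS:
        raise ValueError(f"unknown ad_gpo_default_right {default_right!r}")
    return table.get(service, default_right)


if __name__ == "__main__":
    # Constructed configuration: replace the stock 'login' entry and map a
    # further service (cockpit, chosen for illustration) to the remote
    # interactive right.
    cfg = {"ad_gpo_map_interactive": "+my_pam_service, -login",
           "ad_gpo_map_remote_interactive": "+cockpit"}
    table = build_service_table(cfg)
    for svc in ("sshd", "cockpit", "my_pam_service", "login", "sudo", "vsftpd"):
        print(f"{svc:15} -> {right_for(svc, table)}")
```

        With that configuration sshd and cockpit are judged by the Remote
        Desktop logon right, sudo is always permitted, and both login
        (removed from the interactive set) and the never-mapped vsftpd
        fall to ad_gpo_default_right, which is deny: in enforcing mode
        those two services refuse every user until they are mapped or the
        default right is changed. Running this table against every PAM
        service a host actually uses (ls /etc/pam.d) is a cheap way to
        find such gaps while the mode is still permissive.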

    ad_maximum_machine_account_password_age (integer)
        SSSD will check once a day if the machine account password is
        older than the given age in days and try to renew it. A value of
        0 will disable the renewal attempt.

        Default: 30 days

    ad_machine_account_password_renewal_opts (string)
        This option should only be used to test the machine account
        renewal task. The option expects 2 integers separated by a colon
        (':'). The first integer defines the interval in seconds at which
        the task is run. The second specifies the initial timeout in
        seconds before the task is run for the first time after startup.

        Default: 86400:750 (24 hours and 12.5 minutes)

    dyndns_update (boolean)
        Optional. This option tells SSSD to automatically update the
        Active Directory DNS server with the IP address of this client.
        The update is secured using GSS-TSIG. As a consequence, the Active
        Directory administrator only needs to allow secure updates for the
        DNS zone. The IP address of the AD LDAP connection is used for the
        updates, if it is not otherwise specified by using the
        “dyndns_iface” option.

        NOTE: On older systems (such as RHEL 5), for this behavior to work
        reliably, the default Kerberos realm must be set properly in
        /etc/krb5.conf

        Default: true

    dyndns_ttl (integer)
        The TTL to apply to the client DNS record when updating it. If
        dyndns_update is false this has no effect. This will override the
        TTL server-side if set by an administrator.

        Default: 3600 (seconds)

    dyndns_iface (string)
        Optional. Applicable only when dyndns_update is true. Choose the
        interface or a list of interfaces whose IP addresses should be
        used for dynamic DNS updates. The special value “*” implies that
        IPs from all interfaces should be used.

        Default: Use the IP addresses of the interface which is used for
        the AD LDAP connection

        Example: dyndns_iface = em1, vnet1, vnet2

    dyndns_refresh_interval (integer)
        How often the back end should perform a periodic DNS update in
        addition to the automatic update performed when the back end goes
        online. This option is optional and applicable only when
        dyndns_update is true.

        Default: 86400 (24 hours)

    dyndns_update_ptr (bool)
        Whether the PTR record should also be explicitly updated when
        updating the client's DNS records. Applicable only when
        dyndns_update is true.

        Default: True

    dyndns_force_tcp (bool)
        Whether the nsupdate utility should default to using TCP for
        communicating with the DNS server.

        Default: False (let nsupdate choose the protocol)

    dyndns_server (string)
        The DNS server to use when performing a DNS update. In most
        setups, it's recommended to leave this option unset.

        Setting this option makes sense for environments where the DNS
        server is different from the identity server.

        Please note that this option will only be used in a fallback
        attempt when the previous attempt using autodetected settings
        failed.

        Default: None (let nsupdate choose the server)

    override_homedir (string)
        Override the user's home directory. You can either provide an
        absolute value or a template. In the template, the following
        sequences are substituted:

        %u
            login name

        %U
            UID number

        %d
            domain name

        %f
            fully qualified user name (user@domain)

        %P
            UPN - User Principal Name (name@REALM)

        %o
            The original home directory retrieved from the identity
            provider.

        %H
            The value of the homedir_substring configuration option.

        %%
            a literal '%'

        This option can also be set per-domain.

        example:

            override_homedir = /home/%u

        Default: Not set (SSSD will use the value retrieved from LDAP)

    homedir_substring (string)
        The value of this option will be used in the expansion of the
        override_homedir option if the template contains the format
        string %H. An LDAP directory entry can directly contain this
        template so that this option can be used to expand the home
        directory path for each client machine (or operating system). It
        can be set per-domain or globally in the [nss] section. A value
        specified in a domain section will override one set in the [nss]
        section.

        Default: /home

    krb5_use_enterprise_principal (boolean)
        Specifies if the user principal should be treated as an
        enterprise principal. See section 5 of RFC 6806 for more details
        about enterprise principals.

        Default: true

        Note that this default differs from the traditional Kerberos
        provider back end.

    krb5_confd_path (string)
        Absolute path of a directory where SSSD should place Kerberos
        configuration snippets.

        To disable the creation of the configuration snippets set the
        parameter to 'none'.

        Default: not set (krb5.include.d subdirectory of SSSD's pubconf
        directory)

FAILOVER
    The failover feature allows back ends to automatically switch to a
    different server if the current server fails.

    Failover Syntax
        The list of servers is given as a comma-separated list; any number
        of spaces is allowed around the comma. The servers are listed in
        order of preference. The list can contain any number of servers.

        For each failover-enabled config option, two variants exist:
        primary and backup. The idea is that servers in the primary list
        are preferred and backup servers are only searched if no primary
        servers can be reached. If a backup server is selected, a timeout
        of 31 seconds is set. After this timeout SSSD will periodically
        try to reconnect to one of the primary servers. If it succeeds, it
        will replace the current active (backup) server.

    The Failover Mechanism
        The failover mechanism distinguishes between a machine and a
        service. The back end first tries to resolve the hostname of a
        given machine; if this resolution attempt fails, the machine is
        considered offline. No further attempts are made to connect to
        this machine for any other service. If the resolution attempt
        succeeds, the back end tries to connect to a service on this
        machine. If the service connection attempt fails, then only this
        particular service is considered offline and the back end
        automatically switches over to the next service. The machine is
        still considered online and might still be tried for another
        service.

        Further connection attempts are made to machines or services
        marked as offline after a specified period of time; this is
        currently hard coded to 30 seconds.

        If there are no more machines to try, the back end as a whole
        switches to offline mode, and then attempts to reconnect every 30
        seconds.

SERVICE DISCOVERY
    The service discovery feature allows back ends to automatically find
    the appropriate servers to connect to using a special DNS query. This
    feature is not supported for backup servers.

    Configuration
        If no servers are specified, the back end automatically uses
        service discovery to try to find a server. Optionally, the user
        may choose to use both fixed server addresses and service
        discovery by inserting a special keyword, “_srv_”, in the list of
        servers. The order of preference is maintained. This feature is
        useful if, for example, the user prefers to use service discovery
        whenever possible, and fall back to a specific server when no
        servers can be discovered using DNS.
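        As an added illustration of the list syntax described in the
        “FAILOVER” and “SERVICE DISCOVERY” sections (this fragment is not
        part of the original page, and the host and domain names are
        placeholders), a domain section that prefers SRV discovery, falls
        back to a fixed primary, and keeps a backup server for the case
        where no primary can be reached:

```ini
[domain/example.com]
id_provider = ad
# _srv_ expands to the domain controllers found through DNS SRV records
# (or AD site discovery when ad_enable_dns_sites is true); the fixed host
# listed after it is tried only when discovery yields nothing or every
# discovered server fails.
ad_server = _srv_, dc1.example.com
# Backup servers are never discovered via SRV. They are used only when all
# primary servers are unreachable, and SSSD keeps trying to return to a
# primary (31-second timeout, see FAILOVER).
ad_backup_server = dc2.example.com
```

        Note that this only governs the domain configured here; servers for
        trusted domains are always auto-discovered regardless of ad_server.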

    The domain name
        Please refer to the “dns_discovery_domain” parameter in the
        sssd.conf(5) manual page for more details.

    The protocol
        The queries usually specify _tcp as the protocol. Exceptions are
        documented in the respective option description.

    See Also
        For more information on the service discovery mechanism, refer to
        RFC 2782.

ID MAPPING
    The ID-mapping feature allows SSSD to act as a client of Active
    Directory without requiring administrators to extend user attributes
    to support POSIX attributes for user and group identifiers.

    NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
    attributes are ignored. This is to avoid the possibility of conflicts
    between automatically-assigned and manually-assigned values. If you
    need to use manually-assigned values, ALL values must be
    manually-assigned.

    Please note that changing the ID mapping related configuration options
    will cause user and group IDs to change. At the moment, SSSD does not
    support changing IDs, so the SSSD database must be removed. Because
    cached passwords are also stored in the database, removing the
    database should only be performed while the authentication servers
    are reachable, otherwise users might get locked out. In order to
    cache the password, an authentication must be performed. It is not
    sufficient to use sss_cache(8) to remove the database; rather, the
    process consists of:

    · Making sure the remote servers are reachable

    · Stopping the SSSD service

    · Removing the database

    · Starting the SSSD service

    Moreover, as the change of IDs might necessitate the adjustment of
    other system properties such as file and directory ownership, it's
    advisable to plan ahead and test the ID mapping configuration
    thoroughly.

    Mapping Algorithm
        Active Directory provides an objectSID for every user and group
        object in the directory. This objectSID can be broken up into
        components that represent the Active Directory domain identity
        and the relative identifier (RID) of the user or group object.

        The SSSD ID-mapping algorithm takes a range of available UIDs and
        divides it into equally-sized component sections, called
        "slices". Each slice represents the space available to an Active
        Directory domain.

        When a user or group entry for a particular domain is encountered
        for the first time, SSSD allocates one of the available slices for
        that domain. In order to make this slice assignment repeatable on
        different client machines, the slice is selected based on the
        following algorithm:

        The domain's SID string is passed through the murmurhash3
        algorithm to convert it to a 32-bit hashed value. The modulus of
        this value with the total number of available slices then picks
        the slice. The POSIX ID of an object is the first ID of its
        domain's slice plus the object's RID.

        NOTE: It is possible to encounter collisions in the hash and
        subsequent modulus. In these situations, the next available slice
        is selected, but it may not be possible to reproduce the same
        exact set of slices on other machines (since the order in which
        the domains are encountered will determine their slice). In this
        situation, it is recommended to either switch to using explicit
        POSIX attributes in Active Directory (disabling ID-mapping) or
        configure a default domain to guarantee that at least one is
        always consistent. See “Configuration” for details.

    Configuration
        Minimum configuration (in the “[domain/DOMAINNAME]” section):

            ldap_id_mapping = True
            ldap_schema = ad

        The default configuration results in configuring 10,000 slices,
        each capable of holding up to 200,000 IDs, starting from 200,000
        and going up to 2,000,200,000 (the defaults of the range options
        below: (2,000,200,000 - 200,000) / 200,000 = 10,000 slices). This
        should be sufficient for most deployments.

    Advanced Configuration
        ldap_idmap_range_min (integer)
            Specifies the lower bound of the range of POSIX IDs to use
            for mapping Active Directory user and group SIDs.

            NOTE: This option is different from “min_id” in that “min_id”
            acts to filter the output of requests to this domain, whereas
            this option controls the range of ID assignment. This is a
            subtle distinction, but the good general advice would be to
            have “min_id” be less than or equal to
            “ldap_idmap_range_min”.

            Default: 200000

        ldap_idmap_range_max (integer)
            Specifies the upper bound of the range of POSIX IDs to use
            for mapping Active Directory user and group SIDs.

            NOTE: This option is different from “max_id” in that “max_id”
            acts to filter the output of requests to this domain, whereas
            this option controls the range of ID assignment. This is a
            subtle distinction, but the good general advice would be to
            have “max_id” be greater than or equal to
            “ldap_idmap_range_max”.

            Default: 2000200000

        ldap_idmap_range_size (integer)
            Specifies the number of IDs available for each slice. If the
            range size does not divide evenly into the min and max
            values, it will create as many complete slices as it can.

            NOTE: The value of this option must be at least as large as
            the highest user RID planned for use on the Active Directory
            server. User lookups and login will fail for any user whose
            RID is greater than this value.

            For example, if your most recently-added Active Directory
            user has
            objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
            “ldap_idmap_range_size” must be at least 1108, as the
            required range size is equal to the maximal RID minus the
            minimal RID plus one (e.g. 1108 = 1107 - 0 + 1).

            It is important to plan ahead for future expansion, as
            changing this value will result in changing all of the ID
            mappings on the system, leading to users with different local
            IDs than they previously had.

            Default: 200000

        ldap_idmap_default_domain_sid (string)
            Specify the domain SID of the default domain. This will
            guarantee that this domain will always be assigned to slice
            zero in the ID map, bypassing the murmurhash algorithm
            described above.

            Default: not set

        ldap_idmap_default_domain (string)
            Specify the name of the default domain.

            Default: not set

        ldap_idmap_autorid_compat (boolean)
            Changes the behavior of the ID-mapping algorithm to behave
            more similarly to winbind's “idmap_autorid” algorithm.

            When this option is configured, domains will be allocated
            starting with slice zero and increasing monotonically with
            each additional domain.

            NOTE: This algorithm is non-deterministic (it depends on the
            order in which users and groups are requested). If this mode
            is required for compatibility with machines running winbind,
            it is recommended to also use the
            “ldap_idmap_default_domain_sid” option to guarantee that at
            least one domain is consistently allocated to slice zero.

            Default: False

        ldap_idmap_helper_table_size (integer)
            Maximal number of secondary slices that is tried when
            performing mapping from UNIX ID to SID.

            Note: Additional secondary slices might be generated when a
            SID is being mapped to a UNIX ID and the RID part of the SID
            is out of range for the secondary slices generated so far. If
            the value of ldap_idmap_helper_table_size is equal to 0 then
            no additional secondary slices are generated.

            Default: 10
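        The following is an added example, not code from SSSD or from this
        manual page. It reproduces the slice-based mapping described under
        “Mapping Algorithm”, “Configuration” and “Advanced Configuration”:
        the domain SID is hashed with MurmurHash3, reduced modulo the
        number of slices, and the object's RID is added to the slice's
        first ID; ldap_idmap_default_domain_sid pins a domain to slice
        zero and a hash collision moves a domain to the next free slice.
        The range defaults are the ones listed above. The hash seed
        (0xdeadbeef), the use of the x86 32-bit MurmurHash3 variant, the
        hashing of the domain SID rather than the object SID, and the
        wrap-around when probing for a free slice are assumptions drawn
        from the author's reading of the sss_idmap library, not statements
        of this page; confirm the result against `id user@domain` on a
        joined client before relying on it. Secondary slices
        (ldap_idmap_helper_table_size) are not modelled: a RID that does
        not fit into ldap_idmap_range_size raises, matching the failure
        the range_size note above warns about.

```python
"""Reproduce SSSD's SID -> POSIX ID slice mapping for a client.

Added example, not SSSD code. See the lead-in for which details are assumptions.
"""

RANGE_MIN = 200000          # ldap_idmap_range_min default
RANGE_MAX = 2000200000      # ldap_idmap_range_max default
RANGE_SIZE = 200000         # ldap_idmap_range_size default
IDMAP_SEED = 0xDEADBEEF     # assumption: seed used by libsss_idmap
MASK32 = 0xFFFFFFFF


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3, x86 32-bit variant (Austin Appleby's public-domain design)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # body: 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK32
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # tail: up to 3 leftover bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)                               # finalization mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


def split_sid(sid: str):
    """'S-1-5-21-A-B-C-1107' -> ('S-1-5-21-A-B-C', 1107)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


class IdMapper:
    def __init__(self, range_min=RANGE_MIN, range_max=RANGE_MAX,
                 range_size=RANGE_SIZE, default_domain_sid=None):
        self.range_min, self.range_size = range_min, range_size
        self.num_slices = (range_max - range_min) // range_size   # 10,000 by default
        self.slice_of = {}      # domain SID -> slice index
        self.domain_in = {}     # slice index -> domain SID
        if default_domain_sid:  # ldap_idmap_default_domain_sid pins slice zero
            self._assign(default_domain_sid, 0)

    def _assign(self, domain_sid, idx):
        self.slice_of[domain_sid] = idx
        self.domain_in[idx] = domain_sid

    def slice_for(self, domain_sid):
        if domain_sid in self.slice_of:
            return self.slice_of[domain_sid]
        idx = murmurhash3_x86_32(domain_sid.encode(), IDMAP_SEED) % self.num_slices
        start = idx
        while idx in self.domain_in:              # collision: next free slice, so
            idx = (idx + 1) % self.num_slices     # the result depends on order seen
            if idx == start:                      # (wrap-around is an assumption)
                raise RuntimeError("no free ID slices left")
        self._assign(domain_sid, idx)
        return idx

    def sid_to_id(self, sid: str) -> int:
        domain_sid, rid = split_sid(sid)
        if rid >= self.range_size:
            raise ValueError(f"RID {rid} does not fit into "
                             f"ldap_idmap_range_size={self.range_size}")
        return self.range_min + self.slice_for(domain_sid) * self.range_size + rid

    def id_to_sid(self, posix_id: int):
        offset = posix_id - self.range_min
        idx, rid = divmod(offset, self.range_size)
        domain_sid = self.domain_in.get(idx)
        return None if offset < 0 or domain_sid is None else f"{domain_sid}-{rid}"


if __name__ == "__main__":
    # Constructed input: the domain SID used in the range_size example above.
    sid = "S-1-5-21-2153326666-2176343378-3404031434-1107"
    print("hashed slice :", IdMapper().sid_to_id(sid))
    print("pinned slice :", IdMapper(default_domain_sid=sid.rsplit("-", 1)[0]).sid_to_id(sid))
```

        Two consequences are visible immediately: with the default domain
        pinned, RID 1107 maps to 201107 on every client, whereas the
        hashed assignment is only stable as long as no other domain has
        claimed the same slice first; and any change to the range options
        moves every ID, which is why the section above says the database
        must be removed after such a change.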

    Well-Known SIDs
        SSSD supports looking up the names of Well-Known SIDs, i.e. SIDs
        with a special hardcoded meaning. Since the generic users and
        groups related to those Well-Known SIDs have no equivalent in a
        Linux/UNIX environment, no POSIX IDs are available for those
        objects.

        The SID name space is organized in authorities, which can be seen
        as different domains. The authorities for the Well-Known SIDs are

        · Null Authority

        · World Authority

        · Local Authority

        · Creator Authority

        · NT Authority

        · Built-in

        The capitalized versions of these names are used as domain names
        when returning the fully qualified name of a Well-Known SID.

        Since some utilities allow modifying SID based access control
        information with the help of a name instead of using the SID
        directly, SSSD supports looking up the SID by the name as well. To
        avoid collisions only the fully qualified names can be used to
        look up Well-Known SIDs. As a result the domain names “NULL
        AUTHORITY”, “WORLD AUTHORITY”, “LOCAL AUTHORITY”, “CREATOR
        AUTHORITY”, “NT AUTHORITY” and “BUILTIN” should not be used as
        domain names in sssd.conf.

EXAMPLE
    The following example assumes that SSSD is correctly configured and
    EXAMPLE is one of the domains in the [sssd] section. This example
    shows only the AD provider-specific options.

        [domain/EXAMPLE]
        id_provider = ad
        auth_provider = ad
        access_provider = ad
        chpass_provider = ad

        ad_server = dc1.example.com
        ad_hostname = client.example.com
        ad_domain = example.com

NOTES
    The AD access control provider checks if the account is expired. It
    has the same effect as the following configuration of the LDAP
    provider:

        access_provider = ldap
        ldap_access_order = expire
        ldap_account_expire_policy = ad

    When “ad_access_filter” or “ad_gpo_access_control” are configured, the
    “ad” access provider additionally evaluates them as described above.

    However, unless the “ad” access control provider is explicitly
    configured, the default access provider is “permit”. Please note that
    if you configure an access provider other than “ad”, you need to set
    all the connection parameters (such as LDAP URIs and encryption
    details) manually.

    When the autofs provider is set to “ad”, the RFC2307 schema attribute
    mapping (nisMap, nisObject, ...) is used, because these attributes are
    included in the default Active Directory schema.

SEE ALSO
    sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
    sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
    sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
    sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
    sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
    sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).

AUTHORS
    The SSSD upstream - http://fedorahosted.org/sssd

SSSD                              01/15/2019                       SSSD-AD(5)