SSSD-AD(5)               File Formats and Conventions               SSSD-AD(5)

NAME

       sssd-ad - SSSD Active Directory provider

DESCRIPTION

       This manual page describes the configuration of the AD provider for
       sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
       section of the sssd.conf(5) manual page.

       The AD provider is a back end used to connect to an Active Directory
       server. This provider requires that the machine be joined to the AD
       domain and that a keytab is available.

       The AD provider supports connecting to Active Directory 2008 R2 or
       later. Earlier versions may work, but are unsupported.

       The AD provider can be used to get user information and authenticate
       users from trusted domains. Currently only trusted domains in the same
       forest are recognized. In addition, servers from trusted domains are
       always auto-discovered.

       The AD provider accepts the same options used by the sssd-ldap(5)
       identity provider and the sssd-krb5(5) authentication provider, with
       some exceptions described below.

       However, it is neither necessary nor recommended to set these options.
       The AD provider can also be used as an access, chpass, sudo and autofs
       provider. No configuration of the access provider is required on the
       client side.

       By default, the AD provider will map UID and GID values from the
       objectSID parameter in Active Directory. For details on this, see the
       “ID MAPPING” section below. If you want to disable ID mapping and
       instead rely on POSIX attributes defined in Active Directory, you
       should set

           ldap_id_mapping = False

       In order to retrieve users and groups using POSIX attributes from
       trusted domains, the AD administrator must make sure that the POSIX
       attributes are replicated to the Global Catalog.

       Users, groups and other entities served by SSSD are always treated as
       case-insensitive in the AD provider for compatibility with Active
       Directory's LDAP implementation.

CONFIGURATION OPTIONS

       Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
       for details on the configuration of an SSSD domain.

       ad_domain (string)
           Specifies the name of the Active Directory domain. This is
           optional. If not provided, the configuration domain name is used.

           For proper operation, this option should be specified as the
           lower-case version of the long version of the Active Directory
           domain.

           The short domain name (also known as the NetBIOS or the flat name)
           is autodetected by the SSSD.

       ad_enabled_domains (string)
           A comma-separated list of enabled Active Directory domains. If
           provided, SSSD will ignore any domains not listed in this option.
           If left unset, all domains from the AD forest will be available.

           For proper operation, this option must be specified in all
           lower-case and as the fully qualified domain name of the Active
           Directory domain. For example:

               ad_enabled_domains = sales.example.com, eng.example.com

           The short domain name (also known as the NetBIOS or the flat name)
           will be autodetected by SSSD.

           Default: Not set

       ad_server, ad_backup_server (string)
           The comma-separated list of hostnames of the AD servers to which
           SSSD should connect in order of preference. For more information on
           failover and server redundancy, see the “FAILOVER” section.

           This is optional if autodiscovery is enabled. For more information
           on service discovery, refer to the “SERVICE DISCOVERY” section.

           Note: Trusted domains will always auto-discover servers even if the
           primary server is explicitly defined in the ad_server option.

       ad_hostname (string)
           Optional. May be set on machines where the hostname(5) does not
           reflect the fully qualified name used in the Active Directory
           domain to identify this host.

           This field is used to determine the host principal in use in the
           keytab. It must match the hostname for which the keytab was issued.

       ad_enable_dns_sites (boolean)
           Enables DNS sites - location based service discovery.

           If true and service discovery (see Service Discovery paragraph at
           the bottom of the man page) is enabled, the SSSD will first attempt
           to discover the Active Directory server to connect to using the
           Active Directory Site Discovery and fall back to the DNS SRV
           records if no AD site is found. The DNS SRV configuration,
           including the discovery domain, is used during site discovery as
           well.

           Default: true

       ad_access_filter (string)
           This option specifies an LDAP access control filter that the user
           must match in order to be allowed access. Please note that the
           “access_provider” option must be explicitly set to “ad” in order
           for this option to have an effect.

           The option also supports specifying different filters per domain or
           forest. This extended filter consists of “KEYWORD:NAME:FILTER”.
           The keyword can be either “DOM”, “FOREST” or missing.

           If the keyword is “DOM” or is missing, then “NAME” specifies the
           domain or subdomain the filter applies to. If the keyword is
           “FOREST”, then the filter applies to all domains from the forest
           specified by “NAME”.

           Multiple filters can be separated with the “?” character,
           similarly to how search bases work.

           The most specific match is always used. For example, if the option
           specifies a filter for the domain the user is a member of and also
           a global filter, the per-domain filter is applied. If there are
           more matches with the same specificity, the first one is used.

           Examples:

               # apply filter on domain called dom1 only:
               dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)

               # apply filter on domain called dom2 only:
               DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)

               # apply filter on forest called EXAMPLE.COM only:
               FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

           Default: Not set

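           The extended filter syntax and the most-specific-match rule above
           are easy to get wrong when several entries are combined. The
           following is an added example (not SSSD's own code) that parses an
           ad_access_filter value into its entries and selects the one that
           the rules above would apply for a user. The user's domain and
           forest names are assumed inputs, and the sample option value is
           constructed from the shapes of the examples above.

```python
"""Select the ad_access_filter entry that applies to a user.

Added example, not SSSD's own code. It models the documented syntax: entries
separated by '?', each a bare LDAP filter (applies everywhere), 'NAME:FILTER'
or 'DOM:NAME:FILTER' (one domain), or 'FOREST:NAME:FILTER' (every domain of
that forest). The most specific entry wins; among equally specific matches
the first one listed wins.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FilterEntry:
    scope: str            # "DOM", "FOREST" or "GLOBAL"
    name: Optional[str]   # domain or forest name (lower-cased), None when global
    ldap_filter: str


def parse_access_filter(value: str) -> List[FilterEntry]:
    """Split an ad_access_filter value into FilterEntry objects, in order."""
    entries: List[FilterEntry] = []
    for raw in value.split("?"):
        raw = raw.strip()
        if not raw:
            continue
        colon = raw.find(":")
        paren = raw.find("(")
        # No keyword/name prefix before the LDAP filter: a global filter.
        if colon == -1 or (paren != -1 and paren < colon):
            entries.append(FilterEntry("GLOBAL", None, raw))
            continue
        head, _, rest = raw.partition(":")
        keyword = head.upper()
        if keyword in ("DOM", "FOREST"):
            name, _, ldap_filter = rest.partition(":")
        else:
            # A missing keyword means DOM: "dom1:(memberOf=...)"
            keyword, name, ldap_filter = "DOM", head, rest
        if not ldap_filter:
            raise ValueError(f"entry {raw!r} has no LDAP filter")
        # Domain names are matched case-insensitively (see DESCRIPTION above).
        entries.append(FilterEntry(keyword, name.lower(), ldap_filter))
    return entries


def select_filter(entries: List[FilterEntry], user_domain: str,
                  user_forest: str) -> Optional[str]:
    """Return the LDAP filter that applies to a user of the given domain and
    forest, or None when no entry matches."""
    user_domain = user_domain.lower()
    user_forest = user_forest.lower()
    # Specificity order: per-domain, then per-forest, then global. Within a
    # tier the first listed match wins.
    tiers = (
        ("DOM", lambda e: e.name == user_domain),
        ("FOREST", lambda e: e.name == user_forest),
        ("GLOBAL", lambda e: True),
    )
    for scope, matches in tiers:
        for entry in entries:
            if entry.scope == scope and matches(entry):
                return entry.ldap_filter
    return None


# Constructed sample option value: a global filter, a dom1 filter and a
# forest-wide filter for EXAMPLE.COM.
SAMPLE_ACCESS_FILTER = (
    "(memberOf=cn=linux-users,ou=groups,dc=example,dc=com)"
    "?dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)"
    "?FOREST:EXAMPLE.COM:(memberOf=cn=staff,ou=groups,dc=example,dc=com)"
)

if __name__ == "__main__":
    parsed = parse_access_filter(SAMPLE_ACCESS_FILTER)
    for domain, forest in (("dom1", "example.com"),
                           ("eng.example.com", "example.com"),
                           ("other.net", "other.net")):
        print(domain, "->", select_filter(parsed, domain, forest))
```

           A user in dom1 gets the per-domain filter even though the forest
           and global entries also match; a user in another domain of the
           EXAMPLE.COM forest gets the forest entry; everyone else falls
           back to the global one.
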
       ad_site (string)
           Specify the AD site to which the client should try to connect. If
           this option is not provided, the AD site will be auto-discovered.

           Default: Not set

       ad_enable_gc (boolean)
           By default, the SSSD connects to the Global Catalog first to
           retrieve users from trusted domains and uses the LDAP port to
           retrieve group memberships or as a fallback. Disabling this option
           makes the SSSD only connect to the LDAP port of the current AD
           server.

           Please note that disabling Global Catalog support does not disable
           retrieving users from trusted domains. The SSSD would connect to
           the LDAP port of trusted domains instead. However, Global Catalog
           must be used in order to resolve cross-domain group memberships.

           Default: true

       ad_gpo_access_control (string)
           This option specifies the operation mode for GPO-based access
           control functionality: whether it operates in disabled mode,
           enforcing mode, or permissive mode. Please note that the
           “access_provider” option must be explicitly set to “ad” in order
           for this option to have an effect.

           GPO-based access control functionality uses GPO policy settings to
           determine whether or not a particular user is allowed to log on to
           a particular host.

           NOTE: If the operation mode is set to enforcing, it is possible
           that users that were previously allowed logon access will now be
           denied logon access (as dictated by the GPO policy settings). In
           order to facilitate a smooth transition for administrators, a
           permissive mode is available that will not enforce the access
           control rules, but will evaluate them and will output a syslog
           message if access would have been denied. By examining the logs,
           administrators can then make the necessary changes before setting
           the mode to enforcing.

           There are three supported values for this option:

           ·   disabled: GPO-based access control rules are neither evaluated
               nor enforced.

           ·   enforcing: GPO-based access control rules are evaluated and
               enforced.

           ·   permissive: GPO-based access control rules are evaluated, but
               not enforced. Instead, a syslog message will be emitted
               indicating that the user would have been denied access if this
               option's value were set to enforcing.

           Default: permissive

       ad_gpo_cache_timeout (integer)
           The amount of time between lookups of GPO policy files against
           the AD server. This will reduce the latency and load on the AD
           server if there are many access-control requests made in a
           short period.

           Default: 5 (seconds)

       ad_gpo_map_interactive (string)
           A comma-separated list of PAM service names for which GPO-based
           access control is evaluated based on the InteractiveLogonRight
           and DenyInteractiveLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is
           called "Allow log on locally" and "Deny log on locally".

           It is possible to add another PAM service name to the default
           set by using “+service_name” or to explicitly remove a PAM
           service name from the default set by using “-service_name”. For
           example, in order to replace a default PAM service name for
           this logon right (e.g. “login”) with a custom PAM service name
           (e.g. “my_pam_service”), you would use the following
           configuration:

               ad_gpo_map_interactive = +my_pam_service, -login

           Default: the default set of PAM service names includes:

           ·   login

           ·   su

           ·   su-l

           ·   gdm-fingerprint

           ·   gdm-password

           ·   gdm-smartcard

           ·   kdm

       ad_gpo_map_remote_interactive (string)
           A comma-separated list of PAM service names for which GPO-based
           access control is evaluated based on the
           RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
           policy settings.

           Note: Using the Group Policy Management Editor this value is
           called "Allow log on through Remote Desktop Services" and "Deny
           log on through Remote Desktop Services".

           It is possible to add another PAM service name to the default
           set by using “+service_name” or to explicitly remove a PAM
           service name from the default set by using “-service_name”. For
           example, in order to replace a default PAM service name for
           this logon right (e.g. “sshd”) with a custom PAM service name
           (e.g. “my_pam_service”), you would use the following
           configuration:

               ad_gpo_map_remote_interactive = +my_pam_service, -sshd

           Default: the default set of PAM service names includes:

           ·   sshd

       ad_gpo_map_network (string)
           A comma-separated list of PAM service names for which GPO-based
           access control is evaluated based on the NetworkLogonRight and
           DenyNetworkLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is
           called "Access this computer from the network" and "Deny access
           to this computer from the network".

           It is possible to add another PAM service name to the default
           set by using “+service_name” or to explicitly remove a PAM
           service name from the default set by using “-service_name”. For
           example, in order to replace a default PAM service name for
           this logon right (e.g. “ftp”) with a custom PAM service name
           (e.g. “my_pam_service”), you would use the following
           configuration:

               ad_gpo_map_network = +my_pam_service, -ftp

           Default: the default set of PAM service names includes:

           ·   ftp

           ·   samba

       ad_gpo_map_batch (string)
           A comma-separated list of PAM service names for which GPO-based
           access control is evaluated based on the BatchLogonRight and
           DenyBatchLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is
           called "Allow log on as a batch job" and "Deny log on as a batch
           job".

           It is possible to add another PAM service name to the default
           set by using “+service_name” or to explicitly remove a PAM
           service name from the default set by using “-service_name”. For
           example, in order to replace a default PAM service name for
           this logon right (e.g. “crond”) with a custom PAM service name
           (e.g. “my_pam_service”), you would use the following
           configuration:

               ad_gpo_map_batch = +my_pam_service, -crond

           Default: the default set of PAM service names includes:

           ·   crond

       ad_gpo_map_service (string)
           A comma-separated list of PAM service names for which GPO-based
           access control is evaluated based on the ServiceLogonRight and
           DenyServiceLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is
           called "Allow log on as a service" and "Deny log on as a
           service".

           It is possible to add a PAM service name to the default set by
           using “+service_name”. Since the default set is empty, it is not
           possible to remove a PAM service name from the default set. For
           example, in order to add a custom PAM service name (e.g.
           “my_pam_service”), you would use the following configuration:

               ad_gpo_map_service = +my_pam_service

           Default: not set

       ad_gpo_map_permit (string)
           A comma-separated list of PAM service names for which GPO-based
           access is always granted, regardless of any GPO Logon Rights.

           It is possible to add another PAM service name to the default
           set by using “+service_name” or to explicitly remove a PAM
           service name from the default set by using “-service_name”. For
           example, in order to replace a default PAM service name for
           unconditionally permitted access (e.g. “sudo”) with a custom
           PAM service name (e.g. “my_pam_service”), you would use the
           following configuration:

               ad_gpo_map_permit = +my_pam_service, -sudo

           Default: the default set of PAM service names includes:

           ·   sudo

           ·   sudo-i

           ·   systemd-user

       ad_gpo_map_deny (string)
           A comma-separated list of PAM service names for which GPO-based
           access is always denied, regardless of any GPO Logon Rights.

           It is possible to add a PAM service name to the default set by
           using “+service_name”. Since the default set is empty, it is not
           possible to remove a PAM service name from the default set. For
           example, in order to add a custom PAM service name (e.g.
           “my_pam_service”), you would use the following configuration:

               ad_gpo_map_deny = +my_pam_service

           Default: not set

       ad_gpo_default_right (string)
           This option defines how access control is evaluated for PAM
           service names that are not explicitly listed in one of the
           ad_gpo_map_* options. This option can be set in two different
           manners. First, this option can be set to use a default logon
           right. For example, if this option is set to 'interactive', it
           means that unmapped PAM service names will be processed based
           on the InteractiveLogonRight and DenyInteractiveLogonRight
           policy settings. Alternatively, this option can be set to
           either always permit or always deny access for unmapped PAM
           service names.

           Supported values for this option include:

           ·   interactive

           ·   remote_interactive

           ·   network

           ·   batch

           ·   service

           ·   permit

           ·   deny

           Default: deny

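           The ad_gpo_map_* modifiers, the ad_gpo_default_right fallback and
           the three ad_gpo_access_control modes combine into a single
           decision per PAM service, and the default of deny for unmapped
           services is the part most often overlooked. The block below is an
           added example (not SSSD's own code) that applies the documented
           default sets and “+name”/“-name” modifiers, resolves a PAM service
           name to its logon right, and returns the outcome for each mode.
           The set of policy settings a user holds is a constructed input
           standing in for what SSSD evaluates from the GPOs; the assumption
           that the first matching map wins when a name was added to several
           maps is this model's own.

```python
"""Model the GPO-based access decision documented for the ad_gpo_* options.

Added example, not SSSD's own code. The defaults below are the ones listed
for each ad_gpo_map_* option; the policy-setting names are the ones those
options reference.
"""
from typing import Dict, Optional, Set, Tuple

# Documented default service set of each ad_gpo_map_* option.
GPO_MAP_DEFAULTS: Dict[str, Set[str]] = {
    "interactive": {"login", "su", "su-l", "gdm-fingerprint",
                    "gdm-password", "gdm-smartcard", "kdm"},
    "remote_interactive": {"sshd"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
    "permit": {"sudo", "sudo-i", "systemd-user"},
    "deny": set(),
}

# Allow/deny policy settings consulted for each logon right.
POLICY_SETTINGS: Dict[str, Tuple[str, str]] = {
    "interactive": ("InteractiveLogonRight", "DenyInteractiveLogonRight"),
    "remote_interactive": ("RemoteInteractiveLogonRight",
                           "DenyRemoteInteractiveLogonRight"),
    "network": ("NetworkLogonRight", "DenyNetworkLogonRight"),
    "batch": ("BatchLogonRight", "DenyBatchLogonRight"),
    "service": ("ServiceLogonRight", "DenyServiceLogonRight"),
}


def apply_map_option(defaults: Set[str], value: Optional[str]) -> Set[str]:
    """Apply an ad_gpo_map_* value such as "+my_pam_service, -sshd" to the
    default set. Only the documented +name / -name forms are accepted."""
    result = set(defaults)
    if value is None:
        return result
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("+"):
            result.add(item[1:])
        elif item.startswith("-"):
            result.discard(item[1:])
        else:
            raise ValueError(f"expected +service or -service, got {item!r}")
    return result


def build_service_maps(config: Dict[str, str]) -> Dict[str, Set[str]]:
    """config maps sssd.conf option names to values for one domain."""
    return {right: apply_map_option(defaults, config.get(f"ad_gpo_map_{right}"))
            for right, defaults in GPO_MAP_DEFAULTS.items()}


def logon_right_for(service: str, maps: Dict[str, Set[str]],
                    default_right: str = "deny") -> str:
    """Map a PAM service name to its logon right; unmapped names fall back
    to ad_gpo_default_right. If a name was added to several maps, the first
    map in GPO_MAP_DEFAULTS order wins (an assumption of this model)."""
    for right, services in maps.items():
        if service in services:
            return right
    if default_right not in GPO_MAP_DEFAULTS:
        raise ValueError(f"unsupported ad_gpo_default_right {default_right!r}")
    return default_right


def evaluate_access(service: str, held_settings: Set[str],
                    maps: Dict[str, Set[str]], mode: str = "permissive",
                    default_right: str = "deny") -> Tuple[bool, Optional[str]]:
    """Return (access_granted, syslog_message). held_settings is the set of
    policy settings the GPOs grant the user on this host (constructed input)."""
    if mode == "disabled":
        return True, None                  # rules neither evaluated nor enforced
    right = logon_right_for(service, maps, default_right)
    if right == "permit":
        would_allow = True
    elif right == "deny":
        would_allow = False
    else:
        allow_name, deny_name = POLICY_SETTINGS[right]
        would_allow = allow_name in held_settings and deny_name not in held_settings
    if would_allow:
        return True, None
    message = (f"GPO access control: user would be denied access to PAM "
               f"service {service!r} ({right} logon right)")
    if mode == "permissive":
        return True, message               # evaluated and logged, not enforced
    if mode == "enforcing":
        return False, message
    raise ValueError(f"unsupported ad_gpo_access_control mode {mode!r}")


if __name__ == "__main__":
    # Constructed configuration: replace sshd with a custom PAM service.
    maps = build_service_maps({"ad_gpo_map_remote_interactive": "+my_pam_service, -sshd"})
    for mode in ("disabled", "permissive", "enforcing"):
        print(mode, evaluate_access("login", set(), maps, mode))
```

           Note what happens to sshd in that configuration: once removed from
           the remote_interactive map it is unmapped, so with the default
           ad_gpo_default_right of deny it is refused in enforcing mode even
           for users who hold RemoteInteractiveLogonRight. The permissive
           mode makes exactly this kind of gap visible in syslog before
           enforcement is switched on.
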
       ad_maximum_machine_account_password_age (integer)
           SSSD will check once a day if the machine account password is
           older than the given age in days and try to renew it. A value
           of 0 will disable the renewal attempt.

           Default: 30 days

       ad_machine_account_password_renewal_opts (string)
           This option should only be used to test the machine account
           renewal task. The option expects 2 integers separated by a
           colon (':'). The first integer defines the interval in seconds
           at which the task is run. The second specifies the initial
           timeout in seconds before the task is run for the first time
           after startup.

           Default: 86400:750 (24h and 15m)

       dyndns_update (boolean)
           Optional. This option tells SSSD to automatically update the
           Active Directory DNS server with the IP address of this client.
           The update is secured using GSS-TSIG. As a consequence, the
           Active Directory administrator only needs to allow secure
           updates for the DNS zone. The IP address of the AD LDAP
           connection is used for the updates, if it is not otherwise
           specified by using the “dyndns_iface” option.

           NOTE: On older systems (such as RHEL 5), for this behavior to
           work reliably, the default Kerberos realm must be set properly
           in /etc/krb5.conf

           Default: true

       dyndns_ttl (integer)
           The TTL to apply to the client DNS record when updating it. If
           dyndns_update is false this has no effect. This will override
           the TTL serverside if set by an administrator.

           Default: 3600 (seconds)

       dyndns_iface (string)
           Optional. Applicable only when dyndns_update is true. Choose the
           interface or a list of interfaces whose IP addresses should be
           used for dynamic DNS updates. Special value “*” implies that IPs
           from all interfaces should be used.

           Default: Use the IP addresses of the interface which is used for
           the AD LDAP connection

           Example: dyndns_iface = em1, vnet1, vnet2

       dyndns_refresh_interval (integer)
           How often should the back end perform periodic DNS update in
           addition to the automatic update performed when the back end
           goes online. This option is optional and applicable only when
           dyndns_update is true.

           Default: 86400 (24 hours)

       dyndns_update_ptr (bool)
           Whether the PTR record should also be explicitly updated when
           updating the client's DNS records. Applicable only when
           dyndns_update is true.

           Default: True

       dyndns_force_tcp (bool)
           Whether the nsupdate utility should default to using TCP for
           communicating with the DNS server.

           Default: False (let nsupdate choose the protocol)

       dyndns_server (string)
           The DNS server to use when performing a DNS update. In most
           setups, it's recommended to leave this option unset.

           Setting this option makes sense for environments where the DNS
           server is different from the identity server.

           Please note that this option will only be used in a fallback
           attempt after a previous attempt using autodetected settings
           has failed.

           Default: None (let nsupdate choose the server)

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of configure option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

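           The template sequences above are the whole of the substitution
           language, so a small expander shows how a given template resolves
           for a given user before it is deployed. The following is an added
           example (not SSSD's own code): the UserInfo fields are assumed
           inputs standing in for what SSSD knows about the user, the
           homedir_substring parameter plays the role of the option of the
           same name, and the sample user is constructed. Unknown sequences
           and a trailing bare '%' are rejected rather than silently dropped,
           which is this example's choice, not documented SSSD behaviour.

```python
"""Expand an override_homedir template with the sequences documented above.

Added example, not SSSD's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    login: str           # %u
    uid: int             # %U
    domain: str          # %d
    upn: str             # %P (name@REALM)
    original_home: str   # %o, as retrieved from the identity provider


def expand_homedir(template: str, user: UserInfo,
                   homedir_substring: str = "/home") -> str:
    """Substitute the documented %-sequences. An absolute path that contains
    no '%' is returned unchanged."""
    substitutions = {
        "u": user.login,
        "U": str(user.uid),
        "d": user.domain,
        "f": f"{user.login}@{user.domain}",   # fully qualified user name
        "P": user.upn,
        "o": user.original_home,
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("override_homedir template ends with a bare '%'")
        spec = template[i + 1]
        if spec not in substitutions:
            raise ValueError(f"unknown sequence %{spec} in override_homedir")
        out.append(substitutions[spec])
        i += 2
    return "".join(out)


# Constructed sample user.
SAMPLE_USER = UserInfo(login="alice", uid=1234567, domain="eng.example.com",
                       upn="alice@ENG.EXAMPLE.COM",
                       original_home="/export/home/alice")

if __name__ == "__main__":
    for tmpl in ("/home/%u", "%H/%d/%u", "%o", "/data/%f/%U%%"):
        print(tmpl, "->", expand_homedir(tmpl, SAMPLE_USER, "/srv/homes"))
```
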
593                                   homedir_substring (string)
594                                       The value of this option will be used
595                                       in the expansion of the
596                                       override_homedir option if the template
597                                       contains the format string %H. An LDAP
598                                       directory entry can directly contain
599                                       this template so that this option can
600                                       be used to expand the home directory
601                                       path for each client machine (or
602                                       operating system). It can be set
603                                       per-domain or globally in the [nss]
604                                       section. A value specified in a domain
605                                       section will override one set in the
606                                       [nss] section.
607
608                                       Default: /home
609
610                                   krb5_use_enterprise_principal (boolean)
611                                       Specifies if the user principal should
612                                       be treated as enterprise principal. See
613                                       section 5 of RFC 6806 for more details
614                                       about enterprise principals.
615
616                                       Default: true
617
618                                       Note that this default differs from the
619                                       traditional Kerberos provider back end.
620
621                                   krb5_confd_path (string)
622                                       Absolute path of a directory where SSSD
623                                       should place Kerberos configuration
624                                       snippets.
625
626                                       To disable the creation of the
627                                       configuration snippets set the
628                                       parameter to ´none´.
629
630                                       Default: not set (krb5.include.d
631                                       subdirectory of SSSD's pubconf
632                                       directory)
633

FAILOVER

635       The failover feature allows back ends to automatically switch to a
636       different server if the current server fails.
637
638   Failover Syntax
639       The list of servers is given as a comma-separated list; any number of
640       spaces is allowed around the comma. The servers are listed in order of
641       preference. The list can contain any number of servers.
642
643       For each failover-enabled config option, two variants exist: primary
644       and backup. The idea is that servers in the primary list are preferred
645       and backup servers are only searched if no primary servers can be
646       reached. If a backup server is selected, a timeout of 31 seconds is
647       set. After this timeout SSSD will periodically try to reconnect to one
648       of the primary servers. If it succeeds, it will replace the current
649       active (backup) server.
650
651   The Failover Mechanism
652       The failover mechanism distinguishes between a machine and a service.
653       The back end first tries to resolve the hostname of a given machine; if
654       this resolution attempt fails, the machine is considered offline. No
655       further attempts are made to connect to this machine for any other
656       service. If the resolution attempt succeeds, the back end tries to
657       connect to a service on this machine. If the service connection attempt
658       fails, then only this particular service is considered offline and the
659       back end automatically switches over to the next service. The machine
660       is still considered online and might still be tried for another
661       service.
662
663       Further connection attempts are made to machines or services marked as
664       offline after a specified period of time; this is currently hard coded
665       to 30 seconds.
666
667       If there are no more machines to try, the back end as a whole switches
668       to offline mode, and then attempts to reconnect every 30 seconds.
669
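       The machine/service distinction and the two timers described above, as
       an added worked model (not SSSD's own code). Name resolution and
       service connection are injected callables so the model runs offline;
       the host names, the scenario in run_scenario() and the 'ldap'/'krb5'
       service labels are constructed for illustration. The 30 second retry
       and the 31 second backup timeout are the values the page gives.

```python
"""Model of the sssd-ad(5) failover rules (added example, not SSSD code).

Name resolution and service connection are injected callables, so the
model runs offline; real SSSD asks DNS and opens the LDAP/Kerberos
connection instead.  The timing constants are the page's: offline entries
are retried after 30 seconds, and a backup server is re-evaluated after 31.
"""
RETRY_OFFLINE = 30    # seconds before an offline machine or service is tried again
BACKUP_TIMEOUT = 31   # seconds on a backup server before primaries are retried


class Failover:
    def __init__(self, primary, backup, resolve, connect):
        self.primary, self.backup = list(primary), list(backup)
        self.resolve, self.connect = resolve, connect   # host -> bool, (host, svc) -> bool
        self.machine_down = {}   # host -> time it failed to resolve
        self.service_down = {}   # (host, svc) -> time the connection failed
        self.active = {}         # svc -> (host, time selected)

    def _recently_failed(self, table, key, now):
        t = table.get(key)
        return t is not None and now - t < RETRY_OFFLINE

    def _try(self, host, svc, now):
        if self._recently_failed(self.machine_down, host, now) or \
           self._recently_failed(self.service_down, (host, svc), now):
            return False
        if not self.resolve(host):
            self.machine_down[host] = now          # whole machine offline, for every service
            return False
        self.machine_down.pop(host, None)
        if not self.connect(host, svc):
            self.service_down[(host, svc)] = now   # only this service on this machine
            return False
        self.service_down.pop((host, svc), None)
        return True

    def select(self, svc, now):
        """Return (host, is_backup) for svc, or None when the back end is offline."""
        cur = self.active.get(svc)
        if cur and cur[0] in self.backup and now - cur[1] < BACKUP_TIMEOUT:
            return cur[0], True                     # stay on the backup until the timeout
        for host in self.primary:                   # primaries in order of preference
            if self._try(host, svc, now):
                self.active[svc] = (host, now)
                return host, False
        for host in self.backup:                    # backups only when no primary answers
            if self._try(host, svc, now):
                if not cur or cur[0] != host:
                    self.active[svc] = (host, now)  # start the 31 s backup timer
                return host, True
        self.active.pop(svc, None)
        return None                                 # offline; retried every 30 s


def run_scenario():
    """Constructed scenario: dc1 does not resolve, dc2 resolves but refuses LDAP,
    dc3 is a working backup.  Returns the selection made at each step."""
    resolvable = {"dc1.example.com": False, "dc2.example.com": True, "dc3.example.com": True}
    closed = {("dc2.example.com", "ldap")}
    fo = Failover(["dc1.example.com", "dc2.example.com"], ["dc3.example.com"],
                  resolve=lambda h: resolvable[h],
                  connect=lambda h, s: (h, s) not in closed)
    out = {"ldap@0": fo.select("ldap", 0)}       # both primaries fail -> backup dc3
    out["krb5@0"] = fo.select("krb5", 0)         # dc1 skipped as a machine; dc2 serves krb5
    resolvable["dc1.example.com"] = True         # dc1 comes back
    out["ldap@10"] = fo.select("ldap", 10)       # backup timeout not yet expired
    out["ldap@31"] = fo.select("ldap", 31)       # primaries retried; dc1 takes over
    return out


if __name__ == "__main__":
    for step, choice in run_scenario().items():
        print(step, "->", choice)
```

       The scenario shows why the distinction matters operationally: a host
       that fails DNS resolution is not retried for any service for 30
       seconds, while a host whose LDAP port is closed is still used for
       Kerberos immediately, and a backup server is kept for the full 31
       seconds even if a primary has already recovered.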

SERVICE DISCOVERY

671       The service discovery feature allows back ends to automatically find
672       the appropriate servers to connect to using a special DNS query. This
673       feature is not supported for backup servers.
674
675   Configuration
676       If no servers are specified, the back end automatically uses service
677       discovery to try to find a server. Optionally, the user may choose to
678       use both fixed server addresses and service discovery by inserting a
679       special keyword, “_srv_”, in the list of servers. The order of
680       preference is maintained. This feature is useful if, for example, the
681       user prefers to use service discovery whenever possible, and fall back
682       to a specific server when no servers can be discovered using DNS.
683
684   The domain name
685       Please refer to the “dns_discovery_domain” parameter in the
686       sssd.conf(5) manual page for more details.
687
688   The protocol
689       The queries usually specify _tcp as the protocol. Exceptions are
690       documented in the respective option descriptions.
691
692   See Also
693       For more information on the service discovery mechanism, refer to RFC
694       2782.
695

ID MAPPING

697       The ID-mapping feature allows SSSD to act as a client of Active
698       Directory without requiring administrators to extend user attributes to
699       support POSIX attributes for user and group identifiers.
700
701       NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
702       attributes are ignored. This is to avoid the possibility of conflicts
703       between automatically-assigned and manually-assigned values. If you
704       need to use manually-assigned values, ALL values must be
705       manually-assigned.
706
707       Please note that changing the ID mapping related configuration options
708       will cause user and group IDs to change. At the moment, SSSD does not
709       support changing IDs, so the SSSD database must be removed. Because
710       cached passwords are also stored in the database, removing the database
711       should only be performed while the authentication servers are
712       reachable, otherwise users might get locked out. In order to cache the
713       password, an authentication must be performed. It is not sufficient to
714       use sss_cache(8) to remove the database, rather the process consists
715       of:
716
717       ·   Making sure the remote servers are reachable
718
719       ·   Stopping the SSSD service
720
721       ·   Removing the database
722
723       ·   Starting the SSSD service
724
725       Moreover, as the change of IDs might necessitate the adjustment of
726       other system properties such as file and directory ownership, it's
727       advisable to plan ahead and test the ID mapping configuration
728       thoroughly.
729
730   Mapping Algorithm
731       Active Directory provides an objectSID for every user and group object
732       in the directory. This objectSID can be broken up into components that
733       represent the Active Directory domain identity and the relative
734       identifier (RID) of the user or group object.
735
736       The SSSD ID-mapping algorithm takes a range of available UIDs and
737       divides it into equally-sized sections, called "slices".
738       Each slice represents the space available to one Active Directory
739       domain.
740
741       When a user or group entry for a particular domain is encountered for
742       the first time, the SSSD allocates one of the available slices for that
743       domain. In order to make this slice-assignment repeatable on different
744       client machines, we select the slice based on the following algorithm:
745
746       The SID string is passed through the murmurhash3 algorithm to convert
747       it to a 32-bit hashed value. We then take the modulus of this value
748       with the total number of available slices to pick the slice.
749
750       NOTE: It is possible to encounter collisions in the hash and subsequent
751       modulus. In these situations, we will select the next available slice,
752       but it may not be possible to reproduce the same exact set of slices on
753       other machines (since the order that they are encountered will
754       determine their slice). In this situation, it is recommended to either
755       switch to using explicit POSIX attributes in Active Directory
756       (disabling ID-mapping) or configure a default domain to guarantee that
757       at least one is always consistent. See “Configuration” for details.
758
759   Configuration
760       Minimum configuration (in the “[domain/DOMAINNAME]” section):
761
762           ldap_id_mapping = True
763           ldap_schema = ad
764
765       The default configuration results in configuring 10,000 slices, each
766       capable of holding up to 200,000 IDs, starting from 10,001 and going up
767       to 2,000,100,000. This should be sufficient for most deployments.
768
769       Advanced Configuration
770           ldap_idmap_range_min (integer)
771               Specifies the lower bound of the range of POSIX IDs to use for
772               mapping Active Directory user and group SIDs.
773
774               NOTE: This option is different from “min_id” in that “min_id”
775               acts to filter the output of requests to this domain, whereas
776               this option controls the range of ID assignment. This is a
777               subtle distinction, but the good general advice would be to
778               have “min_id” be less-than or equal to “ldap_idmap_range_min”
779
780               Default: 200000
781
782           ldap_idmap_range_max (integer)
783               Specifies the upper bound of the range of POSIX IDs to use for
784               mapping Active Directory user and group SIDs.
785
786               NOTE: This option is different from “max_id” in that “max_id”
787               acts to filter the output of requests to this domain, whereas
788               this option controls the range of ID assignment. This is a
789               subtle distinction, but the good general advice would be to
790               have “max_id” be greater-than or equal to
791               “ldap_idmap_range_max”
792
793               Default: 2000200000
794
795           ldap_idmap_range_size (integer)
796               Specifies the number of IDs available for each slice. If the
797               range size does not divide evenly into the min and max values,
798               it will create as many complete slices as it can.
799
800               NOTE: The value of this option must be at least as large as the
801               highest user RID planned for use on the Active Directory
802               server. User lookups and login will fail for any user whose RID
803               is greater than this value.
804
805               For example, if your most recently-added Active Directory user
806               has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
807               “ldap_idmap_range_size” must be at least 1108 as range size is
808               equal to maximal SID minus minimal SID plus one (e.g. 1108 =
809               1107 - 0 + 1).
810
811               It is important to plan ahead for future expansion, as changing
812               this value will result in changing all of the ID mappings on
813               the system, leading to users with different local IDs than they
814               previously had.
815
816               Default: 200000
817
818           ldap_idmap_default_domain_sid (string)
819               Specify the domain SID of the default domain. This will
820               guarantee that this domain will always be assigned to slice
821               zero in the ID map, bypassing the murmurhash algorithm
822               described above.
823
824               Default: not set
825
826           ldap_idmap_default_domain (string)
827               Specify the name of the default domain.
828
829               Default: not set
830
831           ldap_idmap_autorid_compat (boolean)
832               Changes the behavior of the ID-mapping algorithm to behave more
833               similarly to winbind's “idmap_autorid” algorithm.
834
835               When this option is configured, domains will be allocated
836               starting with slice zero and increasing monotonically with each
837               additional domain.
838
839               NOTE: This algorithm is non-deterministic (it depends on the
840               order that users and groups are requested). If this mode is
841               required for compatibility with machines running winbind, it is
842               recommended to also use the “ldap_idmap_default_domain_sid”
843               option to guarantee that at least one domain is consistently
844               allocated to slice zero.
845
846               Default: False
847
848           ldap_idmap_helper_table_size (integer)
849               Maximum number of secondary slices that is tried when
850               mapping a UNIX ID to a SID.
851
852               Note: Additional secondary slices might be generated when a SID
853               is being mapped to a UNIX ID and the RID part of the SID is out of
854               range for the secondary slices generated so far. If the value of
855               ldap_idmap_helper_table_size is equal to 0, no additional
856               secondary slices are generated.
857
858               Default: 10
859
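       The mapping algorithm, the ldap_idmap_range_size RID bound and the
       ldap_idmap_default_domain_sid pinning described above, as an added
       worked model (not SSSD's own code). Three details are assumptions
       the page does not state and are labelled as such in the code:
       "murmurhash3" is taken to be the x86 32-bit variant, the hashed string
       is the domain part of the SID (everything before the trailing RID),
       and the seed is 0xdeadbeef. The murmurhash3 function is checked
       against the published empty-input test vectors; the slice assignment
       follows the page (hash modulo slice count, then the next available
       slice on collision), so the concrete slice a domain lands in here
       need not match a real SSSD client.

```python
"""Worked model of the sssd-ad(5) ID-mapping rules (added example, not SSSD code).

Labelled assumptions: MurmurHash3 is the x86 32-bit variant, the hashed
string is the domain part of the SID (everything before the trailing RID),
and the seed is 0xdeadbeef.  None of these is stated on the page.
"""
import struct

SEED = 0xDEADBEEF  # assumed seed; the page gives none


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """Reference MurmurHash3_x86_32 (Austin Appleby's public-domain design)."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte body blocks
        k = struct.unpack_from("<I", data, 4 * i)[0]
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h = rotl(h ^ k, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail, k = data[4 * nblocks:], 0                # 0-3 trailing bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        k = rotl((k * c1) & mask, 15)
        h ^= (k * c2) & mask
    h ^= len(data)                                 # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    return h ^ (h >> 16)


def split_sid(sid: str):
    """'S-1-5-21-A-B-C-1107' -> ('S-1-5-21-A-B-C', 1107)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def rid_fits(rid: int, range_size: int) -> bool:
    """ldap_idmap_range_size must exceed the RID: RID 1107 needs at least 1108."""
    return 0 <= rid < range_size


class IdMap:
    """One client's slice table; identical inputs give the same table on every client."""

    def __init__(self, range_min=200000, range_max=2000200000, range_size=200000,
                 default_domain_sid=None, seed=SEED):
        self.range_min, self.range_size, self.seed = range_min, range_size, seed
        self.slices = (range_max - range_min) // range_size   # only complete slices
        self.slice_of = {}
        if default_domain_sid is not None:
            self.slice_of[default_domain_sid] = 0             # pinned to slice zero, no hashing

    def slice_for_domain(self, dom_sid: str) -> int:
        if dom_sid in self.slice_of:
            return self.slice_of[dom_sid]
        used = set(self.slice_of.values())
        sl = murmurhash3_x86_32(dom_sid.encode(), self.seed) % self.slices
        for _ in range(self.slices):
            if sl not in used:
                self.slice_of[dom_sid] = sl
                return sl
            sl = (sl + 1) % self.slices   # collision: next available slice (order-dependent)
        raise RuntimeError("no free slice left in the ID range")

    def sid_to_unix_id(self, sid: str) -> int:
        dom, rid = split_sid(sid)
        if not rid_fits(rid, self.range_size):
            raise ValueError(f"RID {rid} needs ldap_idmap_range_size > {rid}")
        return self.range_min + self.slice_for_domain(dom) * self.range_size + rid


if __name__ == "__main__":
    m = IdMap()
    sid = "S-1-5-21-2153326666-2176343378-3404031434-1107"   # the page's example SID
    print(m.slices, "slices;", sid, "->", m.sid_to_unix_id(sid))
```

       With the defaults the model yields exactly 10,000 complete slices
       ((2000200000 - 200000) / 200000) and a UNIX ID of
       ldap_idmap_range_min + slice * ldap_idmap_range_size + RID, which is
       why changing any of the three range options renumbers every mapped
       user and group. The collision branch is the non-deterministic path
       the page warns about: whichever domain is seen first keeps the
       contested slice, so two clients can disagree unless a default domain
       SID is pinned.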
860   Well-Known SIDs
861       SSSD supports looking up the names of Well-Known SIDs, i.e. SIDs with a
862       special hardcoded meaning. Since the generic users and groups related
863       to those Well-Known SIDs have no equivalent in a Linux/UNIX environment,
864       no POSIX IDs are available for those objects.
865
866       The SID name space is organized in authorities which can be seen as
867       different domains. The authorities for the Well-Known SIDs are
868
869       ·   Null Authority
870
871       ·   World Authority
872
873       ·   Local Authority
874
875       ·   Creator Authority
876
877       ·   NT Authority
878
879       ·   Built-in
880
881       The capitalized versions of these names are used as domain names when
882       returning the fully qualified name of a Well-Known SID.
883
884       Since some utilities allow SID-based access control information to be
885       modified with the help of a name instead of the SID itself, SSSD
886       supports looking up the SID by name as well. To avoid collisions,
887       only the fully qualified names can be used to look up Well-Known
888       SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
889       AUTHORITY”, “LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
890       “BUILTIN” should not be used as domain names in sssd.conf.
891

EXAMPLE

893       The following example assumes that SSSD is correctly configured and
894       example.com is one of the domains in the [sssd] section. This example
895       shows only the AD provider-specific options.
896
897           [domain/EXAMPLE]
898           id_provider = ad
899           auth_provider = ad
900           access_provider = ad
901           chpass_provider = ad
902
903           ad_server = dc1.example.com
904           ad_hostname = client.example.com
905           ad_domain = example.com
906
907

NOTES

909       The AD access control provider checks if the account is expired. It has
910       the same effect as the following configuration of the LDAP provider:
911
912           access_provider = ldap
913           ldap_access_order = expire
914           ldap_account_expire_policy = ad
915
916       However, unless the “ad” access control provider is explicitly
917       configured, the default access provider is “permit”. Please note that
918       if you configure an access provider other than “ad”, you need to set
919       all the connection parameters (such as LDAP URIs and encryption
920       details) manually.
921
922       When the autofs provider is set to “ad”, the RFC2307 schema attribute
923       mapping (nisMap, nisObject, ...) is used, because these attributes are
924       included in the default Active Directory schema.
925

SEE ALSO

927       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
928       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
929       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
930       sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
931       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
932       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).
933

AUTHORS

935       The SSSD upstream - http://fedorahosted.org/sssd
936
937
938
939SSSD                              01/15/2019                        SSSD-AD(5)