1SSSD-AD(5)               File Formats and Conventions               SSSD-AD(5)
2
3
4

NAME

6       sssd-ad - SSSD Active Directory provider
7

DESCRIPTION

9       This manual page describes the configuration of the AD provider for
10       sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
11       section of the sssd.conf(5) manual page.
12
13       The AD provider is a back end used to connect to an Active Directory
14       server. This provider requires that the machine be joined to the AD
15       domain and a keytab is available. Back end communication occurs over a
16       GSSAPI-encrypted channel, SSL/TLS options should not be used with the
17       AD provider and will be superseded by Kerberos usage.
18
19       The AD provider supports connecting to Active Directory 2008 R2 or
20       later. Earlier versions may work, but are unsupported.
21
22       The AD provider can be used to get user information and authenticate
23       users from trusted domains. Currently only trusted domains in the same
24       forest are recognized. In addition servers from trusted domains are
25       always auto-discovered.
26
27       The AD provider enables SSSD to use the sssd-ldap(5) identity provider
28       and the sssd-krb5(5) authentication provider with optimizations for
29       Active Directory environments. The AD provider accepts the same options
30       used by the sssd-ldap and sssd-krb5 providers with some exceptions.
31       However, it is neither necessary nor recommended to set these options.
32
33       The AD provider primarily copies the traditional ldap and krb5 provider
34       default options with some exceptions, the differences are listed in the
35       “MODIFIED DEFAULT OPTIONS” section.
36
37       The AD provider can also be used as an access, chpass, sudo and autofs
38       provider. No configuration of the access provider is required on the
39       client side.
40
41       If “auth_provider=ad” or “access_provider=ad” is configured in
42       sssd.conf then the id_provider must also be set to “ad”.
43
44       By default, the AD provider will map UID and GID values from the
45       objectSID parameter in Active Directory. For details on this, see the
46       “ID MAPPING” section below. If you want to disable ID mapping and
47       instead rely on POSIX attributes defined in Active Directory, you
48       should set
49
50           ldap_id_mapping = False
51
52
53       If POSIX attributes should be used, it is recommended for performance
54       reasons that the attributes are also replicated to the Global Catalog.
55       If POSIX attributes are replicated, SSSD will attempt to locate the
56       domain of a requested numerical ID with the help of the Global Catalog
57       and only search that domain. In contrast, if POSIX attributes are not
58       replicated to the Global Catalog, SSSD must search all the domains in
59       the forest sequentially. Please note that the “cache_first” option
60       might be also helpful in speeding up domainless searches. Note that if
61       only a subset of POSIX attributes is present in the Global Catalog, the
62       non-replicated attributes are currently not read from the LDAP port.
63
64       Users, groups and other entities served by SSSD are always treated as
65       case-insensitive in the AD provider for compatibility with Active
66       Directory's LDAP implementation.
67

CONFIGURATION OPTIONS

69       Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
70       for details on the configuration of an SSSD domain.
71
72       ad_domain (string)
73           Specifies the name of the Active Directory domain. This is
74           optional. If not provided, the configuration domain name is used.
75
76           For proper operation, this option should be specified as the
77           lower-case version of the long version of the Active Directory
78           domain.
79
80           The short domain name (also known as the NetBIOS or the flat name)
81           is autodetected by the SSSD.
82
83       ad_enabled_domains (string)
84           A comma-separated list of enabled Active Directory domains. If
85           provided, SSSD will ignore any domains not listed in this option.
86           If left unset, all domains from the AD forest will be available.
87
88           For proper operation, this option must be specified in all
89           lower-case and as the fully qualified domain name of the Active
90           Directory domain. For example:
91
92               ad_enabled_domains = sales.example.com, eng.example.com
93
94
95           The short domain name (also known as the NetBIOS or the flat name)
96           will be autodetected by SSSD.
97
98           Default: Not set
99
100       ad_server, ad_backup_server (string)
101           The comma-separated list of hostnames of the AD servers to which
102           SSSD should connect in order of preference. For more information on
103           failover and server redundancy, see the “FAILOVER” section.
104
105           This is optional if autodiscovery is enabled. For more information
106           on service discovery, refer to the “SERVICE DISCOVERY” section.
107
108           Note: Trusted domains will always auto-discover servers even if the
109           primary server is explicitly defined in the ad_server option.
110
111       ad_hostname (string)
112           Optional. May be set on machines where the hostname(5) does not
113           reflect the fully qualified name used in the Active Directory
114           domain to identify this host.
115
116           This field is used to determine the host principal in use in the
117           keytab. It must match the hostname for which the keytab was issued.
118
119       ad_enable_dns_sites (boolean)
120           Enables DNS sites - location based service discovery.
121
122           If true and service discovery (see Service Discovery paragraph at
123           the bottom of the man page) is enabled, the SSSD will first attempt
124           to discover the Active Directory server to connect to using the
125           Active Directory Site Discovery and fall back to the DNS SRV
126           records if no AD site is found. The DNS SRV configuration,
127           including the discovery domain, is used during site discovery as
128           well.
129
130           Default: true
131
132       ad_access_filter (string)
133           This option specifies LDAP access control filter that the user must
134           match in order to be allowed access. Please note that the
135           “access_provider” option must be explicitly set to “ad” in order
136           for this option to have an effect.
137
138           The option also supports specifying different filters per domain or
139           forest. This extended filter would consist of:
140           “KEYWORD:NAME:FILTER”. The keyword can be either “DOM”, “FOREST” or
141           missing.
142
143           If the keyword equals to “DOM” or is missing, then “NAME” specifies
144           the domain or subdomain the filter applies to. If the keyword
145           equals to “FOREST”, then the filter equals to all domains from the
146           forest specified by “NAME”.
147
148           Multiple filters can be separated with the “?”  character,
149           similarly to how search bases work.
150
151           Nested group membership must be searched for using a special OID
152           “:1.2.840.113556.1.4.1941:” in addition to the full
153           DOM:domain.example.org: syntax to ensure the parser does not
154           attempt to interpret the colon characters associated with the OID.
155           If you do not use this OID then nested group membership will not be
156           resolved. See usage example below and refer here for further
157           information about the OID: [MS-ADTS] section LDAP extensions[1]
158
159           The most specific match is always used. For example, if the option
160           specified filter for a domain the user is a member of and a global
161           filter, the per-domain filter would be applied. If there are more
162           matches with the same specification, the first one is used.
163
164           Examples:
165
166               # apply filter on domain called dom1 only:
167               dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
168
169               # apply filter on domain called dom2 only:
170               DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
171
172               # apply filter on forest called EXAMPLE.COM only:
173               FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
174
175               # apply filter for a member of a nested group in dom1:
176               DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
177
178
179           Default: Not set
180
181       ad_site (string)
182           Specify AD site to which client should try to connect. If this
183           option is not provided, the AD site will be auto-discovered.
184
185           Default: Not set
186
187       ad_enable_gc (boolean)
188           By default, the SSSD connects to the Global Catalog first to
189           retrieve users from trusted domains and uses the LDAP port to
190           retrieve group memberships or as a fallback. Disabling this option
191           makes the SSSD only connect to the LDAP port of the current AD
192           server.
193
194           Please note that disabling Global Catalog support does not disable
195           retrieving users from trusted domains. The SSSD would connect to
196           the LDAP port of trusted domains instead. However, Global Catalog
197           must be used in order to resolve cross-domain group memberships.
198
199           Default: true
200
201       ad_gpo_access_control (string)
202           This option specifies the operation mode for GPO-based access
203           control functionality: whether it operates in disabled mode,
204           enforcing mode, or permissive mode. Please note that the
205           “access_provider” option must be explicitly set to “ad” in order
206           for this option to have an effect.
207
208           GPO-based access control functionality uses GPO policy settings to
209           determine whether or not a particular user is allowed to logon to a
210           particular host.
211
212           NOTE: The current version of SSSD does not support host (computer)
213           entries in the GPO 'Security Filtering' list. Only user and group
214           entries are supported. Host entries in the list have no effect.
215
216           NOTE: If the operation mode is set to enforcing, it is possible
217           that users that were previously allowed logon access will now be
218           denied logon access (as dictated by the GPO policy settings). In
219           order to facilitate a smooth transition for administrators, a
220           permissive mode is available that will not enforce the access
221           control rules, but will evaluate them and will output a syslog
222           message if access would have been denied. By examining the logs,
223           administrators can then make the necessary changes before setting
224           the mode to enforcing.
225
226           There are three supported values for this option:
227
228           ·   disabled: GPO-based access control rules are neither evaluated
229               nor enforced.
230
231           ·   enforcing: GPO-based access control rules are evaluated and
232               enforced.
233
234           ·   permissive: GPO-based access control rules are evaluated, but
235               not enforced. Instead, a syslog message will be emitted
236               indicating that the user would have been denied access if this
237               option's value were set to enforcing.
238
239           Default: enforcing
240
241       ad_gpo_implicit_deny (boolean)
242           Normally when no applicable GPOs are found the users are allowed
243           access. When this option is set to True users will be allowed
244           access only when explicitly allowed by a GPO rule. Otherwise users
245           will be denied access. This can be used to harden security but be
246           careful when using this option because it can deny access even to
247           users in the built-in Administrators group if no GPO rules apply to
248           them.
249
250           Default: False
251
252       ad_gpo_ignore_unreadable (boolean)
253           Normally when some group policy containers (AD object) of
254           applicable group policy objects are not readable by SSSD then users
255           are denied access. This option allows to ignore group policy
256           containers and with them associated policies if their attributes in
257           group policy containers are not readable for SSSD.
258
259           Default: False
260
261       ad_gpo_cache_timeout (integer)
262           The amount of time between lookups of GPO policy files against the
263           AD server. This will reduce the latency and load on the AD server
264           if there are many access-control requests made in a short period.
265
266           Default: 5 (seconds)
267
268       ad_gpo_map_interactive (string)
269           A comma-separated list of PAM service names for which GPO-based
270           access control is evaluated based on the InteractiveLogonRight and
271           DenyInteractiveLogonRight policy settings.
272
273           Note: Using the Group Policy Management Editor this value is called
274           "Allow log on locally" and "Deny log on locally".
275
276           It is possible to add another PAM service name to the default set
277           by using “+service_name” or to explicitly remove a PAM service name
278           from the default set by using “-service_name”. For example, in
279           order to replace a default PAM service name for this logon right
280           (e.g.  “login”) with a custom pam service name (e.g.
281           “my_pam_service”), you would use the following configuration:
282
283               ad_gpo_map_interactive = +my_pam_service, -login
284
285
286           Default: the default set of PAM service names includes:
287
288           ·   login
289
290           ·   su
291
292           ·   su-l
293
294           ·   gdm-fingerprint
295
296           ·   gdm-password
297
298           ·   gdm-smartcard
299
300           ·   kdm
301
302           ·   lightdm
303
304           ·   lxdm
305
306           ·   sddm
307
308           ·   unity
309
310           ·   xdm
311
312
313       ad_gpo_map_remote_interactive (string)
314           A comma-separated list of PAM service names for which GPO-based
315           access control is evaluated based on the
316           RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
317           policy settings.
318
319           Note: Using the Group Policy Management Editor this value is called
320           "Allow log on through Remote Desktop Services" and "Deny log on
321           through Remote Desktop Services".
322
323           It is possible to add another PAM service name to the default set
324           by using “+service_name” or to explicitly remove a PAM service name
325           from the default set by using “-service_name”. For example, in
326           order to replace a default PAM service name for this logon right
327           (e.g.  “sshd”) with a custom pam service name (e.g.
328           “my_pam_service”), you would use the following configuration:
329
330               ad_gpo_map_remote_interactive = +my_pam_service, -sshd
331
332
333           Default: the default set of PAM service names includes:
334
335           ·   sshd
336
337           ·   cockpit
338
339
340       ad_gpo_map_network (string)
341           A comma-separated list of PAM service names for which GPO-based
342           access control is evaluated based on the NetworkLogonRight and
343           DenyNetworkLogonRight policy settings.
344
345           Note: Using the Group Policy Management Editor this value is called
346           "Access this computer from the network" and "Deny access to this
347           computer from the network".
348
349           It is possible to add another PAM service name to the default set
350           by using “+service_name” or to explicitly remove a PAM service name
351           from the default set by using “-service_name”. For example, in
352           order to replace a default PAM service name for this logon right
353           (e.g.  “ftp”) with a custom pam service name (e.g.
354           “my_pam_service”), you would use the following configuration:
355
356               ad_gpo_map_network = +my_pam_service, -ftp
357
358
359           Default: the default set of PAM service names includes:
360
361           ·   ftp
362
363           ·   samba
364
365
366       ad_gpo_map_batch (string)
367           A comma-separated list of PAM service names for which GPO-based
368           access control is evaluated based on the BatchLogonRight and
369           DenyBatchLogonRight policy settings.
370
371           Note: Using the Group Policy Management Editor this value is called
372           "Allow log on as a batch job" and "Deny log on as a batch job".
373
374           It is possible to add another PAM service name to the default set
375           by using “+service_name” or to explicitly remove a PAM service name
376           from the default set by using “-service_name”. For example, in
377           order to replace a default PAM service name for this logon right
378           (e.g.  “crond”) with a custom pam service name (e.g.
379           “my_pam_service”), you would use the following configuration:
380
381               ad_gpo_map_batch = +my_pam_service, -crond
382
383
384           Note: Cron service name may differ depending on Linux distribution
385           used.
386
387           Default: the default set of PAM service names includes:
388
389           ·   crond
390
391
392       ad_gpo_map_service (string)
393           A comma-separated list of PAM service names for which GPO-based
394           access control is evaluated based on the ServiceLogonRight and
395           DenyServiceLogonRight policy settings.
396
397           Note: Using the Group Policy Management Editor this value is called
398           "Allow log on as a service" and "Deny log on as a service".
399
400           It is possible to add a PAM service name to the default set by
401           using “+service_name”. Since the default set is empty, it is not
402           possible to remove a PAM service name from the default set. For
403           example, in order to add a custom pam service name (e.g.
404           “my_pam_service”), you would use the following configuration:
405
406               ad_gpo_map_service = +my_pam_service
407
408
409           Default: not set
410
411       ad_gpo_map_permit (string)
412           A comma-separated list of PAM service names for which GPO-based
413           access is always granted, regardless of any GPO Logon Rights.
414
415           It is possible to add another PAM service name to the default set
416           by using “+service_name” or to explicitly remove a PAM service name
417           from the default set by using “-service_name”. For example, in
418           order to replace a default PAM service name for unconditionally
419           permitted access (e.g.  “sudo”) with a custom pam service name
420           (e.g.  “my_pam_service”), you would use the following
421           configuration:
422
423               ad_gpo_map_permit = +my_pam_service, -sudo
424
425
426           Default: the default set of PAM service names includes:
427
428           ·   polkit-1
429
430           ·   sudo
431
432           ·   sudo-i
433
434           ·   systemd-user
435
436
437       ad_gpo_map_deny (string)
438           A comma-separated list of PAM service names for which GPO-based
439           access is always denied, regardless of any GPO Logon Rights.
440
441           It is possible to add a PAM service name to the default set by
442           using “+service_name”. Since the default set is empty, it is not
443           possible to remove a PAM service name from the default set. For
444           example, in order to add a custom pam service name (e.g.
445           “my_pam_service”), you would use the following configuration:
446
447               ad_gpo_map_deny = +my_pam_service
448
449
450           Default: not set
451
452       ad_gpo_default_right (string)
453           This option defines how access control is evaluated for PAM service
454           names that are not explicitly listed in one of the ad_gpo_map_*
455           options. This option can be set in two different manners. First,
456           this option can be set to use a default logon right. For example,
457           if this option is set to 'interactive', it means that unmapped PAM
458           service names will be processed based on the InteractiveLogonRight
459           and DenyInteractiveLogonRight policy settings. Alternatively, this
460           option can be set to either always permit or always deny access for
461           unmapped PAM service names.
462
463           Supported values for this option include:
464
465           ·   interactive
466
467           ·   remote_interactive
468
469           ·   network
470
471           ·   batch
472
473           ·   service
474
475           ·   permit
476
477           ·   deny
478
479           Default: deny
480
481       ad_maximum_machine_account_password_age (integer)
482           SSSD will check once a day if the machine account password is older
483           than the given age in days and try to renew it. A value of 0 will
484           disable the renewal attempt.
485
486           Default: 30 days
487
488       ad_machine_account_password_renewal_opts (string)
489           This option should only be used to test the machine account renewal
490           task. The option expects 2 integers separated by a colon (':'). The
491           first integer defines the interval in seconds how often the task is
492           run. The second specifies the initial timeout in seconds before the
493           task is run for the first time after startup.
494
495           Default: 86400:750 (24h and 15m)
496
497       dyndns_update (boolean)
498           Optional. This option tells SSSD to automatically update the Active
499           Directory DNS server with the IP address of this client. The update
500           is secured using GSS-TSIG. As a consequence, the Active Directory
501           administrator only needs to allow secure updates for the DNS zone.
502           The IP address of the AD LDAP connection is used for the updates,
503           if it is not otherwise specified by using the “dyndns_iface”
504           option.
505
506           NOTE: On older systems (such as RHEL 5), for this behavior to work
507           reliably, the default Kerberos realm must be set properly in
508           /etc/krb5.conf
509
510           Default: true
511
512       dyndns_ttl (integer)
513           The TTL to apply to the client DNS record when updating it. If
514           dyndns_update is false this has no effect. This will override the
515           TTL serverside if set by an administrator.
516
517           Default: 3600 (seconds)
518
519       dyndns_iface (string)
520           Optional. Applicable only when dyndns_update is true. Choose the
521           interface or a list of interfaces whose IP addresses should be used
522           for dynamic DNS updates. Special value “*” implies that IPs from
523           all interfaces should be used.
524
525           Default: Use the IP addresses of the interface which is used for AD
526           LDAP connection
527
528           Example: dyndns_iface = em1, vnet1, vnet2
529
530       dyndns_refresh_interval (integer)
531           How often should the back end perform periodic DNS update in
532           addition to the automatic update performed when the back end goes
533           online. This option is optional and applicable only when
534           dyndns_update is true. Note that the lowest possible value is 60
535           seconds in-case if value is provided less than 60, parameter will
536           assume lowest value only.
537
538           Default: 86400 (24 hours)
539
540       dyndns_update_ptr (bool)
541           Whether the PTR record should also be explicitly updated when
542           updating the client's DNS records. Applicable only when
543           dyndns_update is true.
544
545           Default: True
546
547       dyndns_force_tcp (bool)
548           Whether the nsupdate utility should default to using TCP for
549           communicating with the DNS server.
550
551           Default: False (let nsupdate choose the protocol)
552
553       dyndns_auth (string)
554           Whether the nsupdate utility should use GSS-TSIG authentication for
555           secure updates with the DNS server, insecure updates can be sent by
556           setting this option to 'none'.
557
558           Default: GSS-TSIG
559
560       dyndns_server (string)
561           The DNS server to use when performing a DNS update. In most setups,
562           it's recommended to leave this option unset.
563
564           Setting this option makes sense for environments where the DNS
565           server is different from the identity server.
566
567           Please note that this option will be only used in fallback attempt
568           when previous attempt using autodetected settings failed.
569
570           Default: None (let nsupdate choose the server)
571
572       dyndns_update_per_family (boolean)
573           DNS update is by default performed in two steps - IPv4 update and
574           then IPv6 update. In some cases it might be desirable to perform
575           IPv4 and IPv6 update in single step.
576
577           Default: true
578
579       override_homedir (string)
580           Override the user's home directory. You can either provide an
581           absolute value or a template. In the template, the following
582           sequences are substituted:
583
584           %u
585               login name
586
587           %U
588               UID number
589
590           %d
591               domain name
592
593           %f
594               fully qualified user name (user@domain)
595
596           %l
597               The first letter of the login name.
598
599           %P
600               UPN - User Principal Name (name@REALM)
601
602           %o
603               The original home directory retrieved from the identity
604               provider.
605
606           %H
607               The value of configure option homedir_substring.
608
609           %%
610               a literal '%'
611
612           This option can also be set per-domain.
613
614           example:
615
616               override_homedir = /home/%u
617
618
619           Default: Not set (SSSD will use the value retrieved from LDAP)
620
621       homedir_substring (string)
622           The value of this option will be used in the expansion of the
623           override_homedir option if the template contains the format string
624           %H. An LDAP directory entry can directly contain this template so
625           that this option can be used to expand the home directory path for
626           each client machine (or operating system). It can be set per-domain
627           or globally in the [nss] section. A value specified in a domain
628           section will override one set in the [nss] section.
629
630           Default: /home
631
632       krb5_confd_path (string)
633           Absolute path of a directory where SSSD should place Kerberos
634           configuration snippets.
635
636           To disable the creation of the configuration snippets set the
637           parameter to 'none'.
638
639           Default: not set (krb5.include.d subdirectory of SSSD's pubconf
640           directory)
641

MODIFIED DEFAULT OPTIONS

643       Certain option defaults do not match their respective backend provider
644       defaults, these option names and AD provider-specific defaults are
645       listed below:
646
647   KRB5 Provider
648       ·   krb5_validate = true
649
650       ·   krb5_use_enterprise_principal = true
651
652   LDAP Provider
653       ·   ldap_schema = ad
654
655       ·   ldap_force_upper_case_realm = true
656
657       ·   ldap_id_mapping = true
658
659       ·   ldap_sasl_mech = gssapi
660
661       ·   ldap_referrals = false
662
663       ·   ldap_account_expire_policy = ad
664
665       ·   ldap_use_tokengroups = true
666
667       ·   ldap_sasl_authid = sAMAccountName@REALM (typically
668           SHORTNAME$@REALM)
669
670           The AD provider looks for a different principal than the LDAP
671           provider by default, because in an Active Directory environment the
672           principals are divided into two groups - User Principals and
673           Service Principals. Only User Principal can be used to obtain a TGT
674           and by default, computer object's principal is constructed from its
675           sAMAccountName and the AD realm. The well-known host/hostname@REALM
676           principal is a Service Principal and thus cannot be used to get a
677           TGT with.
678
679   NSS configuration
680       ·   fallback_homedir = /home/%d/%u
681
682           The AD provider automatically sets "fallback_homedir = /home/%d/%u"
683           to provide personal home directories for users without the
684           homeDirectory attribute. If your AD Domain is properly populated
685           with Posix attributes, and you want to avoid this fallback
686           behavior, you can explicitly set "fallback_homedir = %o".
687

FAILOVER

689       The failover feature allows back ends to automatically switch to a
690       different server if the current server fails.
691
692   Failover Syntax
693       The list of servers is given as a comma-separated list; any number of
694       spaces is allowed around the comma. The servers are listed in order of
695       preference. The list can contain any number of servers.
696
697       For each failover-enabled config option, two variants exist: primary
698       and backup. The idea is that servers in the primary list are preferred
699       and backup servers are only searched if no primary servers can be
700       reached. If a backup server is selected, a timeout of 31 seconds is
701       set. After this timeout SSSD will periodically try to reconnect to one
702       of the primary servers. If it succeeds, it will replace the current
703       active (backup) server.
704
705   The Failover Mechanism
706       The failover mechanism distinguishes between a machine and a service.
707       The back end first tries to resolve the hostname of a given machine; if
708       this resolution attempt fails, the machine is considered offline. No
709       further attempts are made to connect to this machine for any other
710       service. If the resolution attempt succeeds, the back end tries to
711       connect to a service on this machine. If the service connection attempt
712       fails, then only this particular service is considered offline and the
713       back end automatically switches over to the next service. The machine
714       is still considered online and might still be tried for another
715       service.
716
717       Further connection attempts are made to machines or services marked as
718       offline after a specified period of time; this is currently hard coded
719       to 30 seconds.
720
721       If there are no more machines to try, the back end as a whole switches
722       to offline mode, and then attempts to reconnect every 30 seconds.
723
724   Failover time outs and tuning
725       Resolving a server to connect to can be as simple as running a single
726       DNS query or can involve several steps, such as finding the correct
727       site or trying out multiple host names in case some of the configured
728       servers are not reachable. The more complex scenarios can take some
729       time and SSSD needs to balance between providing enough time to finish
730       the resolution process but on the other hand, not trying for too long
731       before falling back to offline mode. If the SSSD debug logs show that
732       the server resolution is timing out before a live server is contacted,
733       you can consider changing the time outs.
734
735       This section lists the available tunables. Please refer to their
736       description in the sssd.conf(5), manual page.
737
738       dns_resolver_op_timeout
739           How long would SSSD talk to a single DNS server.
740
741       dns_resolver_timeout
742           How long would SSSD try to resolve a failover service. This service
743           resolution internally might include several steps, such as
744           resolving DNS SRV queries or locating the site.
745
746       For LDAP-based providers, the resolve operation is performed as part of
747       an LDAP connection operation. Therefore, also the “ldap_opt_timeout>”
748       timeout should be set to a larger value than “dns_resolver_timeout”
749       which in turn should be set to a larger value than
750       “dns_resolver_op_timeout”.
751

SERVICE DISCOVERY

753       The service discovery feature allows back ends to automatically find
754       the appropriate servers to connect to using a special DNS query. This
755       feature is not supported for backup servers.
756
757   Configuration
758       If no servers are specified, the back end automatically uses service
759       discovery to try to find a server. Optionally, the user may choose to
760       use both fixed server addresses and service discovery by inserting a
761       special keyword, “_srv_”, in the list of servers. The order of
762       preference is maintained. This feature is useful if, for example, the
763       user prefers to use service discovery whenever possible, and fall back
764       to a specific server when no servers can be discovered using DNS.
765
766   The domain name
767       Please refer to the “dns_discovery_domain” parameter in the
768       sssd.conf(5) manual page for more details.
769
770   The protocol
771       The queries usually specify _tcp as the protocol. Exceptions are
772       documented in respective option description.
773
774   See Also
775       For more information on the service discovery mechanism, refer to RFC
776       2782.
777

ID MAPPING

779       The ID-mapping feature allows SSSD to act as a client of Active
780       Directory without requiring administrators to extend user attributes to
781       support POSIX attributes for user and group identifiers.
782
783       NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
784       attributes are ignored. This is to avoid the possibility of conflicts
785       between automatically-assigned and manually-assigned values. If you
786       need to use manually-assigned values, ALL values must be
787       manually-assigned.
788
789       Please note that changing the ID mapping related configuration options
790       will cause user and group IDs to change. At the moment, SSSD does not
791       support changing IDs, so the SSSD database must be removed. Because
792       cached passwords are also stored in the database, removing the database
793       should only be performed while the authentication servers are
794       reachable, otherwise users might get locked out. In order to cache the
795       password, an authentication must be performed. It is not sufficient to
796       use sss_cache(8) to remove the database, rather the process consists
797       of:
798
799       ·   Making sure the remote servers are reachable
800
801       ·   Stopping the SSSD service
802
803       ·   Removing the database
804
805       ·   Starting the SSSD service
806
807       Moreover, as the change of IDs might necessitate the adjustment of
808       other system properties such as file and directory ownership, it's
809       advisable to plan ahead and test the ID mapping configuration
810       thoroughly.
811
812   Mapping Algorithm
813       Active Directory provides an objectSID for every user and group object
814       in the directory. This objectSID can be broken up into components that
815       represent the Active Directory domain identity and the relative
816       identifier (RID) of the user or group object.
817
818       The SSSD ID-mapping algorithm takes a range of available UIDs and
819       divides it into equally-sized component sections - called "slices"-.
820       Each slice represents the space available to an Active Directory
821       domain.
822
823       When a user or group entry for a particular domain is encountered for
824       the first time, the SSSD allocates one of the available slices for that
825       domain. In order to make this slice-assignment repeatable on different
826       client machines, we select the slice based on the following algorithm:
827
828       The SID string is passed through the murmurhash3 algorithm to convert
829       it to a 32-bit hashed value. We then take the modulus of this value
830       with the total number of available slices to pick the slice.
831
832       NOTE: It is possible to encounter collisions in the hash and subsequent
833       modulus. In these situations, we will select the next available slice,
834       but it may not be possible to reproduce the same exact set of slices on
835       other machines (since the order that they are encountered will
836       determine their slice). In this situation, it is recommended to either
837       switch to using explicit POSIX attributes in Active Directory
838       (disabling ID-mapping) or configure a default domain to guarantee that
839       at least one is always consistent. See “Configuration” for details.
840
841   Configuration
842       Minimum configuration (in the “[domain/DOMAINNAME]” section):
843
844           ldap_id_mapping = True
845           ldap_schema = ad
846
847       The default configuration results in configuring 10,000 slices, each
848       capable of holding up to 200,000 IDs, starting from 200,000 and going
849       up to 2,000,200,000. This should be sufficient for most deployments.
850
851       Advanced Configuration
852           ldap_idmap_range_min (integer)
853               Specifies the lower bound of the range of POSIX IDs to use for
854               mapping Active Directory user and group SIDs.
855
856               NOTE: This option is different from “min_id” in that “min_id”
857               acts to filter the output of requests to this domain, whereas
858               this option controls the range of ID assignment. This is a
859               subtle distinction, but the good general advice would be to
860               have “min_id” be less-than or equal to “ldap_idmap_range_min”
861
862               Default: 200000
863
864           ldap_idmap_range_max (integer)
865               Specifies the upper bound of the range of POSIX IDs to use for
866               mapping Active Directory user and group SIDs.
867
868               NOTE: This option is different from “max_id” in that “max_id”
869               acts to filter the output of requests to this domain, whereas
870               this option controls the range of ID assignment. This is a
871               subtle distinction, but the good general advice would be to
872               have “max_id” be greater-than or equal to
873               “ldap_idmap_range_max”
874
875               Default: 2000200000
876
877           ldap_idmap_range_size (integer)
878               Specifies the number of IDs available for each slice. If the
879               range size does not divide evenly into the min and max values,
880               it will create as many complete slices as it can.
881
882               NOTE: The value of this option must be at least as large as the
883               highest user RID planned for use on the Active Directory
884               server. User lookups and login will fail for any user whose RID
885               is greater than this value.
886
887               For example, if your most recently-added Active Directory user
888               has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
889               “ldap_idmap_range_size” must be at least 1108 as range size is
890               equal to maximal SID minus minimal SID plus one (e.g. 1108 =
891               1107 - 0 + 1).
892
893               It is important to plan ahead for future expansion, as changing
894               this value will result in changing all of the ID mappings on
895               the system, leading to users with different local IDs than they
896               previously had.
897
898               Default: 200000
899
900           ldap_idmap_default_domain_sid (string)
901               Specify the domain SID of the default domain. This will
902               guarantee that this domain will always be assigned to slice
903               zero in the ID map, bypassing the murmurhash algorithm
904               described above.
905
906               Default: not set
907
908           ldap_idmap_default_domain (string)
909               Specify the name of the default domain.
910
911               Default: not set
912
913           ldap_idmap_autorid_compat (boolean)
914               Changes the behavior of the ID-mapping algorithm to behave more
915               similarly to winbind's “idmap_autorid” algorithm.
916
917               When this option is configured, domains will be allocated
918               starting with slice zero and increasing monatomically with each
919               additional domain.
920
921               NOTE: This algorithm is non-deterministic (it depends on the
922               order that users and groups are requested). If this mode is
923               required for compatibility with machines running winbind, it is
924               recommended to also use the “ldap_idmap_default_domain_sid”
925               option to guarantee that at least one domain is consistently
926               allocated to slice zero.
927
928               Default: False
929
930           ldap_idmap_helper_table_size (integer)
931               Maximal number of secondary slices that is tried when
932               performing mapping from UNIX id to SID.
933
934               Note: Additional secondary slices might be generated when SID
935               is being mapped to UNIX id and RID part of SID is out of range
936               for secondary slices generated so far. If value of
937               ldap_idmap_helper_table_size is equal to 0 then no additional
938               secondary slices are generated.
939
940               Default: 10
941
942   Well-Known SIDs
943       SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a
944       special hardcoded meaning. Since the generic users and groups related
945       to those Well-Known SIDs have no equivalent in a Linux/UNIX environment
946       no POSIX IDs are available for those objects.
947
948       The SID name space is organized in authorities which can be seen as
949       different domains. The authorities for the Well-Known SIDs are
950
951       ·   Null Authority
952
953       ·   World Authority
954
955       ·   Local Authority
956
957       ·   Creator Authority
958
959       ·   NT Authority
960
961       ·   Built-in
962
963       The capitalized version of these names are used as domain names when
964       returning the fully qualified name of a Well-Known SID.
965
966       Since some utilities allow to modify SID based access control
967       information with the help of a name instead of using the SID directly
968       SSSD supports to look up the SID by the name as well. To avoid
969       collisions only the fully qualified names can be used to look up
970       Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
971       AUTHORITY”, “ LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
972       “BUILTIN” should not be used as domain names in sssd.conf.
973

EXAMPLE

975       The following example assumes that SSSD is correctly configured and
976       example.com is one of the domains in the [sssd] section. This example
977       shows only the AD provider-specific options.
978
979           [domain/EXAMPLE]
980           id_provider = ad
981           auth_provider = ad
982           access_provider = ad
983           chpass_provider = ad
984
985           ad_server = dc1.example.com
986           ad_hostname = client.example.com
987           ad_domain = example.com
988
989

NOTES

991       The AD access control provider checks if the account is expired. It has
992       the same effect as the following configuration of the LDAP provider:
993
994           access_provider = ldap
995           ldap_access_order = expire
996           ldap_account_expire_policy = ad
997
998       However, unless the “ad” access control provider is explicitly
999       configured, the default access provider is “permit”. Please note that
1000       if you configure an access provider other than “ad”, you need to set
1001       all the connection parameters (such as LDAP URIs and encryption
1002       details) manually.
1003
1004       When the autofs provider is set to “ad”, the RFC2307 schema attribute
1005       mapping (nisMap, nisObject, ...) is used, because these attributes are
1006       included in the default Active Directory schema.
1007

SEE ALSO

1009       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1010       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
1011       recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
1012       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1013       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
1014       sssd-systemtap(5)
1015

AUTHORS

1017       The SSSD upstream - https://pagure.io/SSSD/sssd/
1018

NOTES

1020        1. [MS-ADTS] section LDAP extensions
1021           https://msdn.microsoft.com/en-us/library/cc223367.aspx
1022
1023
1024
1025SSSD                              03/28/2019                        SSSD-AD(5)
Impressum