1SSSD-AD(5) File Formats and Conventions SSSD-AD(5)
2
3
4
6 sssd-ad - SSSD Active Directory provider
7
9 This manual page describes the configuration of the AD provider for
10 sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT”
11 section of the sssd.conf(5) manual page.
12
13 The AD provider is a back end used to connect to an Active Directory
14 server. This provider requires that the machine be joined to the AD
15 domain and a keytab is available. Back end communication occurs over a
16 GSSAPI-encrypted channel, SSL/TLS options should not be used with the
17 AD provider and will be superseded by Kerberos usage.
18
19 The AD provider supports connecting to Active Directory 2008 R2 or
20 later. Earlier versions may work, but are unsupported.
21
22 The AD provider can be used to get user information and authenticate
23 users from trusted domains. Currently only trusted domains in the same
24 forest are recognized. In addition servers from trusted domains are
25 always auto-discovered.
26
27 The AD provider enables SSSD to use the sssd-ldap(5) identity provider
28 and the sssd-krb5(5) authentication provider with optimizations for
29 Active Directory environments. The AD provider accepts the same options
30 used by the sssd-ldap and sssd-krb5 providers with some exceptions.
31 However, it is neither necessary nor recommended to set these options.
32
33 The AD provider primarily copies the traditional ldap and krb5 provider
34 default options with some exceptions, the differences are listed in the
35 “MODIFIED DEFAULT OPTIONS” section.
36
37 The AD provider can also be used as an access, chpass, sudo and autofs
38 provider. No configuration of the access provider is required on the
39 client side.
40
41 If “auth_provider=ad” or “access_provider=ad” is configured in
42 sssd.conf then the id_provider must also be set to “ad”.
43
44 By default, the AD provider will map UID and GID values from the
45 objectSID parameter in Active Directory. For details on this, see the
46 “ID MAPPING” section below. If you want to disable ID mapping and
47 instead rely on POSIX attributes defined in Active Directory, you
48 should set
49
50 ldap_id_mapping = False
51
52
53 If POSIX attributes should be used, it is recommended for performance
54 reasons that the attributes are also replicated to the Global Catalog.
55 If POSIX attributes are replicated, SSSD will attempt to locate the
56 domain of a requested numerical ID with the help of the Global Catalog
57 and only search that domain. In contrast, if POSIX attributes are not
58 replicated to the Global Catalog, SSSD must search all the domains in
59 the forest sequentially. Please note that the “cache_first” option
60 might be also helpful in speeding up domainless searches. Note that if
61 only a subset of POSIX attributes is present in the Global Catalog, the
62 non-replicated attributes are currently not read from the LDAP port.
63
64 Users, groups and other entities served by SSSD are always treated as
65 case-insensitive in the AD provider for compatibility with Active
66 Directory's LDAP implementation.
67
69 Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
70 for details on the configuration of an SSSD domain.
71
72 ad_domain (string)
73 Specifies the name of the Active Directory domain. This is
74 optional. If not provided, the configuration domain name is used.
75
76 For proper operation, this option should be specified as the
77 lower-case version of the long version of the Active Directory
78 domain.
79
80 The short domain name (also known as the NetBIOS or the flat name)
81 is autodetected by the SSSD.
82
83 ad_enabled_domains (string)
84 A comma-separated list of enabled Active Directory domains. If
85 provided, SSSD will ignore any domains not listed in this option.
86 If left unset, all domains from the AD forest will be available.
87
88 For proper operation, this option must be specified in all
89 lower-case and as the fully qualified domain name of the Active
90 Directory domain. For example:
91
92 ad_enabled_domains = sales.example.com, eng.example.com
93
94
95 The short domain name (also known as the NetBIOS or the flat name)
96 will be autodetected by SSSD.
97
98 Default: Not set
99
100 ad_server, ad_backup_server (string)
101 The comma-separated list of hostnames of the AD servers to which
102 SSSD should connect in order of preference. For more information on
103 failover and server redundancy, see the “FAILOVER” section.
104
105 This is optional if autodiscovery is enabled. For more information
106 on service discovery, refer to the “SERVICE DISCOVERY” section.
107
108 Note: Trusted domains will always auto-discover servers even if the
109 primary server is explicitly defined in the ad_server option.
110
111 ad_hostname (string)
112 Optional. On machines where the hostname(5) does not reflect the
113 fully qualified name, sssd will try to expand the short name. If it
114 is not possible or the short name should be really used instead,
115 set this parameter explicitly.
116
117 This field is used to determine the host principal in use in the
118 keytab and to perform dynamic DNS updates. It must match the
119 hostname for which the keytab was issued.
120
121 ad_enable_dns_sites (boolean)
122 Enables DNS sites - location based service discovery.
123
124 If true and service discovery (see Service Discovery paragraph at
125 the bottom of the man page) is enabled, the SSSD will first attempt
126 to discover the Active Directory server to connect to using the
127 Active Directory Site Discovery and fall back to the DNS SRV
128 records if no AD site is found. The DNS SRV configuration,
129 including the discovery domain, is used during site discovery as
130 well.
131
132 Default: true
133
134 ad_access_filter (string)
135 This option specifies LDAP access control filter that the user must
136 match in order to be allowed access. Please note that the
137 “access_provider” option must be explicitly set to “ad” in order
138 for this option to have an effect.
139
140 The option also supports specifying different filters per domain or
141 forest. This extended filter would consist of:
142 “KEYWORD:NAME:FILTER”. The keyword can be either “DOM”, “FOREST” or
143 missing.
144
145 If the keyword equals to “DOM” or is missing, then “NAME” specifies
146 the domain or subdomain the filter applies to. If the keyword
147 equals to “FOREST”, then the filter equals to all domains from the
148 forest specified by “NAME”.
149
150 Multiple filters can be separated with the “?” character,
151 similarly to how search bases work.
152
153 Nested group membership must be searched for using a special OID
154 “:1.2.840.113556.1.4.1941:” in addition to the full
155 DOM:domain.example.org: syntax to ensure the parser does not
156 attempt to interpret the colon characters associated with the OID.
157 If you do not use this OID then nested group membership will not be
158 resolved. See usage example below and refer here for further
159 information about the OID: [MS-ADTS] section LDAP extensions[1]
160
161 The most specific match is always used. For example, if the option
162 specified filter for a domain the user is a member of and a global
163 filter, the per-domain filter would be applied. If there are more
164 matches with the same specification, the first one is used.
165
166 Examples:
167
168 # apply filter on domain called dom1 only:
169 dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
170
171 # apply filter on domain called dom2 only:
172 DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
173
174 # apply filter on forest called EXAMPLE.COM only:
175 FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
176
177 # apply filter for a member of a nested group in dom1:
178 DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
179
180
181 Default: Not set
182
183 ad_site (string)
184 Specify AD site to which client should try to connect. If this
185 option is not provided, the AD site will be auto-discovered.
186
187 Default: Not set
188
189 ad_enable_gc (boolean)
190 By default, the SSSD connects to the Global Catalog first to
191 retrieve users from trusted domains and uses the LDAP port to
192 retrieve group memberships or as a fallback. Disabling this option
193 makes the SSSD only connect to the LDAP port of the current AD
194 server.
195
196 Please note that disabling Global Catalog support does not disable
197 retrieving users from trusted domains. The SSSD would connect to
198 the LDAP port of trusted domains instead. However, Global Catalog
199 must be used in order to resolve cross-domain group memberships.
200
201 Default: true
202
203 ad_gpo_access_control (string)
204 This option specifies the operation mode for GPO-based access
205 control functionality: whether it operates in disabled mode,
206 enforcing mode, or permissive mode. Please note that the
207 “access_provider” option must be explicitly set to “ad” in order
208 for this option to have an effect.
209
210 GPO-based access control functionality uses GPO policy settings to
211 determine whether or not a particular user is allowed to logon to
212 the host. For more information on the supported policy settings
213 please refer to the “ad_gpo_map” options.
214
215 Please note that current version of SSSD does not support Active
216 Directory's built-in groups. Built-in groups (such as
217 Administrators with SID S-1-5-32-544) in GPO access control rules
218 will be ignored by SSSD. See upstream issue tracker
219 https://github.com/SSSD/sssd/issues/5063 .
220
221 Before performing access control SSSD applies group policy security
222 filtering on the GPOs. For every single user login, the
223 applicability of the GPOs that are linked to the host is checked.
224 In order for a GPO to apply to a user, the user or at least one of
225 the groups to which it belongs must have following permissions on
226 the GPO:
227
228 · Read: The user or one of its groups must have read access to
229 the properties of the GPO (RIGHT_DS_READ_PROPERTY)
230
231 · Apply Group Policy: The user or at least one of its groups must
232 be allowed to apply the GPO (RIGHT_DS_CONTROL_ACCESS).
233
234 By default, the Authenticated Users group is present on a GPO and
235 this group has both Read and Apply Group Policy access rights.
236 Since authentication of a user must have been completed
237 successfully before GPO security filtering and access control are
238 started, the Authenticated Users group permissions on the GPO
239 always apply also to the user.
240
241 NOTE: If the operation mode is set to enforcing, it is possible
242 that users that were previously allowed logon access will now be
243 denied logon access (as dictated by the GPO policy settings). In
244 order to facilitate a smooth transition for administrators, a
245 permissive mode is available that will not enforce the access
246 control rules, but will evaluate them and will output a syslog
247 message if access would have been denied. By examining the logs,
248 administrators can then make the necessary changes before setting
249 the mode to enforcing. For logging GPO-based access control debug
250 level 'trace functions' is required (see sssctl(8) manual page).
251
252 There are three supported values for this option:
253
254 · disabled: GPO-based access control rules are neither evaluated
255 nor enforced.
256
257 · enforcing: GPO-based access control rules are evaluated and
258 enforced.
259
260 · permissive: GPO-based access control rules are evaluated, but
261 not enforced. Instead, a syslog message will be emitted
262 indicating that the user would have been denied access if this
263 option's value were set to enforcing.
264
265 Default: enforcing
266
267 ad_gpo_implicit_deny (boolean)
268 Normally when no applicable GPOs are found the users are allowed
269 access. When this option is set to True users will be allowed
270 access only when explicitly allowed by a GPO rule. Otherwise users
271 will be denied access. This can be used to harden security but be
272 careful when using this option because it can deny access even to
273 users in the built-in Administrators group if no GPO rules apply to
274 them.
275
276 Default: False
277
278 The following 2 tables should illustrate when a user is allowed or
279 rejected based on the allow and deny login rights defined on the
280 server-side and the setting of ad_gpo_implicit_deny.
281
282 ┌───────────────────────────────────────────────┐
283 │ad_gpo_implicit_deny = False (default) │
284 ├────────────┬────────────┬─────────────────────┤
285 │allow-rules │ deny-rules │ results │
286 ├────────────┼────────────┼─────────────────────┤
287 │ missing │ missing │ all users are │
288 │ │ │ allowed │
289 ├────────────┼────────────┼─────────────────────┤
290 │ missing │ present │ only users not in │
291 │ │ │ deny-rules are │
292 │ │ │ allowed │
293 ├────────────┼────────────┼─────────────────────┤
294 │ present │ missing │ only users in │
295 │ │ │ allow-rules are │
296 │ │ │ allowed │
297 ├────────────┼────────────┼─────────────────────┤
298 │ present │ present │ only users in │
299 │ │ │ allow-rules and not │
300 │ │ │ in deny-rules are │
301 │ │ │ allowed │
302 └────────────┴────────────┴─────────────────────┘
303
304 ┌───────────────────────────────────────────────┐
305 │ad_gpo_implicit_deny = True │
306 ├────────────┬────────────┬─────────────────────┤
307 │allow-rules │ deny-rules │ results │
308 ├────────────┼────────────┼─────────────────────┤
309 │ missing │ missing │ no users are │
310 │ │ │ allowed │
311 ├────────────┼────────────┼─────────────────────┤
312 │ missing │ present │ no users are │
313 │ │ │ allowed │
314 ├────────────┼────────────┼─────────────────────┤
315 │ present │ missing │ only users in │
316 │ │ │ allow-rules are │
317 │ │ │ allowed │
318 ├────────────┼────────────┼─────────────────────┤
319 │ present │ present │ only users in │
320 │ │ │ allow-rules and not │
321 │ │ │ in deny-rules are │
322 │ │ │ allowed │
323 └────────────┴────────────┴─────────────────────┘
324
325 ad_gpo_ignore_unreadable (boolean)
326 Normally when some group policy containers (AD object) of
327 applicable group policy objects are not readable by SSSD then users
328 are denied access. This option allows to ignore group policy
329 containers and with them associated policies if their attributes in
330 group policy containers are not readable for SSSD.
331
332 Default: False
333
334 ad_gpo_cache_timeout (integer)
335 The amount of time between lookups of GPO policy files against the
336 AD server. This will reduce the latency and load on the AD server
337 if there are many access-control requests made in a short period.
338
339 Default: 5 (seconds)
340
341 ad_gpo_map_interactive (string)
342 A comma-separated list of PAM service names for which GPO-based
343 access control is evaluated based on the InteractiveLogonRight and
344 DenyInteractiveLogonRight policy settings. Only those GPOs are
345 evaluated for which the user has Read and Apply Group Policy
346 permission (see option “ad_gpo_access_control”). If an evaluated
347 GPO contains the deny interactive logon setting for the user or one
348 of its groups, the user is denied local access. If none of the
349 evaluated GPOs has an interactive logon right defined, the user is
350 granted local access. If at least one evaluated GPO contains
351 interactive logon right settings, the user is granted local access
352 only, if it or at least one of its groups is part of the policy
353 settings.
354
355 Note: Using the Group Policy Management Editor this value is called
356 "Allow log on locally" and "Deny log on locally".
357
358 It is possible to add another PAM service name to the default set
359 by using “+service_name” or to explicitly remove a PAM service name
360 from the default set by using “-service_name”. For example, in
361 order to replace a default PAM service name for this logon right
362 (e.g. “login”) with a custom pam service name (e.g.
363 “my_pam_service”), you would use the following configuration:
364
365 ad_gpo_map_interactive = +my_pam_service, -login
366
367
368 Default: the default set of PAM service names includes:
369
370 · login
371
372 · su
373
374 · su-l
375
376 · gdm-fingerprint
377
378 · gdm-password
379
380 · gdm-smartcard
381
382 · kdm
383
384 · lightdm
385
386 · lxdm
387
388 · sddm
389
390 · unity
391
392 · xdm
393
394
395 ad_gpo_map_remote_interactive (string)
396 A comma-separated list of PAM service names for which GPO-based
397 access control is evaluated based on the
398 RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight
399 policy settings. Only those GPOs are evaluated for which the user
400 has Read and Apply Group Policy permission (see option
401 “ad_gpo_access_control”). If an evaluated GPO contains the deny
402 remote logon setting for the user or one of its groups, the user is
403 denied remote interactive access. If none of the evaluated GPOs has
404 a remote interactive logon right defined, the user is granted
405 remote access. If at least one evaluated GPO contains remote
406 interactive logon right settings, the user is granted remote access
407 only, if it or at least one of its groups is part of the policy
408 settings.
409
410 Note: Using the Group Policy Management Editor this value is called
411 "Allow log on through Remote Desktop Services" and "Deny log on
412 through Remote Desktop Services".
413
414 It is possible to add another PAM service name to the default set
415 by using “+service_name” or to explicitly remove a PAM service name
416 from the default set by using “-service_name”. For example, in
417 order to replace a default PAM service name for this logon right
418 (e.g. “sshd”) with a custom pam service name (e.g.
419 “my_pam_service”), you would use the following configuration:
420
421 ad_gpo_map_remote_interactive = +my_pam_service, -sshd
422
423
424 Default: the default set of PAM service names includes:
425
426 · sshd
427
428 · cockpit
429
430
431 ad_gpo_map_network (string)
432 A comma-separated list of PAM service names for which GPO-based
433 access control is evaluated based on the NetworkLogonRight and
434 DenyNetworkLogonRight policy settings. Only those GPOs are
435 evaluated for which the user has Read and Apply Group Policy
436 permission (see option “ad_gpo_access_control”). If an evaluated
437 GPO contains the deny network logon setting for the user or one of
438 its groups, the user is denied network logon access. If none of the
439 evaluated GPOs has a network logon right defined, the user is
440 granted logon access. If at least one evaluated GPO contains
441 network logon right settings, the user is granted logon access
442 only, if it or at least one of its groups is part of the policy
443 settings.
444
445 Note: Using the Group Policy Management Editor this value is called
446 "Access this computer from the network" and "Deny access to this
447 computer from the network".
448
449 It is possible to add another PAM service name to the default set
450 by using “+service_name” or to explicitly remove a PAM service name
451 from the default set by using “-service_name”. For example, in
452 order to replace a default PAM service name for this logon right
453 (e.g. “ftp”) with a custom pam service name (e.g.
454 “my_pam_service”), you would use the following configuration:
455
456 ad_gpo_map_network = +my_pam_service, -ftp
457
458
459 Default: the default set of PAM service names includes:
460
461 · ftp
462
463 · samba
464
465
466 ad_gpo_map_batch (string)
467 A comma-separated list of PAM service names for which GPO-based
468 access control is evaluated based on the BatchLogonRight and
469 DenyBatchLogonRight policy settings. Only those GPOs are evaluated
470 for which the user has Read and Apply Group Policy permission (see
471 option “ad_gpo_access_control”). If an evaluated GPO contains the
472 deny batch logon setting for the user or one of its groups, the
473 user is denied batch logon access. If none of the evaluated GPOs
474 has a batch logon right defined, the user is granted logon access.
475 If at least one evaluated GPO contains batch logon right settings,
476 the user is granted logon access only, if it or at least one of its
477 groups is part of the policy settings.
478
479 Note: Using the Group Policy Management Editor this value is called
480 "Allow log on as a batch job" and "Deny log on as a batch job".
481
482 It is possible to add another PAM service name to the default set
483 by using “+service_name” or to explicitly remove a PAM service name
484 from the default set by using “-service_name”. For example, in
485 order to replace a default PAM service name for this logon right
486 (e.g. “crond”) with a custom pam service name (e.g.
487 “my_pam_service”), you would use the following configuration:
488
489 ad_gpo_map_batch = +my_pam_service, -crond
490
491
492 Note: Cron service name may differ depending on Linux distribution
493 used.
494
495 Default: the default set of PAM service names includes:
496
497 · crond
498
499
500 ad_gpo_map_service (string)
501 A comma-separated list of PAM service names for which GPO-based
502 access control is evaluated based on the ServiceLogonRight and
503 DenyServiceLogonRight policy settings. Only those GPOs are
504 evaluated for which the user has Read and Apply Group Policy
505 permission (see option “ad_gpo_access_control”). If an evaluated
506 GPO contains the deny service logon setting for the user or one of
507 its groups, the user is denied service logon access. If none of the
508 evaluated GPOs has a service logon right defined, the user is
509 granted logon access. If at least one evaluated GPO contains
510 service logon right settings, the user is granted logon access
511 only, if it or at least one of its groups is part of the policy
512 settings.
513
514 Note: Using the Group Policy Management Editor this value is called
515 "Allow log on as a service" and "Deny log on as a service".
516
517 It is possible to add a PAM service name to the default set by
518 using “+service_name”. Since the default set is empty, it is not
519 possible to remove a PAM service name from the default set. For
520 example, in order to add a custom pam service name (e.g.
521 “my_pam_service”), you would use the following configuration:
522
523 ad_gpo_map_service = +my_pam_service
524
525
526 Default: not set
527
528 ad_gpo_map_permit (string)
529 A comma-separated list of PAM service names for which GPO-based
530 access is always granted, regardless of any GPO Logon Rights.
531
532 It is possible to add another PAM service name to the default set
533 by using “+service_name” or to explicitly remove a PAM service name
534 from the default set by using “-service_name”. For example, in
535 order to replace a default PAM service name for unconditionally
536 permitted access (e.g. “sudo”) with a custom pam service name
537 (e.g. “my_pam_service”), you would use the following
538 configuration:
539
540 ad_gpo_map_permit = +my_pam_service, -sudo
541
542
543 Default: the default set of PAM service names includes:
544
545 · polkit-1
546
547 · sudo
548
549 · sudo-i
550
551 · systemd-user
552
553
554 ad_gpo_map_deny (string)
555 A comma-separated list of PAM service names for which GPO-based
556 access is always denied, regardless of any GPO Logon Rights.
557
558 It is possible to add a PAM service name to the default set by
559 using “+service_name”. Since the default set is empty, it is not
560 possible to remove a PAM service name from the default set. For
561 example, in order to add a custom pam service name (e.g.
562 “my_pam_service”), you would use the following configuration:
563
564 ad_gpo_map_deny = +my_pam_service
565
566
567 Default: not set
568
569 ad_gpo_default_right (string)
570 This option defines how access control is evaluated for PAM service
571 names that are not explicitly listed in one of the ad_gpo_map_*
572 options. This option can be set in two different manners. First,
573 this option can be set to use a default logon right. For example,
574 if this option is set to 'interactive', it means that unmapped PAM
575 service names will be processed based on the InteractiveLogonRight
576 and DenyInteractiveLogonRight policy settings. Alternatively, this
577 option can be set to either always permit or always deny access for
578 unmapped PAM service names.
579
580 Supported values for this option include:
581
582 · interactive
583
584 · remote_interactive
585
586 · network
587
588 · batch
589
590 · service
591
592 · permit
593
594 · deny
595
596 Default: deny
597
598 ad_maximum_machine_account_password_age (integer)
599 SSSD will check once a day if the machine account password is older
600 than the given age in days and try to renew it. A value of 0 will
601 disable the renewal attempt.
602
603 Default: 30 days
604
605 ad_machine_account_password_renewal_opts (string)
606 This option should only be used to test the machine account renewal
607 task. The option expects 2 integers separated by a colon (':'). The
608 first integer defines the interval in seconds how often the task is
609 run. The second specifies the initial timeout in seconds before the
610 task is run for the first time after startup.
611
612 Default: 86400:750 (24h and 15m)
613
614 ad_update_samba_machine_account_password (boolean)
615 If enabled, when SSSD renews the machine account password, it will
616 also be updated in Samba's database. This prevents Samba's copy of
617 the machine account password from getting out of date when it is
618 set up to use AD for authentication.
619
620 Default: false
621
622 ad_use_ldaps (bool)
623 By default SSSD uses the plain LDAP port 389 and the Global Catalog
624 port 3628. If this option is set to True SSSD will use the LDAPS
625 port 636 and Global Catalog port 3629 with LDAPS protection. Since
626 AD does not allow to have multiple encryption layers on a single
627 connection and we still want to use SASL/GSSAPI or SASL/GSS-SPNEGO
628 for authentication the SASL security property maxssf is set to 0
629 (zero) for those connections.
630
631 Default: False
632
633 ad_allow_remote_domain_local_groups (boolean)
634 If this option is set to “true” SSSD will not filter out Domain
635 Local groups from remote domains in the AD forest. By default they
636 are filtered out e.g. when following a nested group hierarchy in
637 remote domains because they are not valid in the local domain. To
638 be compatible with other solutions which make AD users and groups
639 available on Linux client this option was added.
640
641 Please note that setting this option to “true” will be against the
642 intention of Domain Local group in Active Directory and SHOULD ONLY
643 BE USED TO FACILITATE MIGRATION FROM OTHER SOLUTIONS. Although the
644 group exists and user can be member of the group the intention is
645 that the group should be only used in the domain it is defined and
646 in no others. Since there is only one type of POSIX groups the only
647 way to achieve this on the Linux side is to ignore those groups.
648 This is also done by Active Directory as can be seen in the PAC of
649 the Kerberos ticket for a local service or in tokenGroups requests
650 where remote Domain Local groups are missing as well.
651
652 Given the comments above, if this option is set to “true” the
653 tokenGroups request must be disabled by setting
654 “ldap_use_tokengroups” to “false” to get consistent
655 group-memberships of a users. Additionally the Global Catalog
656 lookup should be skipped as well by setting “ad_enable_gc” to
657 “false”. Finally it might be necessary to modify
658 “ldap_group_nesting_level” if the remote Domain Local groups can
659 only be found with a deeper nesting level.
660
661 Default: False
662
663 dyndns_update (boolean)
664 Optional. This option tells SSSD to automatically update the Active
665 Directory DNS server with the IP address of this client. The update
666 is secured using GSS-TSIG. As a consequence, the Active Directory
667 administrator only needs to allow secure updates for the DNS zone.
668 The IP address of the AD LDAP connection is used for the updates,
669 if it is not otherwise specified by using the “dyndns_iface”
670 option.
671
672 NOTE: On older systems (such as RHEL 5), for this behavior to work
673 reliably, the default Kerberos realm must be set properly in
674 /etc/krb5.conf
675
676 Default: true
677
678 dyndns_ttl (integer)
679 The TTL to apply to the client DNS record when updating it. If
680 dyndns_update is false this has no effect. This will override the
681 TTL serverside if set by an administrator.
682
683 Default: 3600 (seconds)
684
685 dyndns_iface (string)
686 Optional. Applicable only when dyndns_update is true. Choose the
687 interface or a list of interfaces whose IP addresses should be used
688 for dynamic DNS updates. Special value “*” implies that IPs from
689 all interfaces should be used.
690
691 Default: Use the IP addresses of the interface which is used for AD
692 LDAP connection
693
694 Example: dyndns_iface = em1, vnet1, vnet2
695
696 dyndns_refresh_interval (integer)
697 How often should the back end perform periodic DNS update in
698 addition to the automatic update performed when the back end goes
699 online. This option is optional and applicable only when
700 dyndns_update is true. Note that the lowest possible value is 60
701 seconds in-case if value is provided less than 60, parameter will
702 assume lowest value only.
703
704 Default: 86400 (24 hours)
705
706 dyndns_update_ptr (bool)
707 Whether the PTR record should also be explicitly updated when
708 updating the client's DNS records. Applicable only when
709 dyndns_update is true.
710
711 Default: True
712
713 dyndns_force_tcp (bool)
714 Whether the nsupdate utility should default to using TCP for
715 communicating with the DNS server.
716
717 Default: False (let nsupdate choose the protocol)
718
719 dyndns_auth (string)
720 Whether the nsupdate utility should use GSS-TSIG authentication for
721 secure updates with the DNS server, insecure updates can be sent by
722 setting this option to 'none'.
723
724 Default: GSS-TSIG
725
726 dyndns_auth_ptr (string)
727 Whether the nsupdate utility should use GSS-TSIG authentication for
728 secure PTR updates with the DNS server, insecure updates can be
729 sent by setting this option to 'none'.
730
731 Default: Same as dyndns_auth
732
733 dyndns_server (string)
734 The DNS server to use when performing a DNS update. In most setups,
735 it's recommended to leave this option unset.
736
737 Setting this option makes sense for environments where the DNS
738 server is different from the identity server.
739
740 Please note that this option will be only used in fallback attempt
741 when previous attempt using autodetected settings failed.
742
743 Default: None (let nsupdate choose the server)
744
745 dyndns_update_per_family (boolean)
746 DNS update is by default performed in two steps - IPv4 update and
747 then IPv6 update. In some cases it might be desirable to perform
748 IPv4 and IPv6 update in single step.
749
750 Default: true
751
752 override_homedir (string)
753 Override the user's home directory. You can either provide an
754 absolute value or a template. In the template, the following
755 sequences are substituted:
756
757 %u
758 login name
759
760 %U
761 UID number
762
763 %d
764 domain name
765
766 %f
767 fully qualified user name (user@domain)
768
769 %l
770 The first letter of the login name.
771
772 %P
773 UPN - User Principal Name (name@REALM)
774
775 %o
776 The original home directory retrieved from the identity
777 provider.
778
779 %H
780 The value of configure option homedir_substring.
781
782 %%
783 a literal '%'
784
785 This option can also be set per-domain.
786
787 example:
788
789 override_homedir = /home/%u
790
791
792 Default: Not set (SSSD will use the value retrieved from LDAP)
793
794 homedir_substring (string)
795 The value of this option will be used in the expansion of the
796 override_homedir option if the template contains the format string
797 %H. An LDAP directory entry can directly contain this template so
798 that this option can be used to expand the home directory path for
799 each client machine (or operating system). It can be set per-domain
800 or globally in the [nss] section. A value specified in a domain
801 section will override one set in the [nss] section.
802
803 Default: /home
804
805 krb5_confd_path (string)
806 Absolute path of a directory where SSSD should place Kerberos
807 configuration snippets.
808
809 To disable the creation of the configuration snippets set the
810 parameter to 'none'.
811
812 Default: not set (krb5.include.d subdirectory of SSSD's pubconf
813 directory)
814
816 Certain option defaults do not match their respective backend provider
817 defaults, these option names and AD provider-specific defaults are
818 listed below:
819
820 KRB5 Provider
821 · krb5_validate = true
822
823 · krb5_use_enterprise_principal = true
824
825 LDAP Provider
826 · ldap_schema = ad
827
828 · ldap_force_upper_case_realm = true
829
830 · ldap_id_mapping = true
831
832 · ldap_sasl_mech = GSS-SPNEGO
833
834 · ldap_referrals = false
835
836 · ldap_account_expire_policy = ad
837
838 · ldap_use_tokengroups = true
839
840 · ldap_sasl_authid = sAMAccountName@REALM (typically
841 SHORTNAME$@REALM)
842
843 The AD provider looks for a different principal than the LDAP
844 provider by default, because in an Active Directory environment the
845 principals are divided into two groups - User Principals and
846 Service Principals. Only User Principal can be used to obtain a TGT
847 and by default, computer object's principal is constructed from its
848 sAMAccountName and the AD realm. The well-known host/hostname@REALM
849 principal is a Service Principal and thus cannot be used to get a
850 TGT with.
851
852 NSS configuration
853 · fallback_homedir = /home/%d/%u
854
855 The AD provider automatically sets "fallback_homedir = /home/%d/%u"
856 to provide personal home directories for users without the
857 homeDirectory attribute. If your AD Domain is properly populated
858 with Posix attributes, and you want to avoid this fallback
859 behavior, you can explicitly set "fallback_homedir = %o".
860
861 Note that the system typically expects a home directory in /home/%u
862 folder. If you decide to use a different directory structure, some
863 other parts of your system may need adjustments.
864
865 For example automated creation of home directories in combination
866 with selinux requires selinux adjustment, otherwise the home
867 directory will be created with wrong selinux context.
868
870 The failover feature allows back ends to automatically switch to a
871 different server if the current server fails.
872
873 Failover Syntax
874 The list of servers is given as a comma-separated list; any number of
875 spaces is allowed around the comma. The servers are listed in order of
876 preference. The list can contain any number of servers.
877
878 For each failover-enabled config option, two variants exist: primary
879 and backup. The idea is that servers in the primary list are preferred
880 and backup servers are only searched if no primary servers can be
881 reached. If a backup server is selected, a timeout of 31 seconds is
882 set. After this timeout SSSD will periodically try to reconnect to one
883 of the primary servers. If it succeeds, it will replace the current
884 active (backup) server.
885
886 The Failover Mechanism
887 The failover mechanism distinguishes between a machine and a service.
888 The back end first tries to resolve the hostname of a given machine; if
889 this resolution attempt fails, the machine is considered offline. No
890 further attempts are made to connect to this machine for any other
891 service. If the resolution attempt succeeds, the back end tries to
892 connect to a service on this machine. If the service connection attempt
893 fails, then only this particular service is considered offline and the
894 back end automatically switches over to the next service. The machine
895 is still considered online and might still be tried for another
896 service.
897
898 Further connection attempts are made to machines or services marked as
899 offline after a specified period of time; this is currently hard coded
900 to 30 seconds.
901
902 If there are no more machines to try, the back end as a whole switches
903 to offline mode, and then attempts to reconnect every 30 seconds.
904
905 Failover time outs and tuning
906 Resolving a server to connect to can be as simple as running a single
907 DNS query or can involve several steps, such as finding the correct
908 site or trying out multiple host names in case some of the configured
909 servers are not reachable. The more complex scenarios can take some
910 time and SSSD needs to balance between providing enough time to finish
911 the resolution process but on the other hand, not trying for too long
912 before falling back to offline mode. If the SSSD debug logs show that
913 the server resolution is timing out before a live server is contacted,
914 you can consider changing the time outs.
915
916 This section lists the available tunables. Please refer to their
917 description in the sssd.conf(5), manual page.
918
919 dns_resolver_server_timeout
920 Time in milliseconds that sets how long would SSSD talk to a single
921 DNS server before trying next one.
922
923 Default: 1000
924
925 dns_resolver_op_timeout
926 Time in seconds to tell how long would SSSD try to resolve single
927 DNS query (e.g. resolution of a hostname or an SRV record) before
928 trying the next hostname or discovery domain.
929
930 Default: 3
931
932 dns_resolver_timeout
933 How long would SSSD try to resolve a failover service. This service
934 resolution internally might include several steps, such as
935 resolving DNS SRV queries or locating the site.
936
937 Default: 6
938
939 For LDAP-based providers, the resolve operation is performed as part of
940 an LDAP connection operation. Therefore, also the “ldap_opt_timeout”
941 timeout should be set to a larger value than “dns_resolver_timeout”
942 which in turn should be set to a larger value than
943 “dns_resolver_op_timeout” which should be larger than
944 “dns_resolver_server_timeout”.
945
947 The service discovery feature allows back ends to automatically find
948 the appropriate servers to connect to using a special DNS query. This
949 feature is not supported for backup servers.
950
951 Configuration
952 If no servers are specified, the back end automatically uses service
953 discovery to try to find a server. Optionally, the user may choose to
954 use both fixed server addresses and service discovery by inserting a
955 special keyword, “_srv_”, in the list of servers. The order of
956 preference is maintained. This feature is useful if, for example, the
957 user prefers to use service discovery whenever possible, and fall back
958 to a specific server when no servers can be discovered using DNS.
959
960 The domain name
961 Please refer to the “dns_discovery_domain” parameter in the
962 sssd.conf(5) manual page for more details.
963
964 The protocol
965 The queries usually specify _tcp as the protocol. Exceptions are
966 documented in respective option description.
967
968 See Also
969 For more information on the service discovery mechanism, refer to RFC
970 2782.
971
973 The ID-mapping feature allows SSSD to act as a client of Active
974 Directory without requiring administrators to extend user attributes to
975 support POSIX attributes for user and group identifiers.
976
977 NOTE: When ID-mapping is enabled, the uidNumber and gidNumber
978 attributes are ignored. This is to avoid the possibility of conflicts
979 between automatically-assigned and manually-assigned values. If you
980 need to use manually-assigned values, ALL values must be
981 manually-assigned.
982
983 Please note that changing the ID mapping related configuration options
984 will cause user and group IDs to change. At the moment, SSSD does not
985 support changing IDs, so the SSSD database must be removed. Because
986 cached passwords are also stored in the database, removing the database
987 should only be performed while the authentication servers are
988 reachable, otherwise users might get locked out. In order to cache the
989 password, an authentication must be performed. It is not sufficient to
990 use sss_cache(8) to remove the database, rather the process consists
991 of:
992
993 · Making sure the remote servers are reachable
994
995 · Stopping the SSSD service
996
997 · Removing the database
998
999 · Starting the SSSD service
1000
1001 Moreover, as the change of IDs might necessitate the adjustment of
1002 other system properties such as file and directory ownership, it's
1003 advisable to plan ahead and test the ID mapping configuration
1004 thoroughly.
1005
1006 Mapping Algorithm
1007 Active Directory provides an objectSID for every user and group object
1008 in the directory. This objectSID can be broken up into components that
1009 represent the Active Directory domain identity and the relative
1010 identifier (RID) of the user or group object.
1011
1012 The SSSD ID-mapping algorithm takes a range of available UIDs and
1013 divides it into equally-sized component sections - called "slices"-.
1014 Each slice represents the space available to an Active Directory
1015 domain.
1016
1017 When a user or group entry for a particular domain is encountered for
1018 the first time, the SSSD allocates one of the available slices for that
1019 domain. In order to make this slice-assignment repeatable on different
1020 client machines, we select the slice based on the following algorithm:
1021
1022 The SID string is passed through the murmurhash3 algorithm to convert
1023 it to a 32-bit hashed value. We then take the modulus of this value
1024 with the total number of available slices to pick the slice.
1025
1026 NOTE: It is possible to encounter collisions in the hash and subsequent
1027 modulus. In these situations, we will select the next available slice,
1028 but it may not be possible to reproduce the same exact set of slices on
1029 other machines (since the order that they are encountered will
1030 determine their slice). In this situation, it is recommended to either
1031 switch to using explicit POSIX attributes in Active Directory
1032 (disabling ID-mapping) or configure a default domain to guarantee that
1033 at least one is always consistent. See “Configuration” for details.
1034
1035 Configuration
1036 Minimum configuration (in the “[domain/DOMAINNAME]” section):
1037
1038 ldap_id_mapping = True
1039 ldap_schema = ad
1040
1041 The default configuration results in configuring 10,000 slices, each
1042 capable of holding up to 200,000 IDs, starting from 200,000 and going
1043 up to 2,000,200,000. This should be sufficient for most deployments.
1044
1045 Advanced Configuration
1046 ldap_idmap_range_min (integer)
1047 Specifies the lower bound of the range of POSIX IDs to use for
1048 mapping Active Directory user and group SIDs.
1049
1050 NOTE: This option is different from “min_id” in that “min_id”
1051 acts to filter the output of requests to this domain, whereas
1052 this option controls the range of ID assignment. This is a
1053 subtle distinction, but the good general advice would be to
1054 have “min_id” be less-than or equal to “ldap_idmap_range_min”
1055
1056 Default: 200000
1057
1058 ldap_idmap_range_max (integer)
1059 Specifies the upper bound of the range of POSIX IDs to use for
1060 mapping Active Directory user and group SIDs.
1061
1062 NOTE: This option is different from “max_id” in that “max_id”
1063 acts to filter the output of requests to this domain, whereas
1064 this option controls the range of ID assignment. This is a
1065 subtle distinction, but the good general advice would be to
1066 have “max_id” be greater-than or equal to
1067 “ldap_idmap_range_max”
1068
1069 Default: 2000200000
1070
1071 ldap_idmap_range_size (integer)
1072 Specifies the number of IDs available for each slice. If the
1073 range size does not divide evenly into the min and max values,
1074 it will create as many complete slices as it can.
1075
1076 NOTE: The value of this option must be at least as large as the
1077 highest user RID planned for use on the Active Directory
1078 server. User lookups and login will fail for any user whose RID
1079 is greater than this value.
1080
1081 For example, if your most recently-added Active Directory user
1082 has objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107,
1083 “ldap_idmap_range_size” must be at least 1108 as range size is
1084 equal to maximal SID minus minimal SID plus one (e.g. 1108 =
1085 1107 - 0 + 1).
1086
1087 It is important to plan ahead for future expansion, as changing
1088 this value will result in changing all of the ID mappings on
1089 the system, leading to users with different local IDs than they
1090 previously had.
1091
1092 Default: 200000
1093
1094 ldap_idmap_default_domain_sid (string)
1095 Specify the domain SID of the default domain. This will
1096 guarantee that this domain will always be assigned to slice
1097 zero in the ID map, bypassing the murmurhash algorithm
1098 described above.
1099
1100 Default: not set
1101
1102 ldap_idmap_default_domain (string)
1103 Specify the name of the default domain.
1104
1105 Default: not set
1106
1107 ldap_idmap_autorid_compat (boolean)
1108 Changes the behavior of the ID-mapping algorithm to behave more
1109 similarly to winbind's “idmap_autorid” algorithm.
1110
1111 When this option is configured, domains will be allocated
1112 starting with slice zero and increasing monatomically with each
1113 additional domain.
1114
1115 NOTE: This algorithm is non-deterministic (it depends on the
1116 order that users and groups are requested). If this mode is
1117 required for compatibility with machines running winbind, it is
1118 recommended to also use the “ldap_idmap_default_domain_sid”
1119 option to guarantee that at least one domain is consistently
1120 allocated to slice zero.
1121
1122 Default: False
1123
1124 ldap_idmap_helper_table_size (integer)
1125 Maximal number of secondary slices that is tried when
1126 performing mapping from UNIX id to SID.
1127
1128 Note: Additional secondary slices might be generated when SID
1129 is being mapped to UNIX id and RID part of SID is out of range
1130 for secondary slices generated so far. If value of
1131 ldap_idmap_helper_table_size is equal to 0 then no additional
1132 secondary slices are generated.
1133
1134 Default: 10
1135
1136 Well-Known SIDs
1137 SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a
1138 special hardcoded meaning. Since the generic users and groups related
1139 to those Well-Known SIDs have no equivalent in a Linux/UNIX environment
1140 no POSIX IDs are available for those objects.
1141
1142 The SID name space is organized in authorities which can be seen as
1143 different domains. The authorities for the Well-Known SIDs are
1144
1145 · Null Authority
1146
1147 · World Authority
1148
1149 · Local Authority
1150
1151 · Creator Authority
1152
1153 · NT Authority
1154
1155 · Built-in
1156
1157 The capitalized version of these names are used as domain names when
1158 returning the fully qualified name of a Well-Known SID.
1159
1160 Since some utilities allow to modify SID based access control
1161 information with the help of a name instead of using the SID directly
1162 SSSD supports to look up the SID by the name as well. To avoid
1163 collisions only the fully qualified names can be used to look up
1164 Well-Known SIDs. As a result the domain names “NULL AUTHORITY”, “WORLD
1165 AUTHORITY”, “ LOCAL AUTHORITY”, “CREATOR AUTHORITY”, “NT AUTHORITY” and
1166 “BUILTIN” should not be used as domain names in sssd.conf.
1167
1169 The following example assumes that SSSD is correctly configured and
1170 example.com is one of the domains in the [sssd] section. This example
1171 shows only the AD provider-specific options.
1172
1173 [domain/EXAMPLE]
1174 id_provider = ad
1175 auth_provider = ad
1176 access_provider = ad
1177 chpass_provider = ad
1178
1179 ad_server = dc1.example.com
1180 ad_hostname = client.example.com
1181 ad_domain = example.com
1182
1183
1185 The AD access control provider checks if the account is expired. It has
1186 the same effect as the following configuration of the LDAP provider:
1187
1188 access_provider = ldap
1189 ldap_access_order = expire
1190 ldap_account_expire_policy = ad
1191
1192 However, unless the “ad” access control provider is explicitly
1193 configured, the default access provider is “permit”. Please note that
1194 if you configure an access provider other than “ad”, you need to set
1195 all the connection parameters (such as LDAP URIs and encryption
1196 details) manually.
1197
1198 When the autofs provider is set to “ad”, the RFC2307 schema attribute
1199 mapping (nisMap, nisObject, ...) is used, because these attributes are
1200 included in the default Active Directory schema.
1201
1203 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1204 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
1205 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
1206 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1207 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
1208 sssd-systemtap(5)
1209
1211 The SSSD upstream - https://github.com/SSSD/sssd/
1212
1214 1. [MS-ADTS] section LDAP extensions
1215 https://msdn.microsoft.com/en-us/library/cc223367.aspx
1216
1217
1218
1219SSSD 02/19/2021 SSSD-AD(5)