![\"sssd\"](\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2021\/09\/sssd.png\")
<\/p>\n<\/p>\n
SSSD permet de faire communiquer une machine linux et un domaine Active Directory. L\u2019AD g\u00e8re la gestion des identit\u00e9s dans de nombreux parcs informatique. SSSD permet d\u2019authentifier les utilisateurs de linux sur l\u2019Active Directory. Il offre \u00e9galement l\u2019authentification hors-ligne et \u00e9vite le doublement de compte en cas de non-connexion avec le r\u00e9seau de l\u2019entreprise.<\/p>\n
<\/p>\n
V\u00e9rifier que vous n’utilisiez pas pr\u00e9c\u00e9demment nscd, dans le cas contraire, il vous faut les d\u00e9sinstaller<\/p>\n
# apt-get remove --purge nscd nslcd nslcd-utils ldap-utils libnss-ldapd libpam-ldapd\n<\/code><\/pre>\nInstaller sssd<\/p>\n
# apt-get autoclean && apt-get autoremove\n# apt-get install samba-common-bin sssd-tools sssd libnss-sss libpam-sss realmd packagekit\n<\/code><\/pre>\nInt\u00e9grer la machine avant Debian 9 au domaine avec les commandes suivantes<\/p>\n
# mkdir -p \/var\/lib\/samba\/private\n# realm join --user=colombet AD.MONDOMAINE.FR \n<\/code><\/pre>\nou int\u00e9grer la machine apr\u00e8s Debian 9 au domaine avec les commandes suivantes<\/p>\n
# realm join --user=colombet AD.MONDOMAINE.FR --install=\/\n# adcli join --user=colombet AD.MONDOMAINE.FR\n<\/code><\/pre>\nCr\u00e9ation automatique du homedirectory avec le paquet suivant<\/p>\n
# apt-get install oddjob-mkhomedir\n<\/code><\/pre>\n# echo \"session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022\" | tee -a \/etc\/pam.d\/common-session\n<\/code><\/pre>\nCr\u00e9er un fichier template de sssd<\/p>\n
# vi \/etc\/sssd\/sssd.conf.ori\n\n[sssd]\ndomains = AD.MONDOMAINE.FR\nconfig_file_version = 2\nservices = nss, pam\nsbus_timeout = 30\n\n[nss]\nfilter_users = root\nfilter_groups = root\nreconnection_retries = 5\n\n[pam]\nreconnection_retries = 5\noffline_credentials_expiration = 0\n\n[domain\/AD.MONDOMAINE.FR]\nad_domain = AD.MONDOMAINE.FR\nkrb5_realm = AD.MONDOMAINE.FR\nrealmd_tags = manages-system joined-with-samba\ncache_credentials = True\nid_provider = ad\nkrb5_store_password_if_offline = True\ndefault_shell = \/bin\/bash\nldap_sasl_authid = NOM_DE_LA_MACHINE$\nldap_id_mapping = True\nuse_fully_qualified_names = False\nfallback_homedir = \/home\/%u\n#access_provider = ad\naccess_provider = simple\n<\/code><\/pre>\nCopier le fichier template sssd<\/p>\n
# cp \/etc\/sssd\/sssd.conf.ori \/etc\/sssd\/sssd.conf\n# chmod 600 \/etc\/sssd\/sssd.conf*\n<\/code><\/pre>\nActiver le service sssd et relancer la machine<\/p>\n
# systemctl enable sssd && systemctl start sssd\n# pam-auth-update --force\n# reboot\n<\/code><\/pre>\nTester la bonne int\u00e9gration au domaine<\/p>\n
# id colombet\nuid=1000(colombet) gid=1000(colombet) groups=2000(sudo)\n<\/code><\/pre>\nActiver l’utilisateur de faire su sudo via le groupe sudo<\/p>\n
# apt-get install libsss-sudo\n# echo \"%sudo ALL=(ALL:ALL) NOPASSWD:ALL\" | sudo tee -a \/etc\/sudoers.d\/domain_admins\n\n# vi \/etc\/nsswitch.conf\nsudoers: files\n<\/code><\/pre>\nPour CENTOS 6<\/h3>\n
Installer sssd<\/p>\n
# yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common ntpdate ntp\n<\/code><\/pre>\nInt\u00e9grer la machine au domaine avec les commandes suivantes<\/p>\n
# adcli join --user=colombet AD.MONDOMAINE.FR\nPassword for colombet@AD.MONDOMAINE.FR:\n<\/code><\/pre>\nCr\u00e9er le fichier sssd<\/p>\n
# egrep -v '(^#|^$)' \/etc\/sssd\/sssd.conf\n[sssd]\ndomains = AD.MONDOMAINE.FR\nconfig_file_version = 2\nreconnection_retries = 3\nsbus_timeout = 30\nservices = nss, pam\n\n[nss]\nfilter_groups = root\nfilter_users = root\nreconnection_retries = 3\nentry_cache_timeout = 300\nentry_cache_nowait_percentage = 75\n\n[domain\/AD.MONDOMAINE.FR]\nad_domain = AD.MONDOMAINE.FR\nkrb5_realm = AD.MONDOMAINE.FR\nrealmd_tags = manages-system joined-with-samba\ncache_credentials = True\nid_provider = ad\nkrb5_store_password_if_offline = True\ndefault_shell = \/bin\/bash\nldap_id_mapping = True\nuse_fully_qualified_names = False\nfallback_homedir = \/home\/%u\naccess_provider = ad\n\n# chmod 600 \/etc\/sssd\/sssd.conf*\n\n# \/etc\/init.d\/sssd restart\n\n# chkconfig sssd on\n\n# chkconfig sssd --list\nsssd 0:arr\u00eat 1:arr\u00eat 2:marche 3:marche 4:marche 5:marche 6:arr\u00eat\n\n# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update\n\n# egrep -v '(^#|^$)' \/etc\/nsswitch.conf\npasswd: files sss\nshadow: files sss\ngroup: files sss\nhosts: files dns\nbootparams: nisplus [NOTFOUND=return] files\nethers: files\nnetmasks: files\nnetworks: files\nprotocols: files\nrpc: files\nservices: files sss\nnetgroup: files sss\nsudoers: files sss\npublickey: nisplus\nautomount: files sss\naliases: files nisplus\n\n# ln -s \/etc\/pam.d\/system-auth-local \/etc\/pam.d\/system-auth\n\n# echo \"%domain\\ admins ALL=(ALL:ALL) NOPASSWD:ALL\" | sudo tee -a \/etc\/sudoers.d\/domain_admins\n\n# egrep -v '(^#|^$)' \/etc\/pam.d\/system-auth\nauth required pam_env.so\nauth sufficient pam_unix.so try_first_pass nullok\nauth requisite pam_succeed_if.so uid >= 500 quiet\nauth sufficient pam_sss.so use_first_pass\nauth required pam_deny.so\naccount required pam_unix.so broken_shadow\naccount sufficient pam_localuser.so\naccount sufficient pam_succeed_if.so uid < 500 quiet\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\naccount required pam_permit.so\npassword requisite pam_cracklib.so try_first_pass retry=3\npassword sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok\npassword sufficient pam_sss.so use_authtok\npassword required pam_deny.so\nsession optional pam_keyinit.so revoke\nsession required pam_limits.so\nsession optional pam_oddjob_mkhomedir.so\nsession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\nsession required pam_unix.so\nsession optional pam_sss.so\n<\/code><\/pre>\nDEBUG<\/h2>\n
Sortir du domaine :<\/p>\n
# realm leave -U colombet AD.MONDOMAINE.FR\n<\/code><\/pre>\nEntrer dans un domaine :<\/p>\n
# realm join -U colombet AD.MONDOMAINE.FR\n<\/code><\/pre>\nEffacer le cache SSSD<\/p>\n
sss_cache -E\n<\/code><\/pre>\nservice sssd stop\nrm -f \/var\/lib\/sss\/db\/*\nrm -f \/var\/lib\/sss\/mc\/*\nservice sssd start\ngetent passwd Administrator@ad.example.com\n<\/code><\/pre>\nErreurs pouvant apparaitre dans vos logs :<\/p>\n
Comment faire pour que sudo cesse de vous envoyer des mails inutiles ? Ce probl\u00e8me est caus\u00e9 par le fait que le sudo cherche des directives dans un endroit o\u00f9 il ne les trouve pas : sss. Editer le fichier \/etc\/nsswitch.conf afin de modifier les valeurs de l’entr\u00e9e sudoers.<\/p>\n
sudoers: files sss\n\npar\n\nsudoers: files\n<\/code><\/pre>\nL’erreur suivante apparait, car il manque des paquets debian :<\/p>\n
localhost realmd[12345]: couldn't check polkit authorization: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.PolicyKit1 was not provided by any .service files\n<\/code><\/pre>\nPour y rem\u00e9dier, installer les paquets suivants :<\/p>\n
# apt-get install libpolkit-agent-1-0 libpolkit-backend-1-0 policykit-1\n<\/code><\/pre>\nR\u00e9f\u00e9rences<\/h2>\n\n- https:\/\/fedorahosted.org\/sssd\/wiki\/Configuring_sssd_with_ad_server<\/a><\/li>\n
- https:\/\/it.izero.fr\/linux-joindre-machine-debian-9-stretch-domaine-active-directory\/<\/a><\/li>\n
- https:\/\/answers.launchpad.net\/ubuntu\/+question\/293540<\/a><\/li>\n
- https:\/\/bugs.freedesktop.org\/show_bug.cgi?id=90683<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
SSSD permet de faire communiquer une machine linux et un domaine Active Directory. L\u2019AD g\u00e8re la gestion des identit\u00e9s dans de nombreux parcs informatique. SSSD permet d\u2019authentifier les utilisateurs de linux sur l\u2019Active Directory. Il offre \u00e9galement l\u2019authentification hors-ligne et \u00e9vite le doublement de compte en cas de non-connexion avec le r\u00e9seau de l\u2019entreprise.<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,12],"tags":[83,84,4,85],"class_list":["post-550","post","type-post","status-publish","format-standard","hentry","category-linux","category-samba","tag-nas","tag-openmediavault","tag-samba","tag-sssd"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paBEVZ-8S","jetpack_likes_enabled":false,"_links":{"self":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/comments?post=550"}],"version-history":[{"count":1,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/550\/revisions"}],"predecessor-version":[{"id":551,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/550\/revisions\/551"}],"wp:attachment":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/media?parent=550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/categories?post=550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/tags?post=550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}