active-directory – Linux: Converting from NIS to AD Auth, How to Associate Old UID/GID to New Users?

active-directorysssduid

Background: Our org has used NIS for 20+ years for UNIX/Linux authentication, continuing thru the present time. Windows and Active Directory came on the scene in our org sometime around 16 years ago, but AD was never used for Linux auth (only using RHEL/CentOS and Ubuntu Linux now, all other *nix has fallen by the wayside.) So, on all of our many Linux resources, we are still using traditional UID/GID ranges for users' files.

Now, management has finally dictated that we need to move to AD for Linux auth, and stop using NIS (no real argument there 😉 and so we are working on utilizing SSSD to do this (which seems to be the popular [only?] way to integrate Linux auth against AD.) The issue we are facing is how to associate the old NIS-based UID and GID values for the users to their new AD-based identity. For instance, my AD-auth'd user on a test system has this from getent passwd -s sss wdennis:

root@vm01:~# getent passwd -s sss wdennis
wdennis:*:140001116:140000513:Will Dennis:/home/wdennis:/bin/bash

So obviously the UID/GID is auto-generated, and does not correspond with our current NIS values. In doing some research on AD and its schema, I see that the user attributes include the following:

uidNumber
gidNumber
unixHomeDirectory
loginShell

My question, can SSSD (or whatever we use to auth) somehow consume the values of uidNumber and gidNumber to map the existing UID/GID of files to the new AD-auth'd user? Or, how else can we associate the existing file ownership info to the AD-auth'd users? (Due to the number of files and machines having them, it's not really possible to chown the files to the new UID/GID vales…)

Best Answer

Yes, sssd can use the POSIX attributes from AD instead of doing its own ID mapping.

In the section for your AD domain in /etc/sssd/sssd.conf, simply set ldap_id_mapping = false.

If you have already used sssd's automatic ID mapping on a computer, be sure to clear its cache before you restart sssd.

rm -f /var/lib/sss/db/*

When using realm join to join a new computer to the domain, include the command line option --automatic-id-mapping=no.

Related Solutions

Centos – Winbind Centos wrong UID/GID

The problem you have is using rid idmap.
This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts.

What you need is the ads idmap, however, this means that the id's need to exist in AD and ldap.
If you are only concerned about accessing the UNIX groups and basic attributes and not all the AD groups then winbind is not necessary.
Configure kerberos populating /etc/krb5.conf and have an smb.conf similar to the following:

[global] workgroup = ADIRE client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log password server = adire.XXX.XX.uk realm = ADIRE.XXX.XXX.UK security = ads client ldap sasl wrapping = sign

To make this easier, you could let sssd control it all, but get this working first!

A good general idea of what options you have is HERE.

To configure a CentOS host to use AD authentication with LDAP attributes, you can use the following authconfig command (substitute the domain details):

authconfig  --update --disableldap --ldapbasedn="dc=adire,dc=domain,dc=co,dc=uk" --ldapserver="ldap://ad1.adire.domain.co.uk:ldap://ad2.adire.domain.co.uk" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=ADIRE.DOMAIN.CO.UK --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=ADIRE.DOMAIN.CO.UK --smbservers="ad1.adire.domain.co.uk ad2.adire.domain.co.uk" --smbworkgroup=ADIRE --smbsecurity=ads

Then join the host to the domain and create a kerberos /etc/krb5.keytab file:

net ads join createupn=host/`hostname -f`@ADIRE.DOMAIN.CO.UK -U priviledged_user
kinit @ADIRE.DOMAIN.CO.UK
net ads keytab create
net ads keytab add host/`hostname -f`@ADIRE.DOMAIN.CO.UK

This will enable sssd which you can have all the mapping in (/etc/sssd/sssd.conf):

[sssd]
 config_file_version = 2
 domains = adire.domain.co.uk
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/adire.domain.co.uk]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/servername.domain.co.uk@ADIRE.DOMAIN.CO.UK
 ldap_sasl_canonicalize = false

 ldap_user_search_base = OU=User Accounts,DC=adire,DC=domain,DC=co,DC=uk
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = OU=Groups,DC=adire,DC=domain,DC=co,DC=uk

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = ADIRE.DOMAIN.CO.UK
 krb5_canonicalize = false
 krb5_server = adire.domain.co.uk

Ensure the sssd is set to start at boot and is restarted after running the authconfig command and joining the domain.

Linux – vsFTPd authenticating with SSSD

I first checked the shell settings and added the following line to my /etc/sss/sssd.conf:

[domain/example.org]
override_shell = /sbin/rbash

but this didn't solve the problem.

After commenting out the line

account  [default=bad success=ok user_unknown=ignore]  pam_sss.so

in /etc/pam.d/common-auth active directory users can login with their AD account.

But this setting affects more login services than just vsftpd. So I removed the comment from that line (going back to the original version) and changed vsftpd'd pam configuration instead:

/etc/pam.d/vsftpd:

# Standard behaviour for ftpd(8).
auth  required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes

##@include common-account
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so 
account requisite      pam_deny.so
account required       pam_permit.so
account sufficient     pam_localuser.so 

@include common-session
@include common-auth
auth    required       pam_shells.so

Best Answer

Related Solutions

Centos – Winbind Centos wrong UID/GID

Linux – vsFTPd authenticating with SSSD

Related Topic