Debian: System Security Services Daemon (SSSD) and Active Directory


The System Security Services Daemon (SSSD) is software originally developed for Linux that provides a set of daemons to manage access to remote directory services and authentication mechanisms. SSSD began as part of the open-source FreeIPA project.

Step 1: Install Packages

The following packages are required to set up SSSD and integrate it with Active Directory. realmd installs the remaining client packages it needs (listed as required-package in the realm discover output of Step 3) at join time.

# apt install sssd realmd adcli

Step 2: Kerberos

Make sure that Kerberos is properly configured in /etc/krb5.conf. The realm name is the AD domain in upper case, and the entry under [realms] must match default_realm exactly, otherwise the join and every later TGT request fail:

[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    # keep the DES enctype family disabled
    allow_weak_crypto = false
    default_keytab_name = FILE:/etc/krb5.keytab
    proxiable = false
    # send anything larger than this over TCP: AD tickets carry a PAC and
    # frequently exceed a single UDP datagram
    udp_preference_limit = 1465

[realms]
    # must be the same realm as default_realm above
    DOMAIN.COM = {
        kdc = dc-01.domain.com
        kdc = dc-02.domain.com
        kdc = dc-03.domain.com
        admin_server = dc-01.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

Step 3: Join Realm

Discover the realm before joining. The output confirms that the realm is an Active Directory domain, that sssd is the client software realmd will configure, and which packages it will install. On a host that has not been joined yet the configured line reads "configured: no"; "kerberos-member", as shown here, is what a joined host reports.

# realm discover mydomain.org
mydomain.org
type: kerberos
realm-name: MYDOMAIN.ORG
domain-name: mydomain.org
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins

Join the realm with an account that is allowed to create computer objects in the domain. The join creates the computer account in AD and writes the host keytab to /etc/krb5.keytab:

# realm join <realm-domain> -U <user>

Step 4: SSSD configuration

Make sure that SSSD is properly configured in /etc/sssd/sssd.conf. realm join writes an initial version of this file; review it, and keep it owned by root with mode 0600, because sssd refuses to start when the file is readable by others.

[sssd]
domains = domain.com

[domain/domain.com]
id_provider = ad
# must match default_realm in /etc/krb5.conf
krb5_realm = DOMAIN.COM
ad_domain = domain.com
realmd_tags = manages-system joined-with-adcli
use_fully_qualified_names = false
default_shell = /bin/bash
fallback_homedir = /export/home/DOMAIN.COM/%u
# allow logins while the domain controllers are unreachable, using cached credentials
cache_credentials = true
krb5_store_password_if_offline = true
# derive UIDs/GIDs from the object SID instead of relying on POSIX attributes in AD
ldap_id_mapping = true
ldap_idmap_autorid_compat = true
ldap_idmap_range_min = 1174405120
# enforce disabled/expired accounts and GPO logon rights from AD
access_provider = ad
# applies when the GPOs in effect for this host set no logon-right policy:
# permit lets every AD user log in; set to deny for a fail-closed default
ad_gpo_default_right = permit
dyndns_update = false
dyndns_refresh_interval = 0
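Before restarting sssd it is worth checking that the two files above agree with each other, since the realm in sssd.conf silently overriding krb5.conf, or a world-readable sssd.conf, are the usual reasons a join "succeeds" but logins never work. The following pre-flight script is an added example and is not part of the original page or of the SSSD project: it parses the INI-style files with awk, checks that the realm in sssd.conf equals default_realm, that the realm is upper case and has kdc entries under [realms], that the domain has an [domain/...] section with id_provider = ad, and that sssd.conf is mode 0600. The sample configuration files it writes are constructed for the demo; the function and file names (ini_get, krb5_kdcs, preflight, write_samples, sssd-good.conf, sssd-bad.conf) are the example's own, and the mode check assumes GNU stat.

```shell
#!/bin/sh
# Pre-flight consistency check for an SSSD/AD join (added example, not SSSD code).
# Usage on a real host:  preflight /etc/krb5.conf /etc/sssd/sssd.conf

# Print the value of "key" inside "[section]" of an INI-style file (krb5.conf, sssd.conf).
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "\\][[:space:]]*$")); next }
        in_sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }' "$1"
}

# Print the kdc hosts declared for realm $2 inside the [realms] section of krb5.conf $1.
krb5_kdcs() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); in_block = 0; next }
        in_realms && $0 ~ ("^[[:space:]]*" realm "[[:space:]]*=[[:space:]]*[{]") { in_block = 1; next }
        in_block && /^[[:space:]]*[}]/ { in_block = 0; next }
        in_block && /^[[:space:]]*kdc[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print }
    ' "$1"
}

# sssd refuses to start unless sssd.conf is root-owned with mode 0600 (assumes GNU stat).
check_mode() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Run all checks; prints one line per finding and returns the number of failures.
preflight() {
    krb5=$1; sssd=$2; rc=0
    realm=$(ini_get "$krb5" libdefaults default_realm)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $krb5"; rc=$((rc + 1)); }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm '$realm' must be upper case"; rc=$((rc + 1)); }
    [ -n "$(krb5_kdcs "$krb5" "$realm")" ] \
        || { echo "FAIL: no [realms] block with kdc entries for $realm in $krb5"; rc=$((rc + 1)); }
    domain=$(ini_get "$sssd" sssd domains | cut -d, -f1 | tr -d ' ')
    [ -n "$domain" ] || { echo "FAIL: no domains= in [sssd] of $sssd"; rc=$((rc + 1)); }
    [ "$(ini_get "$sssd" "domain/$domain" id_provider)" = "ad" ] \
        || { echo "FAIL: [domain/$domain] must set id_provider = ad"; rc=$((rc + 1)); }
    sssd_realm=$(ini_get "$sssd" "domain/$domain" krb5_realm)
    [ "$sssd_realm" = "$realm" ] \
        || { echo "FAIL: krb5_realm '$sssd_realm' in $sssd != default_realm '$realm' in $krb5"; rc=$((rc + 1)); }
    check_mode "$sssd" || { echo "FAIL: $sssd must be mode 0600 (sssd will refuse to start)"; rc=$((rc + 1)); }
    return $rc
}

# Constructed sample files for the demo (not copied from a real host).
write_samples() {
    dir=$1
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = dc-01.domain.com
        kdc = dc-02.domain.com
        admin_server = dc-01.domain.com
    }
EOF
    cat > "$dir/sssd-good.conf" <<'EOF'
[sssd]
domains = domain.com

[domain/domain.com]
id_provider = ad
access_provider = ad
krb5_realm = DOMAIN.COM
ad_domain = domain.com
EOF
    # same file with a realm from another forest pasted in, and left world-readable
    sed 's/^krb5_realm = .*/krb5_realm = OPS.CYBERFRONT.ORG/' "$dir/sssd-good.conf" > "$dir/sssd-bad.conf"
    chmod 600 "$dir/sssd-good.conf"
    chmod 644 "$dir/sssd-bad.conf"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== consistent pair"
preflight "$demo_dir/krb5.conf" "$demo_dir/sssd-good.conf" && echo "OK"
echo "== mismatched realm and wrong mode"
preflight "$demo_dir/krb5.conf" "$demo_dir/sssd-bad.conf" || echo "$? issue(s) found"
rm -rf "$demo_dir"
```

The checker deliberately reads the files the way sssd and libkrb5 do (section by section) rather than grepping for strings, so an entry that exists but sits under the wrong section is reported as missing. Run it against /etc/krb5.conf and /etc/sssd/sssd.conf after realm join and before systemctl restart sssd; a non-zero exit is the number of findings.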