The System Security Services Daemon (SSSD) is software originally developed for the Linux operating system that provides a set of daemons to manage access to remote directory services and authentication mechanisms. The beginnings of SSSD lie in the open-source software project FreeIPA.
Step 1: Install Packages
The following packages are required for SSSD setup and integration with Active Directory:
# apt install sssd realmd adcli
Step 2: Kerberos
Make sure that Kerberos is properly configured on the system in /etc/krb5.conf. The realm name used in [realms] must be the same as default_realm, and the DES and RC4 entries (together with allow_weak_crypto = true) are weak enctypes that only a legacy domain controller still needs; current Active Directory negotiates aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, so drop the weak entries unless your DCs require them.
[libdefaults]
    default_realm = MYDOMAIN.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    # Weak enctypes: only needed for legacy DCs, modern AD uses AES.
    allow_weak_crypto = true
    permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

[realms]
    # The realm name here must match default_realm above.
    MYDOMAIN.ORG = {
        kdc = dc-01.mydomain.org:88
        kdc = dc-02.mydomain.org:88
        admin_server = dc-01.mydomain.org:749
        default_domain = mydomain.org
    }

[domain_realm]
    .mydomain.org = MYDOMAIN.ORG
    mydomain.org = MYDOMAIN.ORG
Step 3: Samba configuration
Make sure that Samba is properly configured on the system in /etc/samba/smb.conf:
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.ORG
    client signing = yes
    client use spnego = yes
    # Use the machine account keytab created by the realm join.
    kerberos method = secrets and keytab
    password server = mydomain.org
    security = ads
Step 4: Join Realm
Discover the realm before joining. The output below was captured on a host that had already joined; before the join, the configured: line reads no.
# realm discover mydomain.org
mydomain.org
  type: kerberos
  realm-name: MYDOMAIN.ORG
  domain-name: mydomain.org
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
Join the realm, where <user> is an AD account that is allowed to join computers to the domain:
# realm join <realm-domain> -U <user>
Step 5: SSSD configuration
Make sure that SSSD is properly configured on the system in /etc/sssd/sssd.conf. The realm join writes an initial version of this file; it must be owned by root with mode 0600 or sssd refuses to start. Options that describe the joined domain belong in a [domain/NAME] section named after the entry in domains, not in [sssd].
[sssd]
config_file_version = 2
domains = mydomain.org
debug_level = 0

[domain/mydomain.org]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.ORG
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /export/home/MYDOMAIN.ORG/%u
# ad_domain is the DNS name of the AD domain whose Kerberos realm is krb5_realm.
ad_domain = mydomain.org
use_fully_qualified_names = False
ldap_id_mapping = True
# access_provider = ad enforces AD account state (disabled, expired, locked out).
access_provider = ad
# ID-mapping settings must be identical on every host so a SID maps to the same UID everywhere.
ldap_idmap_autorid_compat = true
ldap_idmap_range_min = 1174405120
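Because the krb5.conf and sssd.conf fragments above name the realm in several places, it is easy to leave one of them out of step (a realm block named differently from default_realm, or an ad_domain that does not correspond to krb5_realm), and the weak-crypto settings are easy to carry forward from an old template. The following lint is an added example, not part of this guide, SSSD or MIT Kerberos: it parses both files (krb5.conf's brace-delimited realm blocks included) and reports weak enctypes and realm names that disagree within and between the two files. The sample configs are constructed from the guide's values, with the realm block deliberately named OPS.CYBERFRONT.ORG so that the mismatch check fires.

```python
"""Offline lint for this guide's krb5.conf and sssd.conf fragments (an added example,
not part of the guide, SSSD or MIT Kerberos): parses both files' INI-like syntax,
including krb5.conf realm blocks, and flags weak enctypes and mismatched realm names."""
import re

# Enctypes MIT Kerberos classifies as weak or deprecated (DES, 3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1-kd", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_ini_like(text):
    """Parse krb5.conf or sssd.conf into {section: {key: [values]}}. A 'NAME = {'
    line opens a nested block stored under NAME (krb5.conf realm definitions);
    repeated keys such as several 'kdc =' lines accumulate in the list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        opener = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if opener:
            block = section.setdefault(opener.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf

def first(section, key, default=None):
    """First value of key in a parsed section, or default when absent."""
    return section.get(key, [default])[0]

def check_krb5(krb5):
    """Findings for a parsed krb5.conf: weak crypto and an unmatched default_realm."""
    findings, lib = [], krb5.get("libdefaults", {})
    if first(lib, "allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("libdefaults: allow_weak_crypto is enabled")
    weak = sorted(set(first(lib, "permitted_enctypes", "").split()) & WEAK_ENCTYPES)
    if weak:
        findings.append(f"libdefaults: permitted_enctypes allows weak enctypes: {' '.join(weak)}")
    realms, default_realm = krb5.get("realms", {}), first(lib, "default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"realms: default_realm {default_realm} has no [realms] block")
    return findings

def check_sssd(sssd, krb5):
    """Findings for a parsed sssd.conf, cross-checked against a parsed krb5.conf."""
    findings = []
    default_realm = first(krb5.get("libdefaults", {}), "default_realm")
    for dom in first(sssd.get("sssd", {}), "domains", "").replace(",", " ").split():
        sec = sssd.get(f"domain/{dom}")
        if sec is None:
            findings.append(f"sssd: domains lists {dom} but [domain/{dom}] is missing")
            continue
        ad_domain = first(sec, "ad_domain", dom)
        realm = first(sec, "krb5_realm", ad_domain.upper())
        if realm != ad_domain.upper():  # an AD realm is its DNS domain in upper case
            findings.append(f"domain/{dom}: krb5_realm {realm} does not match ad_domain {ad_domain}")
        if default_realm and realm != default_realm:
            findings.append(f"domain/{dom}: krb5_realm {realm} differs from krb5.conf default_realm {default_realm}")
    return findings

# Constructed samples built from the guide's values: the krb5.conf realm block is
# named OPS.CYBERFRONT.ORG while default_realm is MYDOMAIN.ORG, and sssd.conf
# pairs ad_domain = ops.cyberfront.org with krb5_realm = MYDOMAIN.ORG.
SAMPLE_KRB5 = """
[libdefaults]
    default_realm = MYDOMAIN.ORG
    allow_weak_crypto = true
    permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
[realms]
    OPS.CYBERFRONT.ORG = {
        kdc = dc-01.mydomain.org:88
        kdc = dc-02.mydomain.org:88
    }
"""
SAMPLE_SSSD = """
[sssd]
config_file_version = 2
domains = mydomain.org
[domain/mydomain.org]
id_provider = ad
ad_domain = ops.cyberfront.org
krb5_realm = MYDOMAIN.ORG
"""

if __name__ == "__main__":
    krb5 = parse_ini_like(SAMPLE_KRB5)
    print("\n".join(check_krb5(krb5) + check_sssd(parse_ini_like(SAMPLE_SSSD), krb5)))
```

Run against the real files (read /etc/krb5.conf and /etc/sssd/sssd.conf as root and pass their contents to parse_ini_like) after the realm join and again whenever the files are touched; a clean run means the realm is spelled consistently and no DES or RC4 enctype is still permitted.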