12

I have successfully configured sssd and can ssh into a system with AD credentials. What I am missing is the creation of a home directory and bash being set as the shell.

My assumption is that if I log on to a system that does not already have a local Linux account, but which does have a valid AD account, a home directory is created the first time that user logs in and the appropriate shell is set as defined in /etc/sssd/sssd.conf:

    override_homedir = /home/%u
    default_shell = /bin/bash

I have also run

    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

What am I missing or am I making an incorrect assumption about my existing configuration?

I want to avoid using the deprecated Identity Management for Unix feature of Windows.

Belmin Fernandez
grahamjgreen

4 Answers

7

This issue was solved by moving the entries

    override_homedir = /home/%u
    default_shell = /bin/bash

from the [sssd] section of sssd.conf to [domain/lab.local].

grahamjgreen
2

There are two parts of the equation. One is in SSSD and the Name Service Switch interface in particular. That part reports what the home directory is on the system and you can test it with "getent passwd $username". As long as that command gives you accurate answers, then SSSD is working as it should.

The other part is actually creating the home directories. I would recommend using oddjob and pam_oddjob_mkhomedir there over the old pam_mkhomedir. In my experience, it plays better with SELinux.

Look into /var/log/secure for error messages from the PAM modules.

jhrozek
1

Please see this post first: Common wisdom about Active Directory authentication for Linux Servers?

For RHEL/CentOS 6.x systems, I do:

  • Authconfig with the right initial SSSD settings.
  • Modify sssd.conf to taste.
  • Modify and configure oddjobd.

For authconfig, something like:

    authconfig --enablesssd --ldapserver=ldap://dc1.ad.blahblah.com --ldapbasedn="dc=ad,dc=blahblah,dc=com" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.ad.blahblah.com --krb5realm=AD.BLAHBLAH.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

  • My simple sssd.conf would look like this: http://pastebin.com/Aa2XsYhh - Restart the sssd service after modifying the configuration.

  • I then install oddjob-mkhomedir with: yum install oddjob-mkhomedir. You can tune home directory permissions to taste in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

  • Make sure the sssd and oddjob services are set to start on boot.

That should be all that's needed.

ewwhite
0

It works for me on CentOS 7 when I log in via SSHD. The place where the home directory is created is the "session" management group that's part of PAM.

From the pam(8) manpage:

    session - this group of tasks cover things that should be done prior to a service being given and after it is
    withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory.
    The session management group is important as it provides both an opening and closing hook for modules to
    affect the services available to a user.

In /etc/pam.d/password-auth you will find this line:

    session optional pam_oddjob_mkhomedir.so umask=0077

which takes care of home directory creation.

Make sure you have installed and enabled the package oddjob-mkhomedir.

neuhaus
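The accepted answer (moving override_homedir and default_shell from [sssd] to [domain/lab.local]), jhrozek's split between the NSS side and the home-directory side, and neuhaus's pointer to the PAM session stack all come down to two file checks. The script below is an added example, not code from any of the answerers: it parses an sssd.conf to report which section a key lives in, and greps a PAM stack for a mkhomedir session module. The sssd.conf and password-auth excerpts it writes are constructed sample files; on a real host you would point the same functions at /etc/sssd/sssd.conf and /etc/pam.d/password-auth. The domain name lab.local is taken from the accepted answer.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks from the answers:
#  (1) which sssd.conf section holds override_homedir / default_shell
#      (the fix was moving them from [sssd] to [domain/lab.local]);
#  (2) whether the PAM session stack loads a mkhomedir module.
# Every file path is a parameter; the sample files below are constructed.

# Print the INI section that contains KEY in FILE (first hit), or "none".
sssd_key_section() {
    awk -v key="$2" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[#;]/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { print sec; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Succeed (exit 0) only when KEY lives in a [domain/...] section of FILE.
sssd_key_in_domain() {
    case "$(sssd_key_section "$1" "$2")" in
        domain/*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeed when the PAM file has a session line for pam_mkhomedir or pam_oddjob_mkhomedir.
pam_has_mkhomedir() {
    grep -Eq '^[ \t]*session[ \t]+.*pam_(oddjob_)?mkhomedir\.so' "$1"
}

# Constructed sssd.conf with the keys under [sssd], the layout from the question.
write_sample_conf_wrong() {
    cat > "$1" <<'EOF'
[sssd]
domains = lab.local
services = nss, pam
override_homedir = /home/%u
default_shell = /bin/bash

[domain/lab.local]
id_provider = ad
EOF
}

# Constructed sssd.conf with the keys under [domain/lab.local], the accepted fix.
write_sample_conf_right() {
    cat > "$1" <<'EOF'
[sssd]
domains = lab.local
services = nss, pam

[domain/lab.local]
id_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
EOF
}

# Constructed excerpt of /etc/pam.d/password-auth with the oddjob session line.
write_sample_pam() {
    cat > "$1" <<'EOF'
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
EOF
}

# Run the checks against the constructed files; on a real host, point the
# functions at /etc/sssd/sssd.conf and /etc/pam.d/password-auth instead.
main() {
    tmp=$(mktemp -d)
    write_sample_conf_wrong "$tmp/wrong.conf"
    write_sample_conf_right "$tmp/right.conf"
    write_sample_pam "$tmp/password-auth"
    for f in wrong right; do
        for key in override_homedir default_shell; do
            printf '%s.conf: %s is in [%s]\n' "$f" "$key" "$(sssd_key_section "$tmp/$f.conf" "$key")"
        done
    done
    if pam_has_mkhomedir "$tmp/password-auth"; then
        echo "password-auth: mkhomedir session module present"
    else
        echo "password-auth: no mkhomedir session module (install oddjob-mkhomedir)"
    fi
    rm -rf "$tmp"
}

main "$@"
```

The section parser only answers the NSS-side question (where SSSD will read the home directory and shell from); whether the directory actually appears at first login still depends on the PAM session line and on oddjobd running, which is why the second check is separate. Comparing the output of sssd_key_section with what getent passwd reports for an AD user is the quickest way to tell which half is misconfigured.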