nethserver-sssd¶
This package implements authentication and user management layers. Supported authentication providers are:
- OpenLDAP with POSIX attributes
- Samba or Windows Active Directory
It includes the following parts:
- SSSD configuration
- events for users and groups management
- web interface for user management
- password policy management
- system validators for users and groups
- SSSD perl library to ease the implementation of e-smith templates
The implementation can work in two modes:
- read-and-write: if nethserver-dc or nethserver-directory are installed, the system will provide all user management features like creation, modification and deletion of users and groups
- read-only: if users and groups are read from a remote source, the system will be able to consume them only using passwd database
Configuration DB format¶
sssd=service
AdDns=192.168.1.12
BindDN=ldapservice@AD.EXAMPLE.COM
BindPassword=cjnsdkuyf8934tjhvsdkljcvsdv
LdapURI=
Provider=ad
Realm=AD.EXAMPLE.COM
Workgroup=EXAMPLE
DiscoverDcType=dns
ShellOverrideStatus=disabled
status=enabled
AdDns
: IP address of the Active Directory DNS serverLdapURI
: LDAP server URI (useldap://
orldaps://
scheme)DiscoverDcType {dns,ldapuri}
:dns
query SRV records in AD DNS to find the DC name;ldapuri
retrieve the DC name from theLdapURI
prop valueShellOverrideStatus
(defaultdisabled
) Ifenabled
, the value of the passwd user’s shell field- is set to
/bin/bash
and is no more read from the accounts provider. The eventnethserver-sssd-save
will expand and restart all services which use this property
Realm and workgroup¶
When the system is configured to use an Active Directory provider (Provider=ad
),
make sure to correctly set both Realm
and Workgroup
properties:
- Realm: this is the Kerberos realm and it’s case sensitive, but it’s usually configured in upper case as best practice. When the realm is used for DNS queries, it’s automatically forced to lower case.
- Workgroup: Samba NetBIOS name, maximum length is 15 characters. It’s usually the first part of the Realm in upper case
Events¶
Defined events are:
user-create¶
The event creates the user record inside the account provider database.
Parameters:
- username: must be unique
- name: full name of the user
- shell: default to /usr/libexec/openssh/sftp-server, if set to /bin/bash the user will be able to access the server using SSH
user-modify¶
The event changes the full name inside the account provider databases
Parameters:
- username
- name: full name of the user
- shell: default to /usr/libexec/openssh/sftp-server, if set to /bin/bash the user will be able to access the server using SSH
Note: shell option can’t be changed for AD users
user-cleanup¶
This event deletes all data (home directory) and the emails of the user (given as parameter) if the email server is installed. This event is bind to the event user-delete. Every application which needs to remove the data of a user, must use this event to trigger a specific action, made to remove the data.
Parameters:
- username
user-lock¶
The event locks the user preventing the access. All new users are in locked state.
Parameters:
- username
user-unlock¶
The event unlocks the user preventing the access. This event should be called after the invoking password-modify event for the user.
Parameters:
- username
group-create¶
The event creates the group record inside the account provider database.
Parameters:
- groupname: must be unique
- members: a list of users member of this group
group-modify¶
The event changes the members of a group inside the account provider database.
Parameters:
- groupname: must be unique
- members: a list of users member of this group
group-delete¶
This event deletes a group record from the the account provider database.
Parameters:
- groupname
password-policy-update¶
This event configures password expiration of a single user or of all users.
Parameters
username (optional)
passexpires: it can be yes or no. If user is set and value is yes, the user password will expires after a predefined number of days (see passwordstrength{MaxPassAge})
The duration of a password can be passwordstrength{MaxPassAge}
nethserver-sssd-remove-provider¶
This event removes any installed local account provider and also wipes the configuration of any remote account provider.
Before resetting the configuration, all accounts are dumped inside the following files in tsv format:
- /var/lib/nethserver/backup/users.tsv
- /var/lib/nethserver/backup/accounts.tsv
System users and groups¶
SSSD can access all users and groups from an account provider, but the Server Manager hides system users and groups.
The following users will not be accessible from the Server Manager:
- all users listed inside /etc/nethserver/system-users
- all users in /etc/passwd
The following groups will not be accessible from the web interface:
- all groups listed inside /etc/nethserver/system-groups
- all groups in /etc/group
The users and groups lists are retrieved by the following UI helpers:
/usr/libexec/nethserver/list-users
/usr/libexec/nethserver/list-groups
The number of entries returned by the server is limited. For instance, AD has a 1000 entries search results cap.
To retrieve the members of a group and the membership of a specific user:
/usr/libexec/nethserver/list-group-members
/usr/libexec/nethserver/list-user-membership
The Dashboard account counters are provided by:
/usr/libexec/nethserver/count-accounts
All those helpers support the -A
flag, to include hidden entries,
and the -s
flag to return entries without @domain
suffix.
AD LDAP search¶
The Samba net ads search -k
command can run an LDAP search against the AD
LDAP servers. The command requires a valid Kerberos ticket and a configured
environment variable, KRB5CCNAME
, pointing to it.
The krb5exec
command can set up the Kerberos ticket by authenticating with
the machine credentials, providing the same environment where the UI helpers
run, as explained in the previous section.
Putting the two commands together, the following command retrieves the admin
account record from AD LDAP.
krb5exec net ads search -k sAMAccountName=admin
The same command with ldapsearch
krb5exec ldapsearch -Y GSSAPI -b <BIND_PATH> -h <LDAP_SERVER_NAME> sAMAccountName=admin
Replace <BIND_PATH>
and <LDAP_SERVER_NAME>
with values provided by
net ads info
NethServer::SSSD¶
NethServer::SSSD is the Perl library module to retrieve current LDAP configuration. It supports both Active Directory and OpenLDAP providers.
Template example:
{
use NethServer::SSSD;
my $sssd = NethServer::SSSD->new();
$OUT .= "{ldap_uri, [".$sssd->ldapURI()."]}\n";
if ($sssd->isAD()) {
$OUT .= "{ldap_uids, [\"sAMAccountName\"]}.\n";
}
}
All functions are documented using perldoc
perldoc NethServer::SSSD
This command prints out the current settings, by querying NethServer::SSSD
methods. It requires the package openldap-clients
/usr/sbin/account-provider-test dump
Check the bind credentials are OK
/usr/sbin/account-provider-test
Join Active Directory¶
The Active Directory join operation is run by realmd. After the AD has been joined sucessfully the system keytab file is initialized as long as individual service keytabs, as defined on the respective service record (see `Service configuration hooks`_).
Leave and Re-Join Active Directory¶
To leave a remote AD go to the Accounts provider page.
For local AD provider, this is the manual leave procedure
realm leave
realm leave # two times
If the machine password or system keytab get corrupted, joining again the DC can fix them:
realm join -U admin $(config getprop sssd Realm)
…at prompt, type the admin’s password, then:
signal-event nethserver-sssd-save
If you leave and do not want to re-join, disable the sssd service permanently:
config setprop sssd status disabled Provider none
signal-event nethserver-sssd-save
signal-event nethserver-sssd-leave
signal-event nethserver-dnsmasq-save
Change the FQDN¶
Once we are bound to an account provider the FQDN cannot be changed any more. However, this procedure can be useful in early server configuration to fix a wrong FQDN. Please note that any existing account setting must be fixed manually. The procedure to do it is currently undefined.
For local account providers:
- Execute the leave procedure explained above
- Go to page System name and change the domain suffix in the FQDN field.
- Re-join as explained above
For remote account providers the procedure is similar. Use the Accounts provider page to leave/join the domain.
Service configuration hooks for Kerberos/GSSAPI authentication¶
A service (i.e. dovecot, squid) record in the configuration
DB can be extended with
the following special props, that are read by smbads
to create a Kerberos keytab file
for the service
dovecot=service
...
KrbStatus=enabled
KrbKeytabPath=/var/lib/dovecot/krb5.keytab
KrbPrimaryList=smtp,imap,pop
KrbKeytabOwner=
KrbKeytabPerms=
KrbStatus {enabled,disabled}
This is the main switch. If not set toenabled
,smbads
ignores the record when the service keytab is written.KrbKeytabPath
Keytab file path. If empty,/var/lib/misc/nsrv-<service>.keytab
is assumedKrbPrimaryList <comma separated words list>
Defines the keytab contents. In Kerberos jargon a “primary” is the first part of the principal string, before the slash (/
) character. Any primary in this list is exported to the keytab.KrbKeytabOwner
The unix file owner. Default is theservice
name. This is applied to both the credentials cache file and the keytab file.KrbKeytabPerms
The unix bit permissions in octal form. Default is0400
. This is applied to both the credentials cache file and the keytab file.
The implementation is provided by /usr/libexec/nethserver/smbads
.
Individual services can link themselves to nethserver-sssd-initkeytabs
action in the respective -update
event.
It is up to the KDC administrator to configure the SPN in the KDC. For instance, with Active Directory run the following commands to add the SPNs for Dovecot:
kinit admin@$(config getprop sssd Realm)
net ads setspn list
net ads setspn add $(hostname -s) imap/$(hostname)
net ads setspn add $(hostname -s) pop/$(hostname)
net ads setspn add $(hostname -s) smtp/$(hostname)
kdestroy
signal-event nethserver-sssd-save
Account import scripts¶
There are some perl scripts under the documentation scripts/
directory.
rpm -qd nethserver-sssd
import_users¶
It is possible to create user accounts from a TSV (Tab Separated Values) file with the following format:
username <TAB> fullName <TAB> password <NEWLINE>
Sample invocation:
import_users users.tsv
Alternative separator character:
import_users users.csv ','
import_groups¶
It is possible to create groups from a TSV (Tab Separated Values) file with the following format:
groupname <TAB> member1 <TAB> ... <TAB> memberN <NEWLINE>
Sample invocation:
import_users groups.tsv
Alternative separator character:
import_groups groups.csv ','
import_emails¶
It is possible to create mail aliases from a TSV (Tab Separated Values) file with the following format:
username <TAB> emailaddress <NEWLINE>
See import_users
section for a sample script invocation.
Password policy¶
The system can handle global or per-user policies. All policies are enforced by
PAM and saved under passwordstrength
inside the configuration
database.
Available properties are:
Users
: change strength password for all users, can be:strong
: (default) strong passwords must conform to cracklib checksnone
: no strength check
PassExpires
: can beyes
(default) orno
. If set tono
password will not expire, if set toyes
,following properties apply:
MaxPassAge
: minimum number of days for which the user is forced to keep the same password (default 0)MinPassAge
: maximum number of days for which the user can keep the same password (default: 180)PassWarning
: a shell warning is displayed to the user X days before password expiration
Configuration can be applied using the password-policy-update event.
DB example:
passwordstrength=configuration
MaxPassAge=180
MinPassAge=0
PassExpires=no
PassWarning=7
Users=none