Ubuntu Server Guide
Prerequisites, Assumptions, and Requirements
For this setup, we will need:

• an existing OpenLDAP server using the RFC2307 schema for users and groups. SSL support is recommended, but not strictly necessary because authentication in this setup is being done via Kerberos, and not LDAP.
• a Kerberos server. It doesn’t have to be using the OpenLDAP backend.
• a client host where we will install and configure SSSD.

Software Installation

On the client host, install the following packages:

    sudo apt install sssd-ldap sssd-krb5 ldap-utils krb5-user

You may be asked about the default Kerberos realm. For this guide, we are using EXAMPLE.COM.

At this point, you should already be able to obtain tickets from your Kerberos server, assuming DNS records point at it as explained elsewhere in this guide:

    $ kinit ubuntu
    Password for ubuntu@EXAMPLE.COM:
    ubuntu@ldap-krb-client:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubuntu@EXAMPLE.COM

    Valid starting     Expires            Service principal
    04/17/20 19:51:06  04/18/20 05:51:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
            renew until 04/18/20 19:51:05

But we want to be able to log in as an LDAP user, authenticated via Kerberos. Let’s continue with the configuration.

SSSD Configuration

Create the /etc/sssd/sssd.conf configuration file, with permissions 0600 and ownership root:root, and this content:

    [sssd]
    config_file_version = 2
    domains = example.com

    [domain/example.com]
    id_provider = ldap
    ldap_uri = ldap://ldap01.example.com
    ldap_search_base = dc=example,dc=com
    auth_provider = krb5
    krb5_server = kdc01.example.com,kdc02.example.com
    krb5_kpasswd = kdc01.example.com
    krb5_realm = EXAMPLE.COM
    cache_credentials = True

This example uses two KDCs, which made it necessary to also specify the krb5_kpasswd server because the second KDC is a replica and is not running the admin server.

Start the sssd service:

    sudo systemctl start sssd.service
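A pre-flight check for the sssd.conf described above, as an added example that is not part of the Ubuntu Server Guide: it verifies the 0600 mode and the owner, that auth_provider is krb5, and that krb5_kpasswd is set when more than one KDC is listed. The names check_sssd_conf and conf_get and the optional UID:GID argument are assumptions of this example, which relies on GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the guide): lint an sssd.conf before starting sssd.
# Usage: check_sssd_conf FILE [UID:GID]   (UID:GID defaults to 0:0, i.e. root:root)
# Prints one line per finding and returns the number of findings.

# Print the value of the first "key = value" line for KEY in $conf.
conf_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$conf" |
        sed 's/[[:space:]]*$//' | head -n 1
}

check_sssd_conf() {
    conf=$1
    want_owner=${2:-0:0}
    findings=0

    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

    # The guide requires permissions 0600 and ownership root:root.
    mode=$(stat -c '%a' "$conf")
    owner=$(stat -c '%u:%g' "$conf")
    [ "$mode" = 600 ] ||
        { echo "mode is $mode, expected 600"; findings=$((findings + 1)); }
    [ "$owner" = "$want_owner" ] ||
        { echo "owner is $owner, expected $want_owner"; findings=$((findings + 1)); }

    # Authentication in this setup is done via Kerberos, not LDAP.
    [ "$(conf_get auth_provider)" = krb5 ] ||
        { echo "auth_provider is not krb5"; findings=$((findings + 1)); }

    # More than one KDC listed: krb5_kpasswd must name the KDC that runs the
    # admin server, because a replica does not.
    case $(conf_get krb5_server) in
        *,*) [ -n "$(conf_get krb5_kpasswd)" ] ||
                 { echo "multiple KDCs but no krb5_kpasswd"; findings=$((findings + 1)); } ;;
    esac

    # Informational only: the guide recommends SSL but does not require it.
    case $(conf_get ldap_uri) in
        ldap://*) echo "note: ldap_uri is plain ldap://, identity lookups are not encrypted" ;;
    esac

    return "$findings"
}

# Run the check when a file is given on the command line.
if [ "$#" -gt 0 ]; then check_sssd_conf "$@"; fi
```

Run it as `sudo sh check.sh /etc/sssd/sssd.conf` (the script file name is hypothetical); an exit status of 0 means no findings.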