{{tag>LDAP AD CA}}

= Notes sssd =

See:

  * adcli - Tool for performing actions on an Active Directory domain
  * [[connexion_ad_active_directory_ldap]]
  * L2ARC, ZIL and SLOG

See also:

  * Winbind

== sssd vs winbind ==

See:

  * https://www.redhat.com/en/blog/sssd-vs-winbind
  * https://www.redhat.com/en/blog/overview-direct-integration-options

== Prerequisites for AD to Support SSSD ID Mapping ==

No configuration should be necessary if the following things are properly configured:

  * A DNS SRV record exists for "_ldap._tcp.ad.example.com".
  * A DNS SRV record exists for "_ldap._tcp.dc._msdcs.ad.example.com".

Open the following ports:

  * 53 (DNS) TCP and UDP
  * 389 (LDAP) TCP and UDP
  * 88 (Kerberos) TCP and UDP
  * 464 (Kerberos password changes) TCP and UDP
  * 3268 (LDAP global catalog) TCP
  * 123 (NTP) UDP

Source: https://paulgorman.org/technical/linux-active-directory-auth.txt.html

Disable ID mapping in ''/etc/sssd/sssd.conf'':

<code ini>
ldap_id_mapping = false
</code>

== Conf ==

<code ini>
# Important: enumeration affects performance
enumerate = false
cache_credentials = True
# How long should we allow cached logins (in days since the last successful online login).
# 0 for no limit
# offline_credentials_expiration = 0
default_shell = /bin/bash
# ad_gpo_access_control = enforcing     # RHEL 8 default
# ad_gpo_access_control = permissive    # Do not block authentication when the GPOs cannot be reached (permissive or disabled)
ad_gpo_access_control = disabled
# dyndns_update = false
ldap_referrals = false
</code>

== sssd login problems ==

<code bash>
systemctl restart sssd
tail /var/log/secure
sssctl config-check
systemctl stop sssd
ps -ef | grep sssd
killall sssd
rm /var/lib/sss/db/*
systemctl start sssd
getent passwd plop
</code>

Delete the cache:

<code bash>
sss_cache -E
</code>

== Other ==

<code bash>
rm -rf /etc/authselect/custom/activedirectory-ACME.LOCAL/
authselect create-profile activedirectory-ACME.LOCAL -b sssd
authselect select custom/activedirectory-ACME.LOCAL with-pamaccess with-mkhomedir --force
</code>

The configuration present in ''/etc/authselect/user-nsswitch.conf'':

<code bash>
grep passwd /etc/authselect/custom/activedirectory-ACME.LOCAL/nsswitch.conf | grep -q with-files-domain && echo "profil OK" || echo "profil KO"
egrep "^passwd:" /etc/nsswitch.conf | grep -q "files sss" && echo "conf OK" || echo "conf KO"
</code>
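The following script is an added example and is not part of the original notes: it turns the prerequisites section (SRV records, TCP ports) and the Conf section (recommended sssd.conf values) into a pre-join check. ''ad.example.com'' is the page's example domain; the domain controller name ''dc1.ad.example.com'' is an assumed placeholder, and the script assumes ''dig'' (bind-utils) and ''timeout'' (coreutils) are installed. The sssd.conf it checks is a constructed sample written to a temporary file, so a dry run needs no AD access.

```shell
#!/usr/bin/env bash
# Added example, not part of the original wiki notes: pre-join checks for the
# prerequisites listed on the page (SRV records, TCP ports) plus a sanity check
# of the sssd.conf settings from the "Conf" section.
# "ad.example.com" is the page's example domain; "dc1.ad.example.com" is an
# assumed placeholder for a domain controller.

# Print the two SRV record names AD discovery relies on for a domain.
srv_names() {
    domain="$1"
    printf '_ldap._tcp.%s\n' "$domain"
    printf '_ldap._tcp.dc._msdcs.%s\n' "$domain"
}

# Resolve an SRV record with dig; prints the targets, returns 1 if none answer.
check_srv() {
    out=$(dig +short SRV "$1" 2>/dev/null) || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Probe one TCP port through bash's /dev/tcp (run in a bash child so the rest
# of the script stays POSIX sh); timeout comes from coreutils.
check_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# TCP ports from the page. 53, 88, 389 and 464 also need UDP, which a TCP
# connect cannot verify: check the firewall rules for those by hand.
AD_TCP_PORTS="53 88 389 464 3268"

# Report each port as open/closed; return 1 if any is closed.
check_ports() {
    host="$1"; rc=0
    for p in $AD_TCP_PORTS; do
        if check_tcp "$host" "$p"; then
            echo "$host:$p open"
        else
            echo "$host:$p closed"; rc=1
        fi
    done
    return $rc
}

# Read "key = value" from an sssd.conf-style file, ignoring leading whitespace
# and "#" comment lines; prints the first value found, lowercased and trimmed.
conf_value() {
    file="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$file" \
        | head -n 1 | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//'
}

# Compare the settings the page recommends; print each mismatch, return 1 if any.
check_conf() {
    file="$1"; rc=0
    for pair in "enumerate=false" "cache_credentials=true" \
                "ad_gpo_access_control=disabled" "ldap_referrals=false" \
                "ldap_id_mapping=false"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config for a self-contained run (deliberately leaves
# ad_gpo_access_control at permissive so one mismatch is reported).
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/ad.example.com]
# enumeration is expensive
enumerate = false
cache_credentials = True
ldap_id_mapping = false
ad_gpo_access_control = permissive
ldap_referrals = false
EOF
}

# usage: adcheck.sh <domain> <dc-host>
main() {
    for n in $(srv_names "$1"); do
        check_srv "$n" >/dev/null && echo "SRV $n: ok" || echo "SRV $n: MISSING"
    done
    check_ports "$2" || echo "some TCP ports are blocked"
    tmp=$(mktemp); write_sample_conf "$tmp"
    check_conf "$tmp" || echo "sssd.conf deviates from the recommended settings"
    rm -f "$tmp"
}

# Only run the network checks when called with arguments, so the file can be
# sourced for its functions without touching the network.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as ''./adcheck.sh ad.example.com dc1.ad.example.com''; to check the real configuration instead of the constructed sample, call ''check_conf /etc/sssd/sssd.conf'' after sourcing the file. A missing ''_ldap._tcp.dc._msdcs'' record is the usual reason discovery fails while plain LDAP queries still work.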