When Linux clients authenticate against AD, the SSSD daemon configuration file needs the following parameters in the [AD/Linux.domain] section, in addition to the default parameters.
These entries fine-tune the login time so that the login process completes quickly.
ad_enable_gc = False
krb5_canonicalize = false
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
The [nss] section needs the following parameters for the user's home directory to be created on login:
[nss]
homedir_substring = /home/%u
default_shell = /bin/bash
# Homedir
override_homedir = /home/%u
OR, enable home directory creation when enrolling the client:
ipa-client-install --enable-dns-updates --mkhomedir --domain linux-domain
OR, install oddjob and enable it through authconfig:
yum install oddjob oddjob-mkhomedir
authconfig --enablemkhomedir --update
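As an added example (not from the original post), a small Python check that parses an sssd.conf and reports which of the entries above are missing, or set to a different value, in the [domain/...] and [nss] sections. The embedded configuration is constructed for the demonstration and deliberately leaves two entries out; pass the path of a real file (for example /etc/sssd/sssd.conf, which is readable only by root) as an argument to audit it instead.

```python
import configparser
import sys

# Constructed sample sssd.conf for this check; it is not a real host's file.
# It leaves out ldap_purge_cache_timeout and override_homedir on purpose.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = linux.domain
services = nss, pam

[domain/linux.domain]
id_provider = ad
access_provider = ad
ad_enable_gc = False
krb5_canonicalize = false
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True

[nss]
homedir_substring = /home/%u
default_shell = /bin/bash
"""

# Entries from the post, keyed by the section they belong in.  Values are
# compared case-insensitively, since SSSD accepts True/true for booleans.
EXPECTED_DOMAIN = {
    "ad_enable_gc": "false",
    "krb5_canonicalize": "false",
    "ignore_group_members": "true",
    "ldap_purge_cache_timeout": "0",
}
EXPECTED_NSS = {
    "homedir_substring": "/home/%u",
    "default_shell": "/bin/bash",
    "override_homedir": "/home/%u",
}
# Options the post says trusted subdomains must inherit from the parent domain.
SUBDOMAIN_INHERIT = {"ignore_group_members", "ldap_purge_cache_timeout"}


def load_sssd_conf(text):
    """Parse sssd.conf (INI syntax).  %u must not be expanded, so turn off interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def check_section(parser, section, expected):
    """Return findings for one section: keys that are absent or differ from the expected value."""
    if not parser.has_section(section):
        return [f"section [{section}] missing"]
    findings = []
    for key, want in expected.items():
        if not parser.has_option(section, key):
            findings.append(f"[{section}] {key} not set")
            continue
        got = parser.get(section, key).strip()
        if got.lower() != want.lower():
            findings.append(f"[{section}] {key} = {got} (expected {want})")
    return findings


def check_subdomain_inherit(parser, section):
    """Report any option from SUBDOMAIN_INHERIT that subdomain_inherit does not list."""
    if not parser.has_option(section, "subdomain_inherit"):
        return [f"[{section}] subdomain_inherit not set"]
    inherited = {v.strip() for v in parser.get(section, "subdomain_inherit").split(",")}
    return [f"[{section}] subdomain_inherit lacks {m}" for m in sorted(SUBDOMAIN_INHERIT - inherited)]


def audit(text):
    """Return a list of human-readable findings; an empty list means everything expected is present."""
    parser = load_sssd_conf(text)
    findings = []
    enabled = set()
    if parser.has_option("sssd", "domains"):
        enabled = {d.strip() for d in parser.get("sssd", "domains").split(",")}
    domain_sections = [s for s in parser.sections() if s.startswith("domain/")]
    if not domain_sections:
        findings.append("no [domain/...] section found")
    for section in domain_sections:
        name = section.split("/", 1)[1]
        if name not in enabled:
            # A domain section that [sssd] does not enable is silently ignored by SSSD.
            findings.append(f"{name} is not listed in [sssd] domains")
        findings.extend(check_section(parser, section, EXPECTED_DOMAIN))
        findings.extend(check_subdomain_inherit(parser, section))
    findings.extend(check_section(parser, "nss", EXPECTED_NSS))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SSSD_CONF
    for line in audit(text) or ["all expected entries present"]:
        print(line)
```

Running it without arguments audits the embedded sample and reports the two missing entries; the check only compares what is in the file, so a domain section that is present but not named in [sssd] domains is also flagged, because SSSD ignores such sections.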
Uninstall the ipa client:
ipa-client-install --enable-dns-updates --uninstall
Note: the same settings work on CentOS 7.
Note: if a stale cache is causing issues, clean the cache database and restart the SSSD daemon (this also discards cached credentials, so users must be able to reach a domain controller for their next login).
systemctl stop sssd ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; systemctl start sssd
Happy Linux!