Microsoft announced in 2016 that at the end of the Life Cycle for Windows Server 2012 R2, the POSIX or Unix Attributes in Active Directory will be deleted. I contacted Microsoft and found that date is July 12, 2022, so I have 4 years to figure this out. Also, this would be a great place to bring this to light.
From Microsoft:
https://blogs.technet.microsoft.com/act ... ws-server/
Even Red Hat has a URL:
https://access.redhat.com/articles/2203991
I have two SFTP servers and a file server using CentOS/Red Hat, and they authenticate against Active Directory. We have customers that pick up/drop off files. I don't want to have to tell all of my customers that they need to change their passwords. I'm not opposed to setting up an OpenLDAP server, but that would require the customers to change their passwords after migration. Also, my boss wants to keep authentication in AD.
I have been working on a VM on my laptop to try and figure out how to configure SSSD to connect to AD for authentication purposes only, and get the shell and home directory from the config files on the Linux server. I have Domain User permissions in AD and have tried playing with different settings in a test user on AD as well as the files on the Linux machine.
Here is my question: my SFTP servers will authenticate users as <loginID> and grab the POSIX values, but when I configure the user to not use the POSIX values, I can get authenticated, but I have to use <loginID>@company.local. The goal is to continue to use just <loginID> and grab the password from AD for authentication.
Is there a way to do this, or will my customers have to change their loginID and/or password when I am forced to switch to OpenLDAP? I have been reading a lot and see that there are a multitude of ways to accomplish connecting to AD; I'm just not sure which way works best for what I want.
Here is the SSSD config that allows me to use <loginID>@company.local:
Code:
[sssd]
domains = company.local
config_file_version = 2
services = nss, pam
[domain/company.local]
ad_server = ad.company.local
ad_domain = company.local
krb5_realm = COMPANY.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
# simple provider with no simple_allow_users/simple_allow_groups list allows every AD user
access_provider = simple
ldap_schema = ad
krb5_store_password_if_offline = True
# this is an [sssd]-section option; it has no effect inside a domain section
default_domain_suffix = company.local
# used only when AD supplies no loginShell for the user
default_shell = /bin/bash
# derive UID/GID from the account's objectSID instead of reading uidNumber/gidNumber from AD
ldap_id_mapping = true
# every lookup and login must be given as user@company.local
use_fully_qualified_names = True
# used only when AD supplies no unixHomeDirectory for the user
fallback_homedir = /home/%u
override_space = _
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
Code:
[sssd]
config_file_version = 2
domains = company.local
services = nss, pam
debug_level = 9
[nss]
[pam]
[domain/company.local]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
#ldap_sasl_mech = GSSAPI
ldap_default_bind_dn = CN=<cn>,OU=<ou>,OU=<ou>,DC=company,DC=local
ldap_default_authtok_type = password
# cleartext bind password: sssd.conf must stay owned by root with mode 0600
ldap_default_authtok = <password>
ldap_schema = rfc2307bis
ldap_user_search_base = ou=<ou>,dc=company,dc=local
ldap_user_object_class = user
# AD stores the POSIX home directory in unixHomeDirectory, not homeDirectory
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = sAMAccountName
ldap_group_search_base = ou=<ou>,ou=<ou>,dc=company,dc=local
ldap_group_object_class = group
# deny logins for accounts AD marks disabled or expired (userAccountControl/accountExpires)
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = COMPANY.LOCAL
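As an added example, not part of this post: one way to keep the AD provider but accept a bare <loginID> is to drop default_domain_suffix, turn off use_fully_qualified_names, let SSSD map UIDs/GIDs from the SID, and force shell and home directory from sssd.conf with override_shell/override_homedir so the AD POSIX attributes are never consulted. Domain, server and realm names are the ones from the post, and it assumes the host is already joined to the domain (as the realmd_tags line suggests).

```ini
# /etc/sssd/sssd.conf (added example); must be owned by root, mode 0600, or sssd refuses to start
[sssd]
config_file_version = 2
domains = company.local
services = nss, pam
# no default_domain_suffix here: when it is set, SSSD shows and expects names as user@domain

[domain/company.local]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_server = ad.company.local
ad_domain = company.local
krb5_realm = COMPANY.LOCAL
cache_credentials = True
krb5_store_password_if_offline = True

# False (the default) lets a bare <loginID> resolve in this domain
use_fully_qualified_names = False

# Derive UID/GID algorithmically from objectSID so uidNumber/gidNumber in AD are never read.
# The mapped IDs differ from any uidNumber values in use today, so files owned by these
# users on the SFTP servers have to be re-owned after the switch.
ldap_id_mapping = True

# Force shell and home directory from this file even when AD has loginShell/unixHomeDirectory
# (default_shell/fallback_homedir would only apply when AD has no value).
override_shell = /bin/bash
override_homedir = /home/%u
override_space = _

# Honour disabled/expired accounts in AD instead of allowing everyone, which is what
# access_provider = simple does with no allow list. To restrict further, add an
# ad_access_filter, or use access_provider = simple with simple_allow_groups.
access_provider = ad
```

After saving, run `sss_cache -E` and restart sssd, then confirm that `getent passwd <loginID>` and `id <loginID>` resolve without the @company.local suffix and show the mapped UID.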