Kerberize CentOS 7 with Active Directory (from Dell PowerScale: Integrating OneFS with Kerberos Environment for Protocols)
There are several ways to integrate a Linux system with an AD environment: the native LDAP and Kerberos PAM and NSS modules, Samba Winbind, or SSSD. This example uses SSSD to Kerberize CentOS 7 against AD. The steps below were run on CentOS 7.5 against a Windows Server 2016 Active Directory domain.
# yum install sssd
This also pulls in the packages for all supported providers (AD, LDAP, and Kerberos). Using Active Directory as the SSSD provider by hand is a complex task: each underlying service (NSS, PAM, Kerberos) and SSSD itself has many configuration parameters. The realmd tool, used in the realm join step below, generates that configuration for you.
# yum install realmd samba-common-tools
# yum install krb5-workstation
# realm join example.com -U administrator --automatic-id-mapping=no
The realmd system provides a simple way to discover and join a domain. It automatically configures the underlying Linux services to use the domain, writing or updating key configuration files including:
/etc/sssd/sssd.conf, /etc/nsswitch.conf, /etc/pam.d/system-auth, /etc/krb5.conf, and /etc/krb5.keytab.
Note that /etc/krb5.keytab now holds the keys of the host's AD computer account (the host/ principal); it must remain readable by root only.
By default, SSSD maps Windows SIDs to UIDs/GIDs algorithmically on the local system. Those IDs are valid only on that system and will generally differ from the IDs OneFS assigns to the same users. Because NFS carries identity as numeric UIDs/GIDs, domain users must have consistent UIDs/GIDs across the OneFS cluster and all NFS clients, otherwise ownership and permission checks disagree between client and cluster. It is therefore recommended to disable ID mapping at join time with the realm utility's --automatic-id-mapping=no option. This configures SSSD to use the POSIX attributes (RFC 2307 uidNumber/gidNumber) stored in AD. If a client has already joined the domain without disabling ID mapping, add ldap_id_mapping = False to the domain section of /etc/sssd/sssd.conf, then restart SSSD and clear its cache (sss_cache -E) so previously cached algorithmic IDs are dropped.
# id user01@EXAMPLE.COM
uid=10001(user01@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),10001(linuxusers@example.com)
Use the kinit command to request a Kerberos ticket-granting ticket (TGT) from AD for an AD user, then check the ticket using the klist command.
# kinit user01@EXAMPLE.COM
Password for user01@EXAMPLE.COM:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user01@EXAMPLE.COM

Valid starting       Expires              Service principal
26/02/19 02:53:29    26/02/19 12:53:29    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/03/19 02:53:24
Configure the NFSv4 ID mapper in /etc/idmapd.conf:
In the [General] section, set the NFSv4 domain so that it matches the NFSv4 domain configured on the OneFS cluster: Domain = example.com
In the [Translation] section, add SSSD as the NFSv4 user ID <=> name mapping method: Method = nsswitch,sss (the sss method is provided by the sssd-nfs-idmap package)
Restart the ID mapping service; on CentOS 7 the systemd unit is nfs-idmapd: systemctl restart nfs-idmapd. The NFSv4 client also caches name/ID mappings in the kernel keyring, so run nfsidmap -c after changing /etc/idmapd.conf to drop stale mappings.
Load the RPCSEC_GSS kernel modules and restart the client-side GSS daemon (the rpc-gssd unit on CentOS 7). rpc.gssd uses the host/ key in /etc/krb5.keytab, created by realm join, as the machine credential for the mount itself; each user's own file access is authenticated with that user's Kerberos ticket.
# modprobe auth_rpcgss
# modprobe rpcsec_gss_krb5
# depmod -a
# systemctl restart rpc-gssd
Mount the OneFS export with Kerberos security. sec=krb5 authenticates each user's RPC calls with Kerberos but leaves the data unprotected on the wire; use sec=krb5i for integrity or sec=krb5p for integrity plus encryption, provided the OneFS export permits that security flavor.
# mount -t nfs -vo nfsvers=4.0,sec=krb5 sc01.example.com:/ifs/nfs /mnt/nfs
To mount at boot, add the corresponding entry to /etc/fstab:
sc01.example.com:/ifs/nfs /mnt/nfs nfs4 rw,vers=4.0,sec=krb5 0 0
Once user01 accesses the mount, klist run as user01 shows a service ticket for nfs/sc01.example.com@EXAMPLE.COM beside the TGT. This confirms that the NFS client authenticated the user account user01@EXAMPLE.COM to the OneFS cluster NFS service through the SmartConnect name sc01.example.com. Note that the credential cache is now the persistent keyring of UID 10001 (user01), not root's cache from the earlier kinit: with sec=krb5, every user who touches the mount needs their own valid Kerberos ticket.
# klist
Ticket cache: KEYRING:persistent:10001:krb_ccache_Ew4cwW9
Default principal: user01@EXAMPLE.COM
Valid starting       Expires              Service principal
26/02/19 03:26:34    26/02/19 13:24:18    nfs/sc01.example.com@EXAMPLE.COM
        renew until 05/03/19 03:24:18
26/02/19 03:24:18    26/02/19 13:24:18    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/03/19 03:24:18
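The ID-mapping, idmapd.conf, GSS-module and mount steps above, collected into one verification script. This is an added example, not code from the Dell document or from the realmd/nfs-utils projects; it assumes the realm EXAMPLE.COM, the SmartConnect name sc01.example.com and the mount point /mnt/nfs used on this page, and the CentOS 7 unit names nfs-idmapd and rpc-gssd. The file-editing helpers take a path argument so they can be tried on a copy of /etc/idmapd.conf first; the live checks only run when the script is invoked with --live.

```bash
#!/bin/bash
# Added example (not from the Dell page): post-join checks for a Kerberized
# NFSv4 client configured with SSSD. Assumed names: realm EXAMPLE.COM,
# SmartConnect name sc01.example.com, mount point /mnt/nfs.
# Usage as root on the CentOS 7 client:  ./nfs-krb-check.sh --live
set -u

# idmapd_set FILE SECTION KEY VALUE: set "KEY = VALUE" under [SECTION] in an
# idmapd.conf-style file. Replaces an existing or commented-out line for KEY,
# appends to the section otherwise, and creates the section if missing.
idmapd_set() {
    local file=$1 section=$2 key=$3 value=$4
    grep -q "^\[$section\]" "$file" || printf '\n[%s]\n' "$section" >>"$file"
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[/ { if (insec && !done) { print k " = " v; done = 1 }
                insec = ($0 == "[" s "]") }
        insec && ($0 ~ ("^[# \t]*" k "[ \t]*=")) {
                if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (insec && !done) print k " = " v }
    ' "$file" >"$file.tmp" && mv "$file.tmp" "$file"
}

# idmapd_get FILE SECTION KEY: print the active (uncommented) value of KEY.
idmapd_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { insec = ($0 == "[" s "]"); next }
        insec && ($0 ~ ("^" k "[ \t]*=")) { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# sssd_id_mapping_disabled FILE: succeeds if sssd.conf turns off algorithmic
# SID-to-UID mapping (ldap_id_mapping = false/no), i.e. AD POSIX attributes are used.
sssd_id_mapping_disabled() {
    grep -Eiq '^[ \t]*ldap_id_mapping[ \t]*=[ \t]*(false|no)[ \t]*$' "$1"
}

# mount_sec_flavor MOUNTS_FILE MOUNTPOINT: print the sec= flavor (sys, krb5,
# krb5i, krb5p) of the NFS mount at MOUNTPOINT from /proc/mounts-style input.
mount_sec_flavor() {
    awk -v mp="$2" '$2 == mp && $3 ~ /^nfs/ {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) { sub(/^sec=/, "", o[i]); print o[i]; exit }
    }' "$1"
}

# Live checks against the real client; returns non-zero if anything is wrong.
verify_client() {
    local rc=0 m flavor
    idmapd_set /etc/idmapd.conf General Domain example.com
    idmapd_set /etc/idmapd.conf Translation Method nsswitch,sss
    nfsidmap -c 2>/dev/null   # drop cached name/ID mappings so the new Domain applies
    sssd_id_mapping_disabled /etc/sssd/sssd.conf \
        || { echo "FAIL: ldap_id_mapping still enabled; UIDs will not match OneFS"; rc=1; }
    for m in auth_rpcgss rpcsec_gss_krb5; do
        lsmod | grep -q "^$m " || { echo "FAIL: kernel module $m not loaded"; rc=1; }
    done
    klist -k /etc/krb5.keytab 2>/dev/null | grep -q '^ *[0-9]* *host/' \
        || { echo "FAIL: no host/ key in /etc/krb5.keytab (rpc.gssd needs it for the mount)"; rc=1; }
    flavor=$(mount_sec_flavor /proc/mounts /mnt/nfs)
    case $flavor in
        krb5p) echo "OK: /mnt/nfs mounted with sec=krb5p (auth + integrity + privacy)" ;;
        krb5i) echo "OK: /mnt/nfs mounted with sec=krb5i (auth + integrity)" ;;
        krb5)  echo "WARN: /mnt/nfs mounted with sec=krb5: Kerberos auth only, data unprotected" ;;
        "")    echo "FAIL: /mnt/nfs is not an NFS mount"; rc=1 ;;
        *)     echo "FAIL: /mnt/nfs uses sec=$flavor, not Kerberos"; rc=1 ;;
    esac
    return $rc
}

if [ "${1:-}" = --live ]; then
    verify_client
fi
```

The two idmapd.conf helpers are written as idempotent functions rather than sed one-liners so the script can be rerun after a package update restores the commented-out defaults; the sec= check deliberately treats plain krb5 as a warning, since it authenticates the user but does nothing for the data on the wire.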