How to configure Active Directory authentication using SSSD on a Flex Appliance master server instance
Description
How to configure Active Directory authentication using SSSD on a Flex Appliance master server instance.
1. The Active Directory must be reachable from the Flex master server instance network. Update the Flex Appliance instance network settings if needed. Do not modify resolv.conf directly; use the Flex UI to update network settings such as domain details. You may need to open ports 139 and 445 to the Windows Active Directory for RPC communication between the Flex and AD networks.
2. Log in to the Flex Appliance master server instance through SSH as appadmin, and perform the following.
$ sudo bash
# realm join <Active Directory domain name> -v -U <domainadminaccount>
Enter the <domainadminaccount> password when prompted.
Once successfully joined to AD, you will get a message saying “Successfully enrolled machine in realm”.
# realm list    (to verify AD domain details)
3. Edit the /etc/sssd/sssd.conf file and add the directive 'enumerate = True' to the '[domain/<theirADdomain>]' stanza.
4. Clear the sssd cache:
# sss_cache -E
5. Restart sssd
# systemctl stop sssd
# systemctl status sssd
# systemctl start sssd
6. Test AD responsiveness. The 'enumerate' directive is expensive in terms of resources: it asks AD to return every user in every group in the AD hierarchy. Some customers may have AD environments larger than is viable for Flex, and their authentication will time out or fail. If this is the case, restrict the search criteria for sssd in the /etc/sssd/sssd.conf file so that only a subset of the AD hierarchy is searched. For example, edit /etc/sssd/sssd.conf and, under the same stanza as 'enumerate = True', add the following (changed to match the customer's AD layout):
ldap_user_search_base = OU=User Accounts,OU=Accounts,DC=corp,DC=somecompany,DC=com
ldap_group_search_base = CN=somegroup,OU=anothergroup,OU=maybeanothergroup,DC=corp,DC=somecompany,DC=com
If this is done, sssd must be restarted.
7. Log in to the Flex master server instance web UI as the appadmin user.
8. Configure RBAC from the NetBackup web UI and assign a role to the AD user or group. Refer to the NetBackup RBAC documentation for details.
9. Test logging in to the NBU Java console and the NBU web console with credentials in the form 'user@somecompany.com'. For the NBU Java console, /usr/openv/java/auth.conf must still be updated to include 'user@somecompany.com'.
10. Changes to /etc/sssd/sssd.conf and /usr/openv/java/auth.conf DO PERSIST after container restarts.
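The sssd.conf edits from steps 3 and 6, with the cache flush and restart of steps 4 and 5, as a script. This is an added example, not Veritas Flex or SSSD code; the function names, the backup naming and the use of awk for the in-place edit are assumptions.

```bash
#!/bin/bash
# Added example (not Flex Appliance or SSSD code): idempotently set a directive in the
# [domain/<AD domain>] stanza of /etc/sssd/sssd.conf, keeping a timestamped backup and the
# file's original mode (sssd refuses to start if sssd.conf is readable by anyone but its owner).
# Assumes awk, cp and mktemp; DN values must not contain backslashes (awk -v expands escapes).
set -eu

# sssd_has_directive <conf> <domain> <key>: 0 if <key> is already set inside the stanza.
sssd_has_directive() {
    local conf="$1" domain="$2" key="$3"
    awk -v stanza="[domain/$domain]" -v key="$key" '
        /^\[/ { in_stanza = ($0 == stanza) }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") { found = 1 }
        END { exit found ? 0 : 1 }' "$conf"
}

# set_sssd_directive <conf> <domain> <key> <value>: replace the directive if the stanza already
# has it, append it to the stanza otherwise; fail with the file untouched if the stanza is missing.
set_sssd_directive() {
    local conf="$1" domain="$2" key="$3" value="$4" tmp
    tmp="$(mktemp)"
    if ! awk -v stanza="[domain/$domain]" -v key="$key" -v value="$value" '
        function emit_pending() { if (in_stanza && !done) { print key " = " value; done = 1 } }
        /^\[/ { emit_pending(); in_stanza = ($0 == stanza) }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") { if (!done) { print key " = " value; done = 1 }; next }
        { print }
        END { emit_pending(); if (!done) exit 2 }' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "stanza [domain/$domain] not found in $conf" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    cat "$tmp" > "$conf"    # overwrite in place so mode 0600 and root ownership are preserved
    rm -f "$tmp"
}

# apply_ad_search_limits <domain> <user base DN> <group base DN>: the step 6 change for large
# AD forests, followed by the cache flush and restart of steps 4 and 5. Run as root on the appliance.
apply_ad_search_limits() {
    local conf=/etc/sssd/sssd.conf
    set_sssd_directive "$conf" "$1" enumerate True
    set_sssd_directive "$conf" "$1" ldap_user_search_base "$2"
    set_sssd_directive "$conf" "$1" ldap_group_search_base "$3"
    sss_cache -E
    systemctl restart sssd
}
```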
Example Procedure:
[appadmin@cft-master2 ~]$ # sudo realm join ros2100.veritas.com -v
[enter the appadmin password]
* Resolving: _ldap._tcp.ros2100.veritas.com
* Performing LDAP DSE lookup on: 10.80.251.151
* Performing LDAP DSE lookup on: 10.80.251.150
* Successfully discovered: ros2100.veritas.com
Password for Administrator:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WDRW1Z -U Administrator ads join ros2100.veritas.com
Enter Administrator's password:
Using short domain name -- ROS2100
Joined 'STEST220' to dns domain 'ros2100.veritas.com'
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WDRW1Z -U Administrator ads keytab create
Enter Administrator's password:
* /usr/bin/systemctl enable sssd.service
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
* Successfully enrolled machine in realm
[appadmin@cft-master2 ~]$ realm list
ros2100.veritas.com
type: kerberos
realm-name: ROS2100.VERITAS.COM
domain-name: ros2100.veritas.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@ros2100.veritas.com
login-policy: allow-realm-logins
# vi /etc/sssd/sssd.conf
(add enumerate = True and possibly the search_base directives to the [domain/ros2100.veritas.com] stanza)
# sss_cache -E
# systemctl stop sssd
# systemctl start sssd
Additional info:
Troubleshooting:
You may face the issue below due to a firewall between the Active Directory and Flex Appliance networks.
Ports 139 and 445 must be open for RPC communication.
bash-4.2# realm join ros2100.veritas.com -v
* Resolving: _ldap._tcp.ros2100.veritas.com
* Performing LDAP DSE lookup on: 10.80.251.150
* Performing LDAP DSE lookup on: 10.80.251.151
* Successfully discovered: ros2100.veritas.com
Password for Administrator:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.IPRQ1Z -U Administrator ads join ros2100.veritas.com
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'ros2100.veritas.com' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
! Joining the domain ros2100.veritas.com failed
realm: Couldn't join realm: Joining the domain ros2100.veritas.com failed
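A connectivity preflight for the firewall failure shown above, added here as an example and not part of the original article. It resolves the same _ldap._tcp SRV name that realm join resolves first and probes each domain controller on 139 and 445 (the ports the article names) plus 88 and 389 (Kerberos and LDAP, which the join also needs); dig, timeout, bash and the extra ports are assumptions.

```bash
#!/bin/bash
# Added example (not Flex Appliance code): preflight check for step 1 and the troubleshooting
# case. Assumes dig, timeout and bash are available on the appliance.
set -eu

# parse_srv: read `dig +short SRV` lines ("priority weight port target.") on stdin and print
# "port target" per line, lowest priority first, with the trailing dot removed.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $3, $4 }' | sort -n | awk '{ print $2, $3 }'
}

# tcp_open <host> <port>: 0 if a TCP connection succeeds within 3 seconds (bash /dev/tcp, no nc needed).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# ad_preflight <domain>: print one line per DC and port; return 1 if anything is blocked,
# the state that produces the "{Device Timeout}" join failure shown above.
ad_preflight() {
    local domain="$1" rc=0 host port dcs
    dcs="$(dig +short SRV "_ldap._tcp.$domain" | parse_srv | awk '{ print $2 }' | sort -u)"
    if [ -z "$dcs" ]; then
        echo "no SRV records for _ldap._tcp.$domain: fix DNS/domain settings in the Flex UI first" >&2
        return 1
    fi
    for host in $dcs; do
        for port in 88 389 139 445; do
            if tcp_open "$host" "$port"; then
                echo "$host:$port open"
            else
                echo "$host:$port BLOCKED"; rc=1
            fi
        done
    done
    return "$rc"
}
```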