8

I want to make a CentOS 7 installation with LDAP authentication, so I installed authconfig-gtk, sssd and krb5-workstation.

When I tried to start the service, I got a message telling me that there is no config file under /etc/sssd/.

I did some research via Google and one solution I've found was to copy the file from /usr/share/doc/sssd-common-1.14.0/sssd.conf to /etc/sssd/.

Then I found in the log file that the service couldn't start because of a missing read permission. So I changed the permissions to 770. Still the service couldn't start.

Looking for any help with this problem, or for how to install sssd with a config file using yum.

U880D
0xh3xa

2 Answers

6

Try

chmod 600 /etc/sssd/sssd.conf (path to sssd.conf)

and then restart the sssd service (service sssd restart).

sssd.conf should belong to the root user with 0600 permissions only, i.e.

your sssd.conf file should look like below:

root@proxy:/# ls -l /etc/sssd/sssd.conf
-rw------- 1 root root 292 Mar 28 12:59 /etc/sssd/sssd.conf

not with 770 permissions:

root@proxy:/# ls -l /etc/sssd/sssd.conf
-rwxrwx--- 1 root root 292 Mar 28 12:59 /etc/sssd/sssd.conf

Here is the error in my Ubuntu /var/log/syslog when sssd.conf doesn't have 600 permissions:

Apr  1 14:24:27 proxy sssd: Cannot read config file /etc/sssd/sssd.conf. Please check if permissions are 0600 and the file is owned by root.root
Rui F Ribeiro
Rahul_Dange
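A small check for the condition this answer describes (root-owned, mode 0600), added here as an example and not part of the original answer. It assumes GNU stat; the optional second argument (expected owner) exists only so the check can be exercised on a temporary file that is not owned by root.

```shell
#!/bin/sh
# Added example: verify that an sssd.conf satisfies what SSSD enforces before
# it reads the file: owned by root and mode 0600 (no group/other/execute bits).
# Assumes GNU stat (Linux). Second argument overrides the expected owner so the
# check can run on a constructed, non-root-owned file.

sssd_conf_check() {
    conf=${1:-/etc/sssd/sssd.conf}
    want_owner=${2:-root}
    status=0

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf does not exist (generate it with authconfig)"
        return 2
    fi

    # %a = octal mode without leading zero, %U = owner name
    mode=$(stat -c '%a' "$conf")
    owner=$(stat -c '%U' "$conf")

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $conf is owned by $owner, expected $want_owner (chown root:root)"
        status=1
    fi

    if [ "$mode" != "600" ]; then
        echo "FAIL: $conf has mode $mode, expected 600 (chmod 0600)"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $conf is $want_owner-owned with mode 0600"
    return "$status"
}

# Demo on a constructed temporary file so nothing under /etc/sssd is touched.
demo_sssd_conf_check() {
    tmp=$(mktemp)
    printf '[sssd]\n' > "$tmp"
    chmod 770 "$tmp"
    sssd_conf_check "$tmp" "$(id -un)"   # reports the wrong mode, as in the question
    chmod 600 "$tmp"
    sssd_conf_check "$tmp" "$(id -un)"   # passes
    rm -f "$tmp"
}
```

Run `sssd_conf_check` with no arguments on the host itself to test the real /etc/sssd/sssd.conf against the root-owner requirement.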
3

The /etc/sssd/sssd.conf file is generated via authconfig or authconfig-gtk when you enable a user information source and an authentication source.


Generate sssd.conf

To generate a sssd.conf file:

Authconfig

  • LDAP user info and LDAP authentication:

    authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --enableldapstarttls --enablemkhomedir --update

  • LDAP user info and kerberos authentication:

    authconfig --enableldap --enablekrb5 --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --enableldapstarttls --enablemkhomedir --krb5realm=EXAMPLE.COM --krb5kdc=ldap.example.com --krb5adminserver=ldap.example.com --update

Authconfig-gtk (GUI)

  • Applications > Sundry > Authentication
  • Identity & Authentication tab
    • User Account Database: LDAP (or FreeIPA)
    • LDAP Search Base DN: dc=example,dc=com
    • LDAP Server: ldap.example.com
    • Authentication Method: LDAP Password (or Kerberos password)
      • If Kerberos password, fill out:
      • Realm: EXAMPLE.COM (yes, all caps)
      • KDCs: ldap.example.com
      • Admin Servers: ldap.example.com


More Details

Conditions for sssd to be used (source: man authconfig):

"The SSSD service is enabled and possibly started by authconfig when at least two of the following three conditions are met:

  1. /etc/sssd/sssd.conf file exists (or is configured via the implicit SSSD support)
  2. SSSD authentication is enabled (pam_sss.so is used in PAM configuration)
  3. SSSD is enabled for user identity (nsswitch.conf contains sss)"


SSSD will be used when it is installed and satisfies the above via these commands.

This config option triggers /etc/nsswitch.conf updates:

  • enableldap

These config options trigger PAM configuration updates (/etc/pam.d/system-auth):

  • enableldapauth
  • enablekrb5
dozor