2873N/A<?
xml version="1.0" encoding="UTF-8"?>
2873N/A<!
DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" 2873N/A<
title>SSSD Manual pages</
title>
2873N/A <
refentrytitle>sssd-ad</
refentrytitle>
2873N/A <
refmiscinfo class="manual">File Formats and Conventions</
refmiscinfo>
2873N/A <
refpurpose>SSSD Active Directory provider</
refpurpose>
2873N/A <
refsect1 id='description'>
6782N/A This manual page describes the configuration of the AD provider
2873N/A <
refentrytitle>sssd</
refentrytitle>
2873N/A For a detailed syntax reference, refer to the <
quote>FILE FORMAT</
quote> section of the
2873N/A </
citerefentry> manual page.
2873N/A The AD provider is a back end used to connect to an Active
6782N/A Directory server. This provider requires that the machine be
2899N/A joined to the AD domain and a keytab is available.
3817N/A The AD provider supports connecting to Active Directory 2008 R2
2873N/A or later. Earlier versions may work, but are unsupported.
2873N/A The AD provider can be used to get user information
2873N/A and authenticate users from trusted domains. Currently
2873N/A only trusted domains in the same forest are recognized. In
2873N/A addition servers from trusted domains are always auto-discovered.
2873N/A The AD provider accepts the same options used by the
2873N/A <
refentrytitle>sssd-ldap</
refentrytitle>
</
citerefentry> identity provider and the
<
refentrytitle>sssd-krb5</
refentrytitle>
</
citerefentry> authentication provider with some exceptions described
However, it is neither necessary nor recommended to set these
options. The AD provider can also be used as an access, chpass,
sudo and autofs provider. No configuration of the access provider
is required on the client side.
By default, the AD provider will map UID and GID values from the
objectSID parameter in Active Directory. For details on this, see
the <
quote>ID MAPPING</
quote> section below. If you want to
disable ID mapping and instead rely on POSIX attributes defined in
Active Directory, you should set
In order to retrieve users and groups using POSIX attributes from trusted
domains, the AD administrator must make sure that the POSIX attributes
are replicated to the Global Catalog.
Users, groups and other entities served by SSSD are always treated as
case-insensitive in the AD provider for compatibility with Active
Directory's LDAP implementation.
<
refsect1 id='configuration-options'>
<
title>CONFIGURATION OPTIONS</
title>
<
para>Refer to the section <
quote>DOMAIN SECTIONS</
quote> of the
</
citerefentry> manual page for details on the configuration of an SSSD domain.
<
term>ad_domain (string)</
term>
Specifies the name of the Active Directory domain.
This is optional. If not provided, the
configuration domain name is used.
For proper operation, this option should be
specified as the lower-case version of the long
version of the Active Directory domain.
The short domain name (also known as the NetBIOS
or the flat name) is autodetected by the SSSD.
<
term>ad_enabled_domains (string)</
term>
A comma-separated list of enabled Active Directory domains.
If provided, SSSD will ignore any domains not listed in this
option. If left unset, all domains from the AD forest will
For proper operation, this option must be specified in all
lower-case and as the fully qualified domain name of the
Active Directory domain. For example:
The short domain name (also known as the NetBIOS or the flat
name) will be autodetected by SSSD.
<
term>ad_server, ad_backup_server (string)</
term>
The comma-separated list of
hostnames of the AD servers to which SSSD should
connect in order of preference. For more
information on failover and server redundancy, see
the <
quote>FAILOVER</
quote> section.
This is optional if autodiscovery is enabled.
For more information on service discovery, refer
to the <
quote>SERVICE DISCOVERY</
quote> section.
Note: Trusted domains will always auto-discover
servers even if the primary server is explicitly
defined in the ad_server option.
<
term>ad_hostname (string)</
term>
Optional. May be set on machines where the
hostname(5) does not reflect the fully qualified
name used in the Active Directory domain to
This field is used to determine the host principal
in use in the keytab. It must match the hostname
for which the keytab was issued.
<
term>ad_enable_dns_sites (boolean)</
term>
Enables DNS sites - location based
If true and service discovery (see Service
Discovery paragraph at the bottom of the man page)
is enabled, the SSSD will first attempt to discover
the Active Directory server to connect to using the
Active Directory Site Discovery and fall back to
the DNS SRV records if no AD site is found. The
DNS SRV configuration, including the discovery
domain, is used during site discovery as well.
<
term>ad_access_filter (string)</
term>
This option specifies LDAP access control
filter that the user must match in order
to be allowed access. Please note that the
<
quote>access_provider</
quote> option must be
explicitly set to <
quote>ad</
quote> in order
for this option to have an effect.
The option also supports specifying different
filters per domain or forest. This
extended filter would consist of:
<
quote>KEYWORD:NAME:FILTER</
quote>.
The keyword can be either <
quote>DOM</
quote>,
<
quote>FOREST</
quote> or missing.
If the keyword equals to <
quote>DOM</
quote>
or is missing, then <
quote>NAME</
quote> specifies
the domain or subdomain the filter applies to.
If the keyword equals to <
quote>FOREST</
quote>,
then the filter equals to all domains from the
forest specified by <
quote>NAME</
quote>.
Multiple filters can be separated with the
<
quote>?</
quote> character, similarly to how
Nested group membership must be searched for using
a special OID <
quote>:1.2.840.113556.1.4.1941:</
quote>
to ensure the parser does not attempt to interpret the
colon characters associated with the OID. If you do not
use this OID then nested group membership will not be
resolved. See usage example below and refer here
for further information about the OID:
[MS-ADTS] section LDAP extensions</
ulink>
The most specific match is always used. For
example, if the option specified filter
for a domain the user is a member of and a
global filter, the per-domain filter would
be applied. If there are more matches with
the same specification, the first one is used.
# apply filter on domain called dom1 only:
dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
# apply filter on domain called dom2 only:
DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
FOREST:
EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
# apply filter for a member of a nested group in dom1:
DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
<
term>ad_site (string)</
term>
Specify AD site to which client should try to connect.
If this option is not provided, the AD site will be
<
term>ad_enable_gc (boolean)</
term>
By default, the SSSD connects to the Global
Catalog first to retrieve users from trusted
domains and uses the LDAP port to retrieve
group memberships or as a fallback. Disabling
this option makes the SSSD only connect to
the LDAP port of the current AD server.
Please note that disabling Global Catalog support
does not disable retrieving users from trusted
domains. The SSSD would connect to the LDAP port
of trusted domains instead. However, Global
Catalog must be used in order to resolve
cross-domain group memberships.
<
term>ad_gpo_access_control (string)</
term>
This option specifies the operation mode for
GPO-based access control functionality:
whether it operates in disabled mode, enforcing
mode, or permissive mode. Please note that the
<
quote>access_provider</
quote> option must be
explicitly set to <
quote>ad</
quote> in order for
this option to have an effect.
GPO-based access control functionality uses GPO
policy settings to determine whether or not a
particular user is allowed to logon to a particular
NOTE: If the operation mode is set to enforcing, it
is possible that users that were previously allowed
logon access will now be denied logon access (as
dictated by the GPO policy settings). In order to
facilitate a smooth transition for administrators,
a permissive mode is available that will not enforce
the access control rules, but will evaluate them and
will output a syslog message if access would have
been denied. By examining the logs, administrators
can then make the necessary changes before setting
There are three supported values for this option:
disabled: GPO-based access control rules
are neither evaluated nor enforced.
enforcing: GPO-based access control
rules are evaluated and enforced.
permissive: GPO-based access control
rules are evaluated, but not enforced.
Instead, a syslog message will be
emitted indicating that the user would
have been denied access if this option's
value were set to enforcing.
<
para condition="gpo_default_permissive">
<
para condition="gpo_default_enforcing">
<
term>ad_gpo_cache_timeout (integer)</
term>
The amount of time between lookups of GPO policy
files against the AD server. This will reduce the
latency and load on the AD server if there are
many access-control requests made in a short
<
term>ad_gpo_map_interactive (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access control is evaluated based on
the InteractiveLogonRight and
DenyInteractiveLogonRight policy settings.
Note: Using the Group Policy Management Editor
this value is called "Allow log on locally"
and "Deny log on locally".
It is possible to add another PAM service name
to the default set by using <
quote>+service_name</
quote>
or to explicitly remove a PAM service name from
the default set by using <
quote>-service_name</
quote>.
For example, in order to replace a default PAM service
name for this logon right (
e.g. <
quote>login</
quote>)
with a custom pam service name (
e.g. <
quote>my_pam_service</
quote>),
you would use the following configuration:
ad_gpo_map_interactive = +my_pam_service, -login
Default: the default set of PAM service names includes:
<
term>ad_gpo_map_remote_interactive (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access control is evaluated based on
the RemoteInteractiveLogonRight and
DenyRemoteInteractiveLogonRight policy settings.
Note: Using the Group Policy Management Editor this
value is called "Allow log on through Remote Desktop
Services" and "Deny log on through Remote Desktop
It is possible to add another PAM service name
to the default set by using <
quote>+service_name</
quote>
or to explicitly remove a PAM service name from
the default set by using <
quote>-service_name</
quote>.
For example, in order to replace a default PAM service
name for this logon right (
e.g. <
quote>sshd</
quote>)
with a custom pam service name (
e.g. <
quote>my_pam_service</
quote>),
you would use the following configuration:
ad_gpo_map_remote_interactive = +my_pam_service, -sshd
Default: the default set of PAM service names includes:
<
term>ad_gpo_map_network (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access control is evaluated based on
the NetworkLogonRight and DenyNetworkLogonRight
Note: Using the Group Policy Management Editor
this value is called "Access this computer
from the network" and "Deny access to this
computer from the network".
It is possible to add another PAM service name
to the default set by using <
quote>+service_name</
quote>
or to explicitly remove a PAM service name from
the default set by using <
quote>-service_name</
quote>.
For example, in order to replace a default PAM service
name for this logon right (
e.g. <
quote>ftp</
quote>)
with a custom pam service name (
e.g. <
quote>my_pam_service</
quote>),
you would use the following configuration:
ad_gpo_map_network = +my_pam_service, -ftp
Default: the default set of PAM service names includes:
<
term>ad_gpo_map_batch (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access control is evaluated based on
the BatchLogonRight and DenyBatchLogonRight
Note: Using the Group Policy Management Editor
this value is called "Allow log on as a batch
job" and "Deny log on as a batch job".
It is possible to add another PAM service name
to the default set by using <
quote>+service_name</
quote>
or to explicitly remove a PAM service name from
the default set by using <
quote>-service_name</
quote>.
For example, in order to replace a default PAM service
name for this logon right (
e.g. <
quote>crond</
quote>)
with a custom pam service name (
e.g. <
quote>my_pam_service</
quote>),
you would use the following configuration:
ad_gpo_map_batch = +my_pam_service, -crond
Default: the default set of PAM service names includes:
<
term>ad_gpo_map_service (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access control is evaluated based on
the ServiceLogonRight and DenyServiceLogonRight
Note: Using the Group Policy Management Editor
this value is called "Allow log on as a service"
and "Deny log on as a service".
It is possible to add a PAM service name to the
default set by using <
quote>+service_name</
quote>.
Since the default set is empty, it is not possible
to remove a PAM service name from the default set.
For example, in order to add a custom pam service
name (
e.g. <
quote>my_pam_service</
quote>), you
would use the following configuration:
ad_gpo_map_service = +my_pam_service
<
term>ad_gpo_map_permit (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access is always granted, regardless
It is possible to add another PAM service name
to the default set by using <
quote>+service_name</
quote>
or to explicitly remove a PAM service name from
the default set by using <
quote>-service_name</
quote>.
For example, in order to replace a default PAM service
name for unconditionally permitted access (
e.g. <
quote>sudo</
quote>)
with a custom pam service name (
e.g. <
quote>my_pam_service</
quote>),
you would use the following configuration:
ad_gpo_map_permit = +my_pam_service, -sudo
Default: the default set of PAM service names includes:
<
term>ad_gpo_map_deny (string)</
term>
A comma-separated list of PAM service names for
which GPO-based access is always denied, regardless
It is possible to add a PAM service name to the
default set by using <
quote>+service_name</
quote>.
Since the default set is empty, it is not possible
to remove a PAM service name from the default set.
For example, in order to add a custom pam service
name (
e.g. <
quote>my_pam_service</
quote>), you
would use the following configuration:
ad_gpo_map_deny = +my_pam_service
<
term>ad_gpo_default_right (string)</
term>
This option defines how access control is evaluated
for PAM service names that are not explicitly listed
in one of the ad_gpo_map_* options. This option can be
set in two different manners. First, this option can
be set to use a default logon right. For example, if
this option is set to 'interactive', it means that
unmapped PAM service names will be processed based on
the InteractiveLogonRight and DenyInteractiveLogonRight
policy settings. Alternatively, this option can be set
to either always permit or always deny access for
unmapped PAM service names.
Supported values for this option include:
<
term>ad_maximum_machine_account_password_age (integer)</
term>
SSSD will check once a day if the machine account
password is older than the given age in days and try
to renew it. A value of 0 will disable the renewal
<
term>ad_machine_account_password_renewal_opts (string)</
term>
This option should only be used to test the machine
account renewal task. The option expect 2 integers
seperated by a colon (':'). The first integer
defines the interval in seconds how often the task
is run. The second specifies the inital timeout in
seconds before the task is run for the first time
Default: 86400:750 (24h and 15m)
<
term>dyndns_update (boolean)</
term>
Optional. This option tells SSSD to automatically
update the Active Directory DNS server with
the IP address of this client. The update is
secured using GSS-TSIG. As a consequence, the
Active Directory administrator only needs to
allow secure updates for the DNS zone. The IP
address of the AD LDAP connection is used for
the updates, if it is not otherwise specified
by using the <
quote>dyndns_iface</
quote> option.
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
<
term>dyndns_ttl (integer)</
term>
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false this has no effect. This will
override the TTL serverside if set by an administrator.
<
term>dyndns_iface (string)</
term>
Optional. Applicable only when dyndns_update
is true. Choose the interface or a list of interfaces
whose IP addresses should be used for dynamic DNS
updates. Special value <
quote>*</
quote> implies that
IPs from all interfaces should be used.
Default: Use the IP addresses of the interface which
is used for AD LDAP connection
Example: dyndns_iface = em1, vnet1, vnet2
<
term>dyndns_refresh_interval (integer)</
term>
How often should the back end perform periodic DNS update in
addition to the automatic update performed when the back end
This option is optional and applicable only when dyndns_update
Default: 86400 (24 hours)
<
term>dyndns_update_ptr (bool)</
term>
Whether the PTR record should also be explicitly
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
<
term>dyndns_force_tcp (bool)</
term>
Whether the nsupdate utility should default to using
TCP for communicating with the DNS server.
Default: False (let nsupdate choose the protocol)
<
term>dyndns_server (string)</
term>
The DNS server to use when performing a DNS
update. In most setups, it's recommended to leave
Setting this option makes sense for environments
where the DNS server is different from the identity
Please note that this option will be only used in
fallback attempt when previous attempt using
autodetected settings failed.
Default: None (let nsupdate choose the server)
<
term>krb5_use_enterprise_principal (boolean)</
term>
Specifies if the user principal should be treated
as enterprise principal. See section 5 of RFC 6806
for more details about enterprise principals.
Note that this default differs from the
traditional Kerberos provider back end.
<
term>krb5_confd_path (string)</
term>
Absolute path of a directory where SSSD should place
Kerberos configuration snippets.
To disable the creation of the configuration
snippets set the parameter to 'none'.
SSSD's pubconf directory)
The following example assumes that SSSD is correctly
configured and
example.com is one of the domains in the
<
replaceable>[sssd]</
replaceable> section. This example shows only
the AD provider-specific options.
The AD access control provider checks if the account is expired.
It has the same effect as the following configuration of the LDAP
ldap_access_order = expire
ldap_account_expire_policy = ad
However, unless the <
quote>ad</
quote> access control provider
is explicitly configured, the default access provider is
<
quote>permit</
quote>. Please note that if you configure an
access provider other than <
quote>ad</
quote>, you need to set
all the connection parameters (such as LDAP URIs and encryption
When the autofs provider is set to <
quote>ad</
quote>, the RFC2307
schema attribute mapping (nisMap, nisObject, ...) is used,
because these attributes are included in the default Active