Authenticating to Fedora using Active Directory credentials that lack Unix attributes

This weekend at the SouthEast LinuxFest I gave a talk on authenticating to Fedora with Active Directory credentials that lack Unix attributes.  Newer Active Directory releases no longer offer the Unix Attributes tab by default (the RFC 2307 attributes such as uidNumber, gidNumber, unixHomeDirectory and loginShell are still in the schema, but nothing populates them), so it is worth knowing that their absence is not a show stopper.

In my talk I showed how SSSD's ID mapping works: it decodes the binary objectSid of a user object into the familiar S-1-5-21-...-RID form and runs the domain part and the RID through a deterministic algorithm to produce a UID.  It does the same for group objects, so you get GIDs as well.  Beyond the UID and GID, SSSD has 'fallback' settings for the home directory and shell, which let you fill in the blanks for the information AD does not hold.

Here is the user object from the demonstration.  The query below does a simple bind as Administrator over plain LDAP, which is fine in a lab but sends the password in the clear; outside a lab add -ZZ (StartTLS), use an ldaps:// URI with -H, or bind with a Kerberos ticket via -Y GSSAPI:

$ ldapsearch -LLL -h coldharbour.win.terranforge.com -D Administrator@WIN.TERRANFORGE.COM -W -b dc=win,dc=terranforge,dc=com samaccountname=youknownothing
Enter LDAP Password:

dn: CN=Jon Snow,CN=Users,DC=win,DC=terranforge,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jon Snow
sn: Snow
givenName: Jon
distinguishedName: CN=Jon Snow,CN=Users,DC=win,DC=terranforge,DC=com
instanceType: 4
whenCreated: 20160610164605.0Z
whenChanged: 20160610164605.0Z
displayName: Jon Snow
uSNCreated: 20499
uSNChanged: 20504
name: Jon Snow
objectGUID:: Y7sOFvVwRkmrKNCJiXYkSw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131100507651203267
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAoKzsMxIUlCWCTFRxUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: youknownothing
sAMAccountType: 805306368
userPrincipalName: youknownothing@win.terranforge.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=win,DC=terranforge,DC=com
dSCorePropagationData: 16010101000000.0Z

# refldap://win.terranforge.com/CN=Configuration,DC=win,DC=terranforge,DC=com

As you can see, Jon Snow (youknownothing) lacks four things a POSIX system requires of a user: a UID, a GID, a home directory and a shell.  On a Fedora 23 system joined to the same AD domain, however, the user does have all four:

[root@garden ~]# cat /etc/fedora-release
Fedora release 23 (Twenty Three)
[root@garden ~]# id youknownothing
uid=436801105(youknownothing) gid=436800513(domain users) groups=436800513(domain users)
[root@garden ~]# getent passwd youknownothing
youknownothing:*:436801105:436800513:Jon Snow:/home/youknownothing:/bin/bash

And, we can authenticate as that user to the Fedora system:

[root@garden ~]# ssh youknownothing@localhost
youknownothing@localhost's password:
[youknownothing@garden ~]$ id
uid=436801105(youknownothing) gid=436800513(domain users) groups=436800513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[youknownothing@garden ~]$

This works because SSSD decodes the binary objectSid to its numeric form, derives a UID (and, from primaryGroupID, a GID) from it with its ID-mapping algorithm, and then fills in whatever else the POSIX side needs before it accepts the user as valid.  The only things SSSD needs from AD are an identity, i.e. the sAMAccountName, and the objectSid.  In sssd.conf we supply the fallbacks for the shell and home directory:

[domain/win.terranforge.com]
id_provider = ad
ad_server = coldharbour.win.terranforge.com
default_shell=/bin/bash
fallback_homedir=/home/%u

[sssd]
services = nss, pam
config_file_version = 2
domains = win.terranforge.com

[nss]

[pam]

Using the default_shell and fallback_homedir options means that if SSSD does not find these attributes in AD, it substitutes what you give it, in this case /bin/bash and /home/%u (%u expands to the login name).  You can still populate the RFC 2307 attributes unixHomeDirectory and loginShell on a user in AD if you want to, and SSSD will prefer those over the fallbacks (unlike override_homedir, which replaces the AD value even when it is present).  The same does not hold for uidNumber and gidNumber: with id_provider = ad, ldap_id_mapping defaults to True and SSSD ignores those attributes even if they are set; set ldap_id_mapping = False if you want the values stored in AD used instead.  Also note that sssd.conf must be owned by root with mode 0600, or sssd will refuse to start.

To generate a UID and GID from an object's SID, SSSD's ID-mapping algorithm slices the configured ID range the same way Winbind's autorid backend does: each domain gets a slice of ldap_idmap_range_size IDs (starting at ldap_idmap_range_min) and the RID is added to the slice base.  The two differ in how a slice is chosen: autorid hands out slices in the order domains are first seen, while SSSD by default hashes the domain SID to pick one.  A move from an older Winbind autorid configuration therefore only keeps the original UID and GID values if you set ldap_idmap_autorid_compat = True, match ldap_idmap_range_min and ldap_idmap_range_size to the Winbind idmap range, and pin the primary domain to slice zero with ldap_idmap_default_domain_sid (or ldap_idmap_default_domain).  With those settings, or with the default hashing and identical range options everywhere, every system joined to AD derives the same UID and GID for each user and group, making things like file sharing hassle-free.
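To make the mapping concrete, here is an added example (my own code, not SSSD's libsss_idmap) that decodes Jon Snow's objectSid from the ldapsearch output above, maps the RID into a slice, and builds the getent passwd line with the fallback_homedir and default_shell substitution.  Real SSSD chooses the slice by hashing the domain SID (MurmurHash3); this example does not reimplement the hash and instead recovers the slice index from the uid the page shows (436801105), so that is an assumption, as are the helper names and the SSSD default range values (200000/200000) taken from sssd-ldap(5).

```python
import base64
import re
import struct

# Constructed from the page: Jon Snow's objectSid as printed by ldapsearch
# (base64 of the binary SID) and his primaryGroupID (Domain Users).
JON_OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAoKzsMxIUlCWCTFRxUQQAAA=="
JON_PRIMARY_GROUP_RID = 513

# SSSD defaults for ldap_idmap_range_min and ldap_idmap_range_size (sssd-ldap(5)).
RANGE_MIN = 200000
RANGE_SIZE = 200000


def parse_sid(blob):
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), then count x 4-byte
    little-endian sub-authorities.  The last sub-authority is the RID."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_b64(text):
    return parse_sid(base64.b64decode(text))


def split_sid(sid):
    """Split 'S-1-5-21-...-RID' into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def slice_for_id(posix_id, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Inverse of map_rid: which slice an already mapped UID/GID fell in."""
    if posix_id < range_min:
        raise ValueError("ID below ldap_idmap_range_min")
    return (posix_id - range_min) // range_size


def map_rid(rid, slice_index, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Map a RID into the domain's primary slice.  SSSD can spill RIDs that
    exceed range_size into secondary slices (ldap_idmap_helper_table_size);
    this example only covers the primary slice and rejects such RIDs."""
    if rid >= range_size:
        raise ValueError("RID %d does not fit the primary slice" % rid)
    return range_min + slice_index * range_size + rid


def fill_template(template, user, domain, posix_id):
    """Expand the fallback_homedir tokens used here: %u login name,
    %U numeric UID, %d domain name, %% literal percent."""
    tokens = {"u": user, "U": str(posix_id), "d": domain, "%": "%"}
    return re.sub(r"%([uUd%])", lambda m: tokens[m.group(1)], template)


def passwd_entry(user, domain, uid, gid, gecos, ad_home=None, ad_shell=None,
                 fallback_homedir="/home/%u", default_shell="/bin/bash"):
    """Build the getent passwd line: AD attributes win, fallbacks fill the blanks."""
    home = ad_home or fill_template(fallback_homedir, user, domain, uid)
    shell = ad_shell or default_shell
    return "%s:*:%d:%d:%s:%s:%s" % (user, uid, gid, gecos, home, shell)


def map_user(object_sid_b64, primary_group_rid, slice_index, user, domain,
             gecos, ad_home=None, ad_shell=None):
    """Return (sid, domain_sid, uid, gid, passwd line) for one AD user."""
    sid = sid_from_b64(object_sid_b64)
    domain_sid, rid = split_sid(sid)
    uid = map_rid(rid, slice_index)
    # The primary group lives in the same domain, hence the same slice.
    gid = map_rid(primary_group_rid, slice_index)
    line = passwd_entry(user, domain, uid, gid, gecos, ad_home, ad_shell)
    return sid, domain_sid, uid, gid, line


if __name__ == "__main__":
    # Assumption: take the slice from the uid shown on the page instead of hashing.
    slice_index = slice_for_id(436801105)
    for item in map_user(JON_OBJECT_SID_B64, JON_PRIMARY_GROUP_RID, slice_index,
                         "youknownothing", "win.terranforge.com", "Jon Snow"):
        print(item)
```

Running it prints the decoded SID, the domain SID, 436801105, 436800513 and the same passwd line that getent produced on garden; changing RANGE_SIZE or the slice index shows why every host must share the same idmap range settings to agree on IDs.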

Install the i3 tiling window manager from Fedora 23 Minimal

It was mentioned in the #fedora channel on Freenode’s IRC server that it is difficult to get the i3 tiling window manager working from a Minimal Fedora 23 install.  I ran through the steps myself and narrowed down what was needed to get this to work.

  1. Install Fedora 23 using the Minimal selection on the Server ISO
  2. Post-install, do the following:
    # dnf install i3 i3status dmenu i3lock xbacklight feh conky xterm sddm mesa-dri-drivers xorg-x11-drv-evdev xorg-x11-drv-fbdev xorg-x11-drv-vmmouse xorg-x11-drv-synaptics
    # systemctl set-default graphical.target
    # systemctl isolate graphical.target

The above process should bring you to an SDDM login screen where you can select the Window Manager you wish to use (top-left) and then log in.

systemd-analyze blame

If you want a quicker boot, systemd-analyze blame shows where the time goes.  On this minimal i3 box the largest consumers are firewalld, the LVM root device and NetworkManager, so those are the candidates to remove.  Weigh the cost first: disabling firewalld leaves the host with no packet filter, so only do it where filtering happens elsewhere or where you replace it with a static ruleset (the iptables-services package); LVM cannot simply be removed on this layout, since root is on dev-mapper-fedora\x2droot and dropping it means reinstalling onto plain partitions; and NetworkManager can be swapped for systemd-networkd or static network scripts:

[root@f23i3 ~]# systemd-analyze blame
1.119s firewalld.service
584ms dev-mapper-fedora\x2droot.device
332ms plymouth-start.service
250ms lvm2-monitor.service
187ms systemd-journal-flush.service
177ms systemd-vconsole-setup.service
125ms systemd-udevd.service
84ms systemd-tmpfiles-setup-dev.service
70ms fedora-readonly.service
66ms user@995.service
62ms systemd-udev-trigger.service
53ms systemd-tmpfiles-setup.service
52ms systemd-user-sessions.service
47ms plymouth-quit-wait.service
46ms systemd-journald.service
44ms kmod-static-nodes.service
41ms plymouth-quit.service
39ms NetworkManager.service
38ms systemd-sysctl.service
35ms sys-kernel-debug.mount
34ms dev-mqueue.mount
34ms systemd-fsck@dev-disk-by\x2duuid-*******.service
34ms systemd-logind.service
29ms tmp.mount
25ms systemd-remount-fs.service
21ms user@0.service
21ms auditd.service
20ms boot.mount
20ms plymouth-read-write.service
18ms lvm2-pvscan@252:2.service
16ms dev-hugepages.mount
15ms dracut-shutdown.service
15ms systemd-random-seed.service
13ms systemd-update-utmp-runlevel.service
7ms systemd-fsck-root.service
6ms dev-mapper-fedora\x2dswap.swap
4ms systemd-update-utmp.service
1ms sys-kernel-config.mount

Striker