4 Setting Up Authentication Clients Using YaST #
Whereas Kerberos is used for authentication, LDAP is used for authorization and identification. Both can work together. For more information about LDAP, see Chapter 5, LDAP with 389 Directory Server, and about Kerberos, see Chapter 6, Network Authentication with Kerberos.
4.1 Configuring an Authentication Client with YaST #
YaST allows setting up authentication to clients using different modules:
Use both an identity service (usually LDAP) and a user authentication service (usually Kerberos). This option is based on SSSD and in the majority of cases is best suited for joining Active Directory domains. .
This module is described in Section 7.3.2, “Joining Active Directory Using . ”
Join an Active Directory (which entails use of Kerberos and LDAP). This option is based on .
winbind
and is best suited for joining an Active Directory domain if support for NTLM or cross-forest trusts is necessary.This module is described in Section 7.3.3, “Joining Active Directory Using . ”
4.2 SSSD #
Two of the YaST modules are based on SSSD:
and .SSSD stands for System Security Services Daemon. SSSD talks to remote directory services that provide user data and provides various authentication methods, such as LDAP, Kerberos, or Active Directory (AD). It also provides an NSS (Name Service Switch) and PAM (Pluggable Authentication Module) interface.
SSSD can locally cache user data and then allow users to use the data, even if the real directory service is (temporarily) unreachable.
4.2.1 Checking the Status #
After running one of the YaST authentication modules, you can check whether SSSD is running with:
#
systemctl status sssd
sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) Active: active (running) since Thu 2015-10-23 11:03:43 CEST; 5s ago [...]
4.2.2 Caching #
To allow logging in when the authentication back-end is unavailable, SSSD will use its cache even if it was invalidated. This happens until the back-end is available again.
To invalidate the cache, run sss_cache -E
(the
command sss_cache
is part of the package
sssd-tools).
To completely remove the SSSD cache, run:
>
sudo
systemctl stop sssd
>
sudo
rm -f /var/lib/sss/db/*
>
sudo
systemctl start sssd