Tag Archive: SSSD


SSSD principle:

SSSD for SUSE (SLES):

https://www.suse.com/support/kb/doc/?id=7022002

http://www.novell.com/support/kb/doc.php?id=7014572

RHEL:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/index

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html

Troubleshooting SSSD:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

Identity resolution check: id <userid> ; getent passwd <userid>

Authentication check: ssh <userid>@localhost


In addition to the Red Hat guide, there are tons of interesting links:

http://thornelabs.net/2014/01/30/authenticate-rhel-5-and-6-against-active-directory-on-windows-server-2008-r2-with-sssd-using-kerberos-and-ldap.html

http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/


To request a certificate for Mac and Linux, there are two options:
– SCEP ===> Mac compatible. Linux: the open problem is which SCEP client to use.
or
– request a certificate from Linux or Mac using openssl

Principle:

1) prepare the certificate request:

http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr

2) submit the certificate request to https://serverweb.mydomain.local/certsrv, or use the Windows certutil command from a jump server (the request is approved manually or automatically, depending on the Windows certificate template settings)

3) install the issued certificate together with its full certificate chain (.p7b format) on Linux (Ubuntu):

https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

To view the certificate chain (add -inform DER if certsrv delivered the .p7b DER-encoded rather than Base64-encoded):

openssl pkcs7 -in certnew.p7b -print_certs

To extract the certificates of the chain into a .cer (PEM) file:

openssl pkcs7 -print_certs -in certnew.p7b -out cert.cer

To convert the .cer into a .pfx (bundling the private key and the CA chain in cert.crt):

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer -certfile cert.crt

Copy the .crt under /usr/share/ca-certificates:

sudo cp cert.crt /usr/share/ca-certificates/cert.crt

Update the certificate store (the file must have a .crt extension, otherwise it is not picked up):

From the update-ca-certificates man page: update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates certificates.crt, a concatenated single-file list of certificates. It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected, causing the deactivation of the CA certificate in question. Furthermore, all certificates found below /usr/local/share/ca-certificates are also included as implicitly trusted.

sudo update-ca-certificates
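The three steps above run end to end, as an added example that is not part of the original post: key and CSR generation, issuance, and unpacking of the resulting .p7b into the host certificate plus the CA chain, followed by a chain verification. Because the Windows CA is not reachable offline, a throwaway local CA created in the script stands in for certsrv; the host name host01.mydomain.local and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: CSR -> issued .p7b -> PEM chain.
# A stub local CA replaces the Windows CA (certsrv) so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory (assumed)
CN="${CN:-host01.mydomain.local}"            # hypothetical host name

# Step 1: private key and CSR for the host (the CSR is what goes to certsrv)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/privatekey.key" -out "$WORK/request.csr" \
    -subj "/O=Example/CN=$CN" 2>/dev/null
}

# Step 2 stand-in: a self-signed root signs the CSR and returns leaf + CA as
# a DER-encoded .p7b, the shape certsrv hands out as certnew.p7b.
issue_with_stub_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Stub Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/issued.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/issued.crt" \
    -certfile "$WORK/ca.crt" -outform DER -out "$WORK/certnew.p7b"
}

# Step 3: unpack the bundle (DER, hence -inform DER), split it into the host
# certificate (cert.cer, identified by matching it to our private key) and the
# CA chain (cert.crt, the file that goes into the trust store), then verify.
unpack_and_verify() {
  openssl pkcs7 -inform DER -in "$WORK/certnew.p7b" -print_certs \
    -out "$WORK/chain.pem"
  awk -v d="$WORK" '/BEGIN CERT/{n++} /BEGIN CERT/,/END CERT/{print > (d "/c" n ".pem")}' \
    "$WORK/chain.pem"
  keymod=$(openssl rsa -noout -modulus -in "$WORK/privatekey.key")
  : > "$WORK/cert.crt"
  for f in "$WORK"/c*.pem; do
    if [ "$(openssl x509 -noout -modulus -in "$f")" = "$keymod" ]; then
      cp "$f" "$WORK/cert.cer"          # the certificate issued for our key
    else
      cat "$f" >> "$WORK/cert.crt"      # everything else is the CA chain
    fi
  done
  # the issued certificate must chain to the CA part of the bundle
  openssl verify -CAfile "$WORK/cert.crt" "$WORK/cert.cer" >/dev/null
  # to trust the chain system-wide (implicitly trusted location per the man page):
  # sudo cp "$WORK/cert.crt" /usr/local/share/ca-certificates/ && sudo update-ca-certificates
}
```

Run make_csr, issue_with_stub_ca and unpack_and_verify in that order; with a real CA, replace issue_with_stub_ca by submitting request.csr to certsrv and saving the download as certnew.p7b.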


For Mac: http://apple.stackexchange.com/questions/80623/import-certificates-into-system-keychain-via-the-command-line

Other resources:

http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

http://www.whitneytechnologies.com/?p=218

http://www.unix.com/shell-programming-and-scripting/107305-shell-script-provide-answers-ssl-cert-request.html


Additionally, converting .cer to .pem or vice versa: https://www.sslshopper.com/ssl-converter.html

CentOS authentication with AD without Kerberos (certificate only): http://htfdidt.blogspot.fr/2014/06/centos-6-with-active-directory.html