Configuring SSSD for Authenticated NFS

In order to activate the SSSD approach, you must customize and install an sssd.conf file.

This topic provides guidance on the following actions:

Building sssd.conf

The example sssd.conf file may be used as a template, and requires only a few customizations in most cases.

[sssd]
config_file_version = 2
services = nss, pam
domains = <DOMAIN>

Replace <DOMAIN> with your actual Active Directory domain, for example DEV.ANACONDA.COM.

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

This section needs no customization. It is for internal SSSD operations.

[pam]

[domain/<DOMAIN>]

This is the beginning of the SSSD configuration for your particular domain. For example, [domain/DEV.ANACONDA.COM].

ldap_id_use_start_tls = false
ldap_schema = ad
ldap_search_base = dc=dev,dc=example,dc=com
ldap_user_ssh_public_key = sshPublicKey

This section will need your LDAP Search Base to be added. For example, dc=dev,dc=anaconda,dc=com will search all of the domain DEV.ANACONDA.COM.

# sssd.conf does not support inline comments, so each comment sits on its own line
# Use ldap://<server>
ldap_uri = <LDAP_SERVER>
# Distinguished Name of the Bind Account
ldap_default_bind_dn = <BIND_DN>
ldap_default_authtok_type = password
# Password of Bind DN account
ldap_default_authtok = <PASSWORD>

This section will need your LDAP Server address added. For example, ldap://<example.dev.anaconda.com>. You will also need to add the Distinguished Name for the Bind Account. For example, CN=Administrator,CN=Users,DC=DEV,DC=ANACONDA,DC=COM.

Finally, you will need to add the password of the Bind DN account. You can obfuscate this with sss_obfuscate. See the Linux documentation for guidance on obfuscation.
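A pre-install check for the file built in this section, added here as an example; it is not part of the Anaconda documentation or tooling. The function name lint_sssd_conf, the finding labels, and the sample values (DEV.EXAMPLE.COM, svc-sssd, the password) are assumptions made for illustration.

```python
import configparser

# Constructed sample: the page's template filled in with made-up values.
SAMPLE = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = DEV.EXAMPLE.COM

[domain/DEV.EXAMPLE.COM]
auth_provider = ldap
ldap_id_use_start_tls = false
ldap_uri = ldap://ad.dev.example.com # Use ldap://<server>
ldap_default_bind_dn = CN=svc-sssd,CN=Users,DC=dev,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = not-a-real-password
"""

def lint_sssd_conf(text):
    """Return (section, finding) pairs; the finding labels are hypothetical."""
    # No inline_comment_prefixes: trailing "# ..." text stays in the value.
    # SSSD does not support inline comments either.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    names = cp.get("sssd", "domains", fallback="").split(",")
    for sec in (f"domain/{n.strip()}" for n in names if n.strip()):
        if not cp.has_section(sec):
            findings.append((sec, "missing-domain-section"))
            continue
        opts = cp[sec]
        # A trailing comment has become part of the option value.
        findings += [(sec, f"inline-comment:{k}") for k, v in opts.items()
                     if " #" in v or " ;" in v]
        # ldap:// with StartTLS off leaves identity lookups unencrypted.
        uris = opts.get("ldap_uri", "").split(",")
        tls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if not tls and any(u.strip().startswith("ldap://") for u in uris):
            findings.append((sec, "cleartext-ldap"))
        # Default authtok type is "password": the bind secret is stored as typed.
        kind = opts.get("ldap_default_authtok_type", "password").strip()
        if "ldap_default_authtok" in opts and kind == "password":
            findings.append((sec, "plaintext-bind-password"))
    return findings

if __name__ == "__main__":
    for section, finding in lint_sssd_conf(SAMPLE):
        print(f"{section}: {finding}")
```

sss_obfuscate switches ldap_default_authtok_type to obfuscated_password, which clears the last finding. Its man page notes that the obfuscated value can still be reversed, so access to the secret holding sssd.conf should stay restricted.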

Installing sssd.conf

Warning

Ensure you do not accidentally overwrite something that may already exist in the spark-config secret. This could come about if you are using spark-config to add the config.json file used for spark connections, for example.

Once your sssd.conf file has been constructed, it needs to be mounted into the container. The spark-config facility implemented in the anaconda-enterprise-cli tool provides a convenient mechanism for doing so. If you have logged in to this tool with administrator credentials, and the desired sssd.conf file is found in the current directory, this command will install it:

anaconda-enterprise-cli spark-config --config /etc/sssd/sssd.conf sssd.conf

Once this has been successfully completed, all new sessions and deployments will utilize SSSD. Existing sessions and deployments will continue to function without change.

Example sssd.conf

# Initial SSSD config
[sssd]
config_file_version = 2
services = nss, pam
domains = <DOMAIN>

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]

# Config for domain used
[domain/<DOMAIN>]


debug_level = 7
enumerate = false
case_sensitive = false
cache_credentials = true
min_id = 1000
ldap_id_mapping = true
override_homedir = /opt/continuum
default_shell = /bin/bash

id_provider = ldap
auth_provider = ldap
access_provider = simple
chpass_provider = ldap

ldap_id_use_start_tls = false
ldap_schema = ad
ldap_search_base = dc=dev,dc=example,dc=com
ldap_user_ssh_public_key = sshPublicKey

# Use ldap://<server>
ldap_uri = <LDAP_SERVER>
# Distinguished Name of the Bind Account
ldap_default_bind_dn = <BIND_DN>
ldap_default_authtok_type = password
# Password of Bind DN account
ldap_default_authtok = <PASSWORD>

# You can obfuscate the Password so it does not have to be stored in plaintext (https://linux.die.net/man/8/sss_obfuscate)