By default, Fedora Atomic images come with cloud-init, which supports customization of various aspects of the running instance, including the password for the default user. However, if many users in an organization should have access to the Atomic Host, the local configuration of the instance will not scale, and user identities, authentication, and authorization need to be based on an external identity management solution.
For IPA (FreeIPA/IdM), Active Directory, or generic LDAP servers, SSSD can serve as an agent providing these services, from user identity lookups and user group membership resolution to access control. With an SSSD container now available, Fedora Atomic Hosts can be deployed in a very similar way to normal Fedora.
The System Security Services Daemon (SSSD) is a daemon that provides identity, authentication, and authorization services to the operating system and applications. It provides modules and/or plugins for multiple subsystems of the operating system, including NSS, PAM, or sudo. It can cache multiple types of information to speed up subsequent lookup or authentication operations, and it can use various remote backend types, including FreeIPA, Active Directory, or LDAP.
SSSD can be configured by editing /etc/sssd/sssd.conf directly, but because it overlaps with other subsystems, those subsystems typically need to be configured as well to make use of SSSD, such as pam_sss.so for PAM or /etc/krb5.* for Kerberos operations. For two use cases, setups against FreeIPA and Active Directory, setup tools can be used to configure SSSD and the other components of the operating system in an automated fashion.
Working with SSSD container
The general steps in deploying the SSSD container include:
- Edit the config file with options and parameters, or configure SSSD manually.
- Run atomic install fedora/sssd [various options] to invoke the setup tool(s) that configure SSSD and other parts of the system.
- Run atomic run fedora/sssd or systemctl start sssd.service to start the container.
Which config files to use and which options to pass depend on the setup you want to achieve. The three most common use cases will be:
- IPA enrollment, for configuring the machine against FreeIPA/IdM, using ipa-client-install in the container.
- Joining the machine to Active Directory using realm join.
- Configuring SSSD manually on the host and telling the SSSD container to just use that configuration, without any setup tool invoked.
Let us explore the possibilities in more detail.
IPA-enrolling Fedora Atomic
To IPA-enroll the machine to a FreeIPA or IdM server, you will want to either specify the parameters for ipa-client-install in /etc/sssd/ipa-client-install-options on the host before running atomic install, or pass the parameters as arguments to atomic install fedora/sssd directly.
For example, if you've pre-created the host record in IPA with
ipa$ ipa host-add --random host.example.com [...] Random password: Fk96SdaP99wV
and obtained a one-time password for the IPA enrollment, you can either use the -w option and the password directly when calling atomic install:
host# atomic install fedora/sssd -w Fk96SdaP99wV [...] Client configuration complete.
Alternatively, you can store the option and the password in /etc/sssd/ipa-client-install-options. You then do not need to pass the arguments to atomic install on the command line:
host# atomic install fedora/sssd [...] Client configuration complete.
Virtually any option to ipa-client-install can be used, specified either as an argument to atomic install or in the /etc/sssd/ipa-client-install-options file.
Joining Fedora Atomic to Active Directory
To join the machine to Active Directory, specify the parameters to realm join in /etc/sssd/realm-join-options, for example:
When that file exists, a plain
host# atomic install fedora/sssd
invokes realm join instead of ipa-client-install.
You can also use realm join and the parameters on the command line directly:
host# atomic install fedora/sssd realm join ADDOMAIN.TEST
In either case, since realm join does not accept the AD credentials on the command line, you have to put the password in /etc/sssd/realm-join-password before calling atomic install.
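Both the IPA enrollment and the Active Directory join above can take their secret from a file under /etc/sssd instead of from the command line. Passing the one-time password with -w puts it into the shell history and makes it visible in the process list while atomic install runs; the file avoids that, but only helps if it is readable by root alone. The following helper, an added example that is not code from the article or from the SSSD container project, writes those files with owner-only permissions and reports whether the resulting mode is 0600. It assumes that ipa-client-install-options holds the arguments as they would be typed to ipa-client-install, that realm-join-options holds the arguments to realm join (the domain name, as in the command-line form above), and that realm-join-password holds the plain password; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): write the setup-tool option
# and password files under /etc/sssd with owner-only permissions, so that a
# one-time or join password never appears on the command line.
# Assumptions: the options files hold the arguments as typed to the setup
# tool, and realm-join-password holds the plain password.
set -u

# write_secret_file FILE CONTENT
# Replaces FILE with CONTENT, created readable only by its owner.
# Returns 0 only if the resulting mode is exactly 0600.
write_secret_file() {
    file="$1"
    content="$2"
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -p "$dir"
    # The umask governs the mode of the file created by the redirection;
    # the old file is removed first so an existing world-readable copy is
    # not silently reused.
    old_umask=$(umask)
    umask 077
    rm -f "$file"
    printf '%s\n' "$content" > "$file"
    umask "$old_umask"
    chmod 0600 "$file"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ]
}

# ipa_enrollment_files SSSD_DIR ONE_TIME_PASSWORD
# Stores "-w PASSWORD" in ipa-client-install-options so that a plain
# "atomic install fedora/sssd" picks it up (assumed file format).
ipa_enrollment_files() {
    write_secret_file "$1/ipa-client-install-options" "-w $2"
}

# ad_join_files SSSD_DIR DOMAIN PASSWORD
# realm join reads the domain from realm-join-options and the AD
# password from realm-join-password (assumed file formats).
ad_join_files() {
    write_secret_file "$1/realm-join-options" "$2" &&
    write_secret_file "$1/realm-join-password" "$3"
}

# Usage on the Atomic Host, as root, before "atomic install fedora/sssd":
#   ipa_enrollment_files /etc/sssd Fk96SdaP99wV
# or
#   ad_join_files /etc/sssd ADDOMAIN.TEST 'constructed-ad-password'
```

The directory argument exists so the helper can be exercised against a staging directory; on the host it is /etc/sssd, and both files should be removed again once the container has been installed, since the enrollment secrets are no longer needed afterwards.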
Using existing SSSD configuration
If you have configured SSSD on the Fedora Atomic Host manually or via some other mechanism, you can just enable the SSSD container and tell it to observe the existing configuration:
host# atomic install fedora/sssd --migrate
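With --migrate, the container takes the host's configuration as it is, so mistakes in a hand-written sssd.conf only surface once the container starts. The script below, an added example that is not code from the article or from the SSSD project, performs the checks a practitioner would run before that step: sssd.conf must exist with mode 0600 (sssd refuses a more permissive file), every domain named in the [sssd] section's domains line must have a [domain/NAME] section with an id_provider, the services line must enable nss and pam, and the passwd and group databases in nsswitch.conf must include sss, or lookups will never reach SSSD. The SYSROOT argument is the example's own addition so the checks can be run against a staging tree; on the host it is simply omitted.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check an SSSD
# configuration prepared on the host before handing it to the container
# with "atomic install fedora/sssd --migrate".
# SYSROOT (first argument) defaults to / and exists only so the checks can
# be run against a staging directory.

# section_value FILE SECTION KEY
# Prints the value of KEY inside [SECTION] of an ini-style file, or nothing.
section_value() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# check_sssd_config [SYSROOT]
# Prints every problem found and returns 1 if there was at least one.
check_sssd_config() {
    root="${1:-}"
    conf="$root/etc/sssd/sssd.conf"
    nss="$root/etc/nsswitch.conf"
    rc=0

    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return 1
    fi

    # sssd only starts when its config file is readable by root alone
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ "$mode" != "600" ]; then
        echo "$conf has mode $mode, sssd requires 0600"
        rc=1
    fi

    # every domain listed must be defined, and know where identities come from
    domains=$(section_value "$conf" sssd domains | tr ',' ' ')
    if [ -z "$domains" ]; then
        echo "[sssd] has no domains = line"
        rc=1
    fi
    for d in $domains; do
        if [ -z "$(section_value "$conf" "domain/$d" id_provider)" ]; then
            echo "domain $d is listed but [domain/$d] has no id_provider"
            rc=1
        fi
    done

    # identity lookups and authentication need the nss and pam responders
    services=" $(section_value "$conf" sssd services | tr ',' ' ') "
    for svc in nss pam; do
        case "$services" in
            *" $svc "*) ;;
            *) echo "services = in [sssd] does not enable $svc"; rc=1 ;;
        esac
    done

    # the glibc side: passwd and group must be routed to the sss NSS module
    for db in passwd group; do
        if ! grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)" "$nss" 2>/dev/null; then
            echo "$nss: $db line does not use sss"
            rc=1
        fi
    done
    return $rc
}

# Usage on the host, before "atomic install fedora/sssd --migrate":
#   check_sssd_config && echo "configuration looks usable"
```

The checks are deliberately limited to what can be verified offline; whether the configured server is reachable, or whether Kerberos in /etc/krb5.* agrees with the domain, only shows once the container is running and a lookup such as getent passwd for a remote user succeeds.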
For more information about the SSSD container and the solution used, check SSSD in container on Fedora Atomic Host.