Autenticazione SSSD/LDAP su AD


# /etc/portage/package.use (Gentoo): sssd built with its ssh and sudo integration,
# pam built with audit support
=sys-auth/sssd-1.16.3-r1 ssh sudo
>=sys-libs/pam-1.3.0-r2 audit

# install sssd with the USE flags declared above
emerge sssd


# sssd.conf — domain section for an AD-backed LDAP provider (the [domain/...] header
# and the [sssd] section are not shown in this listing).
# NOTE(review): ldap_default_authtok below is a service-account password stored in
# clear text in this file; sssd checks the file's ownership/mode (root, 0600) at
# start-up — keep it that way and give the bind account read-only rights in AD.
reconnection_retries = 3
id_provider = ldap
auth_provider = ldap
ldap_schema = AD
#ldap_schema = rfc2307bis
# ldap_access_order only applies when access_provider = ldap; with the "simple"
# provider selected further down this line is inert unless the commented
# "access_provider = ldap" block is enabled.
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# POSIX uid/gid are derived from the AD SID, so no uidNumber/gidNumber attributes
# are needed in AD
ldap_id_mapping = true
# two URIs: ldaps:// first, plain ldap:// as fallback. The fallback is upgraded
# with STARTTLS (ldap_id_use_start_tls below), but see ldap_tls_reqcert.
ldap_uri = ldaps://,ldap://
ldap_default_bind_dn = ...
ldap_default_authtok = ...
ldap_default_authtok_type = password
#ldap_referrals = false
ldap_search_base = ...
#ldap_user_search_base = ...
ldap_user_search_base = ...
# AD attribute names for users and groups
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_group_name = sAMAccountName
# NOTE(review): "never" skips verification of the server certificate, so the TLS
# session only hides traffic from a passive observer — a spoofed AD server would be
# accepted together with the bind password and every user password sent for
# authentication. The CA bundle on ldap_tls_cacert is then effectively unused.
# Prefer the commented "hard" once the AD CA certificate is in the bundle.
ldap_tls_reqcert = never
#ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# every AD user gets bash regardless of the loginShell attribute
override_shell = /bin/bash
# allows logins from cached credentials while AD is unreachable
cache_credentials = true
# presumably set so "getent passwd" lists every AD user; expensive on large
# domains — verify it is really needed
enumerate = true
#ldap_rfc2307_fallback_to_local_users = true
override_homedir = /home/%u
#min_id = 10000
#ldap_group_gid = 9999
#override_gid = 9999
#ad_gpo_access_control = disabled
# host access control: only members of the listed AD groups may log in
access_provider = simple
simple_allow_groups = ..., ...
# alternative: LDAP-filter based access control (memberOf), currently disabled
#access_provider = ldap
#ldap_access_order = filter
#ldap_group_member = member
#ldap_access_filter = (|(memberOf=CN=...)(memberOf=CN=...))


# /etc/nsswitch.conf
# NOTE(review): passwd, shadow and group are listed twice (the "compat" lines and
# the "db files nis sss" lines). Presumably the first three are the stock Debian
# entries and the next three the replacement that adds sss; keep only one set —
# which duplicate glibc honours depends on the glibc version, so leaving both is
# ambiguous.
passwd: compat
shadow: compat
group: compat
# sss last: local accounts are resolved before the directory is queried
passwd: db files nis sss
shadow: db files nis sss
group: db files nis sss
#group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files sss
bootparams: files
# "ldap" here is sudo's own LDAP backend, "sss" is libsss_sudo (cf. the sudo USE
# flag); rules from LDAP win over /etc/sudoers
sudoers: ldap files sss
automount: files
aliases: files


# PAM stack (system-auth style).
# NOTE(review): the module column (pam_*.so) is missing from every line below —
# only the control field and the module options survived extraction. Restore the
# module names from a working install before copying this stack anywhere.
# forward_pass is a pam_sss option: the entered password is left on the stack for
# the modules that follow
auth sufficient forward_pass
auth required
# nullok accepts an empty password for this module — drop it unless empty
# passwords are really wanted
auth required try_first_pass likeauth nullok
auth optional
# authinfo_unavail=ignore keeps local accounts usable when AD is unreachable;
# user_unknown=ignore lets non-directory users fall through to the next line
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]
account required
account optional
password sufficient use_authtok
# NOTE(review): difok/minlen/dcredit/ocredit/retry are password-quality options
# (pam_cracklib / pam_pwquality). With "sufficient", a password that merely passes
# the quality check ends the stack successfully before the required line below
# runs, so the local hash would never be updated; quality modules are normally
# "requisite" — confirm against the restored module name.
password sufficient difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
# sha512: local hashes use SHA-512; nullok again permits an empty password
password required try_first_pass use_authtok nullok sha512 shadow
password optional
session required enable=*
# skel=/umask= look like pam_mkhomedir options: the home directory is created on
# first login with mode 0700
session required skel=/etc/skel/ umask=0077
session required
session required
session required
session optional


# sshd_config: hand ssh authentication and account/session handling to the PAM
# stack above (reload sshd afterwards)
UsePAM yes

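# Verify that AD users and groups resolve through NSS ("sss" must be listed in
# nsswitch.conf and sssd must be running); every AD entry should appear in the
# output together with the local ones.
getent passwd

# The NSS database is called "group": "getent groups" is not a valid database
# name and only prints an "Unknown database" error.
getent group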


Crea un file hp.list in /etc/apt/sources.list.d contenente

# /etc/apt/sources.list.d/hp.list
# NOTE(review): the repository URL (between "deb" and "stretch/current") is
# missing from this listing — it must be restored from the vendor documentation.
deb stretch/current non-free

Importa le chiavi:

# NOTE(review): the four key URLs are missing from this listing.
# Piping curl straight into apt-key trusts whatever the endpoint returns: save
# each key to a file first, check its fingerprint (gpg --show-keys FILE or
# apt-key finger) against the fingerprint the vendor publishes, and only then add
# it. apt-key itself is deprecated in newer apt releases (it still works on stretch).
curl | apt-key add -
curl | apt-key add -
curl | apt-key add -
curl | apt-key add -

Aggiorna i repository:

# refresh the package lists (picks up hp.list added above)
apt-get update
# dist-upgrade upgrades the whole system, not only the new repository's packages
apt dist-upgrade

Installa i pacchetti del controller:

# HP controller tooling from the repository added above: ssacli (Smart Array
# CLI), ssaducli (diagnostics), amsd (agentless management), hponcfg (iLO config)
apt install ssacli ssaducli amsd hponcfg

HPE Manual

# list the licence keys installed on the controller in slot 0, then add one
ssacli ctrl slot=0 lk all show
# the key is masked on this page (…-ZXXXX); substitute your own
ssacli ctrl slot=0 add lk=3MXBB-P2ZCC-ML82H-PB8CS-ZXXXX

HPE Smart Array P408i-a SR Gen10 in Slot 0 (Embedded)
licensekey 3MXBB-P2ZCC-ML82H-PB8CS-ZXXXX (OK)

Attivare rc.local (vedi "Rc.local in Debian stretch")
Inserire in rc.local:

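# rc.local fragment (Debian stretch): kernel tunables, controller cache settings
# and per-disk queue settings applied at boot.
# NOTE(review): the array below needs bash — rc.local's shebang (not shown here)
# must be bash, not /bin/sh.
echo 655360 > /proc/sys/vm/min_free_kbytes
# 0 disables the hung-task detector entirely (no more "task blocked for more than
# N seconds" warnings)
echo 0 > /proc/sys/kernel/hung_task_timeout_secs
echo 1 > /proc/sys/vm/swappiness
echo 50 > /proc/sys/vm/vfs_cache_pressure
# hardening: only privileged users may read the kernel log
echo 1 > /proc/sys/kernel/dmesg_restrict
ssacli controller slot=0 modify cacheratio=70/30
# dwc=enable turns on the drives' own write cache — fine only if the cache is
# power-protected, otherwise a power loss can lose acknowledged writes
ssacli controller slot=0 modify dwc=enable

# Disks to tune; the original loop was missing its do/done.
HBA=( sda sdb )
for DISK in "${HBA[@]}"; do
  # skip names that are not present so a missing disk does not abort rc.local
  [ -d "/sys/block/$DISK" ] || continue
  echo noop > "/sys/block/$DISK/queue/scheduler"
  echo 1024 > "/sys/block/$DISK/queue/nr_requests"
  echo 1024 > "/sys/block/$DISK/queue/read_ahead_kb"
  # WCE=1 enables the drive write cache (same caveat as dwc=enable above);
  # errors are silenced on purpose — not every device accepts the mode page
  sdparm --set WCE=1 "/dev/$DISK" 2>/dev/null
done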

Inserire in .bashrc:

# in (presumably root's) .bashrc: print controller, physical-drive and logical-
# drive status at every interactive shell start, so a degraded array is noticed
# as soon as someone logs in
ssacli ctrl all show status
ssacli ctrl slot=0 pd all show status
ssacli ctrl slot=0 ld all show

In cron.hourly:

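#!/bin/bash
# /etc/cron.hourly: mail an alert when an HP Smart Array physical drive stops
# reporting "OK". Runs as root (ssacli and dmidecode need it).
# Exit 0 = nothing to report or no controller; exit 1 = alert written and mailed.
# The original fragment was missing its fi/else lines and sent the mail before
# appending the drive detail, so the detail never reached the recipient.
# Recipients: the page gives only placeholders — fill them in before installing.
MAIL_TO='<..>'
MAIL_CC='<..>'
# the report contains the machine serial number; /root keeps it readable by root only
REPORT_DIR=/root

# Check for HP Smart Array Controller
# If Smart Array Controller exists continue with script if not exit script
if ! ssacli ctrl all show config | grep -q "Smart Array"; then
  echo "HP Smart Array Card not installed"
  exit 0
fi

# Check HP Smart Array disk status for string "OK"
# grep -v exits 1 when every physicaldrive line contains "OK": nothing to do.
# Any other status (0 = some drive is not OK, 2 = grep error) falls through to the
# alert. Without pipefail an ssacli failure yields no lines and is therefore
# treated as "all OK" — same as the original script.
ssacli ctrl slot=0 pd all show status | grep physicaldrive | grep -vqi "OK"
if [ $? -eq 1 ]; then
  exit 0
fi

# Display hostname, HP serial number, disks and RAID configuration of disks
# that failed — written to the report before the mail goes out
ALERT="ALERT-$(date +%Y%m%d-%H%M%S)"
REPORT="$REPORT_DIR/$ALERT"
{
  echo "Hostname: $(hostname)"
  echo "HP Serial Number: $(dmidecode -t 1 | grep "Serial" | awk '{print $3}')"
  echo "----------------------------------------------------------------------------"
  ssacli ctrl all show config
  ssacli ctrl slot=0 pd all show detail
} > "$REPORT"
mail -s "$(hostname)-$ALERT" -c "$MAIL_CC" "$MAIL_TO" < "$REPORT"
exit 1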

Comandi SSACLI