SSSD Configuration Reference

The System Security Services Daemon (SSSD) provides access to remote identity and authentication providers. It is commonly used to integrate Linux systems with Active Directory, LDAP directories, and other centralized identity services. This reference provides an overview of SSSD configuration files, common sections, options, and examples to help you set up and manage SSSD effectively.

Configuration Files

The main configuration file for SSSD is /etc/sssd/sssd.conf. This file contains global settings and domain-specific configurations. Ensure that the file has permissions set to 600 and is owned by root:root to prevent unauthorized access.

# Example permissions
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf

SSSD Configuration Structure

The sssd.conf file consists of different sections:

[sssd] - Global SSSD options.
[domain/<name>] - Domain-specific settings.
[auth_provider/<name>] - Authentication provider settings.
[nss] - Name Service Switch settings.
[pam] - Pluggable Authentication Module settings.
[ifp] - InfoPipe responder settings.

[sssd] Section

The [sssd] section contains global options for SSSD.

Common Options

Option	Description
`config_file_version`	The version of the config file syntax. Typically set to `2`.
`services`	A comma-separated list of services to start (e.g., `nss, pam, sudo, ssh`).
`domains`	A comma-separated list of configured domains.
`reconnection_retries`	Number of times SSSD tries to reconnect to a provider.
`debug_level`	Sets the debug level (0-10) for logging.

Example [sssd] Section

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/<name>] Section

The [domain/<name>] section defines settings for a specific domain or identity provider.

Common Options

Option	Description
`id_provider`	Specifies the identity provider type (e.g., `ldap`, `ad`, `ipa`).
`auth_provider`	Specifies the authentication provider type.
`chpass_provider`	Specifies the password change provider.
`access_provider`	Controls access to the system (e.g., `ldap`, `ad`, `permit`, `deny`).
`ldap_uri`	Specifies the LDAP server URI.
`ldap_search_base`	Specifies the base DN for LDAP searches.
`ldap_schema`	Specifies the LDAP schema (e.g., `rfc2307`, `rfc2307bis`).
`enumerate`	Enables or disables user and group enumeration (`true` or `false`).
`cache_credentials`	Enables caching of user credentials (`true` or `false`).

Example LDAP Domain Configuration

[domain/example.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap

ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=binduser,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = binduserpassword

enumerate = false
cache_credentials = true

Example Active Directory Domain Configuration

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

enumerate = false
cache_credentials = true

[nss] Section

The [nss] section configures the Name Service Switch integration.

Common Options

Option	Description
`filter_groups`	List of groups to exclude from enumeration.
`filter_users`	List of users to exclude from enumeration.
`entry_negative_timeout`	Time in seconds to cache negative lookup results.
`memcache_timeout`	Time in seconds for in-memory cache entries.

Example [nss] Section

[nss]
filter_groups = root
filter_users = root
entry_negative_timeout = 20
memcache_timeout = 600

[pam] Section

The [pam] section configures the PAM responder, which handles authentication requests.

Common Options

Option	Description
`offline_credentials_expiration`	Time in hours before cached credentials expire.
`pam_cert_auth`	Enables certificate authentication (`true` or `false`).
`pam_pwd_expiration_warning`	Days before password expiration to warn the user.

Example [pam] Section

[pam]
offline_credentials_expiration = 0
pam_cert_auth = false
pam_pwd_expiration_warning = 7

[ssh] and [sudo] Sections

These sections configure SSSD to provide SSH and Sudo integrations.

Example [ssh] Section

[ssh]
ssh_hash_known_hosts = false

Example [sudo] Section

[sudo]
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com

Access Control

Control user access using the access_provider option.

Access Providers

permit - Allows all users.
deny - Denies all users.
ldap - Uses LDAP attributes for access control.
ad - Uses Active Directory attributes.
simple - Uses a list of allowed or denied users/groups.

Example Simple Access Control

[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1, group2

Credential Caching

SSSD can cache user credentials to allow offline authentication.

Enable Credential Caching

[domain/example.com]
cache_credentials = true

Configure Offline Authentication

[pam]
offline_credentials_expiration = 0

Setting offline_credentials_expiration to 0 disables expiration of cached credentials.

Kerberos Configuration

When using Kerberos authentication, additional configuration may be required.

Example Kerberos Settings

[domain/example.com]
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
krb5_kpasswd = kpasswd.example.com

Debugging and Logging

Set the debug_level option in different sections to control logging verbosity.

Example Debug Settings

[sssd]
debug_level = 0xFFF0

[domain/example.com]
debug_level = 0xFFF0

[nss]
debug_level = 0xFFF0

[pam]
debug_level = 0xFFF0

Log files are typically located in /var/log/sssd/.

Testing and Troubleshooting

Use sss_cache to clear the SSSD cache:

# Clear all cache
sss_cache -E

# Clear cache for a specific user
sss_cache -u username

Use sssctl for status and debug logs:

# Check SSSD status
sssctl status

# View domain information
sssctl domain-list
sssctl domain-status example.com

# Watch logs in real-time
sssctl debug-level 9

Verify user lookup:

# Get user information
getent passwd username

# Check group membership
getent group groupname

Check authentication:
```
# Test PAM authentication
su - username
```

Example Complete Configuration

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
filter_groups = root
filter_users = root
entry_negative_timeout = 20

[pam]
offline_credentials_expiration = 0
pam_pwd_expiration_warning = 7

[domain/example.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap

ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=binduser,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = binduserpassword

enumerate = false
cache_credentials = true

Permissions and Ownership

Ensure that /etc/sssd/sssd.conf has the correct permissions and ownership:

# Set ownership to root:root
chown root:root /etc/sssd/sssd.conf

# Set permissions to 600
chmod 600 /etc/sssd/sssd.conf

Restarting SSSD

After making changes to the configuration, restart the SSSD service:

# On systemd-based systems
systemctl restart sssd

# On SysVinit systems
service sssd restart

Integration with PAM and NSS

Ensure that SSSD is properly integrated with PAM and NSS.

Modify NSS Configuration

Edit /etc/nsswitch.conf and add sss to the passwd, shadow, and group entries:

passwd:     files sss
shadow:     files sss
group:      files sss

Modify PAM Configuration

Ensure that PAM is configured to use SSSD, typically by including pam_sss.so in the PAM stack. This can often be done by installing the appropriate PAM configuration files provided by SSSD.

Common Issues

SSSD Fails to Start: Check for syntax errors in sssd.conf and verify permissions.
Authentication Fails: Verify connectivity to the identity provider and ensure correct credentials.
User Not Found: Use getent to check if the user is visible to the system.
Caching Issues: Clear the SSSD cache using sss_cache -E.
Expired Certificates: If using TLS/SSL, ensure certificates are valid and trusted.

Tips and Best Practices

Use secure connections (e.g., LDAPS or StartTLS) when connecting to LDAP servers.
Limit the scope of searches by specifying precise search bases.
Monitor SSSD logs in /var/log/sssd/ for troubleshooting.
Regularly update SSSD to benefit from security patches and new features.
Test configuration changes in a non-production environment before deployment.

Return to Home