3. Authentication does not work and syslog contains "No Kerberos credentials available": you do not have any credentials that can be used to obtain the required service ticket. Use kinit, or authenticate through SSSD, to acquire them.

4. Authentication does not work and the SSSD sssd-pam log contains "User with UPN [$UPN] was not found." or "UPN [$UPN] does not match target user [$username].": you are using credentials that cannot be mapped to the user being authenticated. Try using kswitch to select a different principal, make sure you authenticated through SSSD, or consider disabling .

sss_override creates a client-side view that changes selected attributes of specific users and groups. The change takes effect only on the local machine.

NOTE: For this feature to work as expected, SSSD must run as "root" and not as the unprivileged user.

ad: use the value of the 32-bit field ldap_user_ad_user_account_control and grant access if the second bit (ACCOUNTDISABLE) is not set. If the attribute is missing, access is granted. The expiration time of the account is checked as well.

sssd.conf must be a regular file, owned by root, and only root may read from or write to it (mode 0600).

On platforms where systemd is supported there is no need to add "sudo" to the list of services, as it has become optional. However, sssd-sudo.socket must be enabled instead.
joe and dick are UNIX user names and juser and richard are the primaries of Kerberos principals. For user joe (resp. dick) SSSD will try to kinit as juser@REALM (resp. richard@REALM).

A printf(3)-compatible format that describes how to compose a fully qualified name from the user name and domain name components.

A comma-separated list of strings that removes (filters) data sent by the PAM responder to the pam_sss PAM module. Different kinds of responses are sent to pam_sss, e.g. messages displayed to the user or environment variables that pam_sss should set.

A comma-separated list of users for whom session recording should be enabled. Matches user names as returned by NSS, i.e. after any space replacement, case changes, etc.

A mapping and matching rule can be added to the SSSD configuration in a section of its own, named like [certmap/DOMAIN_NAME/RULE_NAME]. The following options are allowed in this section:

A possible work-around for long-running processes that look up users and groups only at startup, or very rarely, is to run them with the environment variable SSS_NSS_USE_MEMCACHE set to "NO", so that they do not use the memory cache at all and do not map the memory cache file into memory. In general the better solution is to tune the cache timeout parameters so that they meet local expectations and calling sss_cache is not needed.

A special case is long-running processes that do user or group lookups only at startup, e.g. to determine the name of the user the process is running as. For those lookups the memory cache file is mapped into the memory of the process. Since there are no further lookups, such a process never detects that the memory cache file was invalidated, so the file stays mapped and occupies disk space until the process exits.
As a result, calling sss_cache might increase disk usage because old memory cache files cannot be removed from disk while they are still mapped by long-running processes.

Add microseconds to the timestamp in debug messages. If journald is enabled for SSSD debug logging this option is ignored.

All configuration that is needed on the SSSD side is to extend the list of services with "sudo" in the [sssd] section of sssd.conf(5). To speed up the LDAP lookups you can also set a search base for sudo rules with the ldap_sudo_search_base option.

Always prompt the user for credentials. With this option credentials requested by other PAM modules, typically a password, are ignored and pam_sss prompts for credentials again. Based on the pre-auth reply from SSSD, pam_sss might prompt for a password, a Smartcard PIN or other credentials.

Before performing access control SSSD applies group policy security filtering to the GPOs. For every user login, the applicability of the GPOs linked to the host is checked. For a GPO to apply to a user, the user or at least one of the groups it belongs to must have the following permissions on the GPO:

Both a user name and a UID can be used, but the user should be a local one, i.e. resolvable through the files service in nsswitch.conf.

By default the ssh responder uses all available certificate matching rules to filter the certificates, so that ssh keys are derived only from the matching ones. With this option the rules used can be restricted to a comma-separated list of mapping and matching rule names. All other rules are ignored.

By default, the AD provider maps UID and GID values from the objectSID attribute in Active Directory. For details, see the ID MAPPING section below.
If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set

If POSIX attributes are used, it is recommended for performance reasons that the attributes also be replicated to the Global Catalog. If they are, SSSD will locate the domain of a requested numerical ID with the help of the Global Catalog and search only that domain. If the POSIX attributes are not replicated to the Global Catalog, SSSD must search all domains in the forest sequentially. Note that the cache_first option may also help speed up domainless searches. Note also that if only a subset of the POSIX attributes is present in the Global Catalog, the non-replicated attributes are currently not read from the LDAP port.

By default, SSSD connects to the Global Catalog first to retrieve users from trusted domains and uses the LDAP port to retrieve group memberships, or as a fallback. Disabling this option makes SSSD connect only to the LDAP port of the current AD server.

Certain option defaults do not match their respective back end provider defaults; these option names and the IPA provider-specific defaults are listed below:

Changes the behavior of the ID-mapping algorithm to behave more like winbind's idmap_autorid algorithm.

Comma-separated list of PAM services that are allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Comma-separated list of access control options. Allowed values are:

Comma-separated list of authentication indicators that must be present in a Kerberos ticket to access a PAM service that is allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Comma-separated list of domain names the rule should be applied to. By default a rule is only valid in the domain configured in sssd.conf.
If the provider supports subdomains this option can be used to add the rule to subdomains as well.

Comma-separated list of domains and subdomains representing the lookup order that will be followed. The list does not have to include all possible domains; the missing domains are looked up in the order they appear in the domains configuration option. Subdomains not listed in lookup_order are looked up in a random order for each parent domain.

Comma-separated list of groups that are allowed to log in. This applies only to groups within this SSSD domain. Local groups are not evaluated.

Comma-separated list of groups that are explicitly denied access. This applies only to groups within this SSSD domain. Local groups are not evaluated.

Comma-separated list of services that are started when sssd itself starts. The services list is optional on platforms where systemd is supported, as the services are socket- or D-Bus-activated when needed.

Comma-separated list of users who are allowed to log in.

Comma-separated list of users who are explicitly denied access.

Configuring sudo with the SSSD back end

Currently SSSD basically only supports LDAP to look up user information (the exception is the proxy provider, which is not relevant here). Because of this the mapping rule is based on LDAP search filter syntax, with templates that add certificate content to the filter. It is expected that the filter contains only the specific data needed for the mapping and that the caller embeds it in another filter to do the actual search.
Because of this the filter string should start and end with '(' and ')' respectively.

Currently supported debug levels:

Default for the AD and IPA provider: (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)) which allows three different styles for user names:

Default regular expression that describes how to parse the string containing user name and domain into these components.

Default: true on platforms where inotify is supported, false on other platforms.

Different configuration options are tunable for a trusted domain depending on whether you are configuring SSSD on an IPA server or on an IPA client.

Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.

Do a binary match of the base64-encoded blob against all otherName SAN components. With this option it is possible to match custom otherName components with special encodings that cannot be treated as strings.

Do certificate-based authentication, i.e. authentication with a Smartcard or a similar device. If a Smartcard is not available the user is prompted to insert one. SSSD waits for a Smartcard until the timeout defined by p11_wait_for_card_timeout has passed; see sssd.conf(5) for details.

Enable certificate-based Smartcard authentication. Since this requires additional communication with the Smartcard, which delays the authentication process, the option is disabled by default.

Failover time outs and tuning

The following authentication indicators are supported by IPA Kerberos deployments:

The following options are usable in more than one configuration section.

For each failover-enabled config option two variants exist: primary and backup. The idea is that servers in the primary list are preferred, and backup servers are only tried if no primary server can be reached.
If a backup server is selected, a timeout of 31 seconds is set. After this timeout SSSD periodically tries to reconnect to one of the primary servers. If it succeeds, it replaces the current active (backup) server.

For example, 10:0 means that up to 10 primary servers are handed to sssd_krb5_locator_plugin(8) but no backup servers.

For more details about the options see sssd.conf(5).

For more details about these options see their individual descriptions in the manual page.

For the matching, the subject name stored in the certificate in DER-encoded ASN.1 is converted into a string according to RFC 4514. This means the most specific name component comes first. Note that not all possible attribute names are covered by RFC 4514. The names included are 'CN', 'L', 'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might be shown differently on different platforms and by different tools. To avoid confusion, those attribute names are best not used, or covered by a suitable regular expression.

Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups complete successfully. For more information, refer to the man pages for the specific id_provider in use.

How big a credential cache may be, per ccache. Each service ticket counts against this quota.

How long SSSD tries to resolve a failover service. This service resolution may internally involve several steps, such as resolving DNS SRV queries or locating the site.

How many credential caches the KCM database allows for all users.

How many credential caches the KCM database allows per UID.
This is equivalent to the number of principals you can kinit as.

How many seconds nss_sss should cache enumerations (requests for info about all users).

How many seconds nss_sss should consider entries valid before asking the back end again.

How many seconds nss_sss should consider group entries valid before asking the back end again.

How many seconds nss_sss should consider netgroup entries valid before asking the back end again.

How many seconds nss_sss should consider service entries valid before asking the back end again.

How many seconds nss_sss should consider user entries valid before asking the back end again.

How many seconds sudo should consider rules valid before asking the back end again.

How many seconds the autofs service should consider automounter maps valid before asking the back end again.

How many seconds to keep a host ssh key after refresh, i.e. how long to cache the host key.

How many seconds pam_sss waits for p11_child to finish.

How often the back end should perform a periodic DNS update in addition to the automatic update performed when the back end goes online. This option is optional and applicable only when dyndns_update is true.
Note that the lowest possible value is 60 seconds; if a value below 60 is given, the parameter assumes the lowest value.

If two-factor authentication (2FA) is used and credentials should be saved, this value determines the minimal length the first authentication factor (long-term password) must have to be saved as a SHA512 hash in the cache.

If set, the entered password is put on the stack for other PAM modules to use.

If Smartcard authentication is required, how many extra seconds in addition to p11_child_timeout the PAM responder should wait until a Smartcard is inserted.

If true, SSSD requires that the Kerberos user principal that successfully authenticated through GSSAPI can be associated with the user being authenticated. Authentication fails if this check fails.

If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists, SSSD's PAM module pam_sss asks SSSD to figure out which authentication methods are available for the user trying to log in. Based on the results pam_sss prompts the user for the appropriate credentials.

If enabled, SSSD stores only rules that can be applied to this machine, that is, rules whose sudoHost attribute contains one of the following values:

If multiple rules have the same priority and only one of the related matching rules applies, that rule is chosen. If there are multiple rules with the same priority that match, one is chosen, but which one is undefined. To avoid this undefined behavior either use different priorities or make the matching rules more specific, e.g.
by using distinct <ISSUER> patterns.

If no Smartcard is available after the timeout, or certificate-based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.

If no Smartcard is available, or certificate-based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.

If no rules are configured, using 'all_rules' enables a default rule that accepts all certificates suitable for client authentication. This is the same behavior as the PAM responder's if certificate authentication is enabled.

If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, you may use both fixed server addresses and service discovery by inserting the special keyword _srv_ in the list of servers. The order of preference is maintained. This is useful if, for example, you prefer service discovery whenever possible and want to fall back to a specific server when no server can be discovered through DNS.

If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.

If set to 0, the user cannot authenticate offline once offline_failed_login_attempts has been reached. Only a successful online authentication can enable offline authentication again.

If set to true, the group membership attribute is not requested from the LDAP server, and group members are not returned when processing group lookup calls such as getgrnam(3) or getgrgid(3). As a result, getent group $groupname returns the requested group as if it were empty.

If set to true, sss_ssh_authorizedkeys also returns ssh keys derived from the public key of X.509 certificates stored in the user entry. See sss_ssh_authorizedkeys(1) for details.

If set to true, the LDAP library performs a reverse lookup to canonicalize the host name during a SASL bind.

If specified, the user is asked another N times for a password if authentication fails.
Default is 0.

If the back end supports sub-domains, the value of ldap_sasl_mech is automatically inherited by the sub-domains. If a different value is needed for a sub-domain it can be overridden by setting ldap_sasl_mech for that sub-domain explicitly. See the TRUSTED DOMAIN SECTION in sssd.conf(5) for details.

If the domain list is not empty, users mapped to a given certificate are searched not only in the local domain but also in the listed domains, as long as they are known to SSSD. Domains not known to SSSD are ignored.

If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value, debug messages are sent to stderr.

If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value, the plugin is disabled and just returns KRB5_PLUGIN_NO_HANDLE to the caller.

If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to any value, the plugin tries to resolve all DNS names in the kdcinfo file. By default the plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on the first DNS resolution failure.

If the files provider is configured to monitor other files it makes sense to set this option to 'False', to avoid inconsistent behavior, because in general there would be no other NSS module that could serve as a fallback.

If there are no more machines to try, the back end as a whole switches to offline mode and then attempts to reconnect every 30 seconds.

If true and service discovery (see the Service Discovery paragraph at the bottom of the man page) is enabled, SSSD first attempts location-based discovery using a query that contains "_location.hostname.example.com" and then falls back to traditional SRV discovery.
If the location-based discovery succeeds, the IPA servers it finds are treated as primary servers and the IPA servers found by traditional SRV discovery are used as backup servers.

If true, SSSD downloads every rule that contains a netgroup in the sudoHost attribute.

If true, SSSD downloads every rule that contains a wildcard in the sudoHost attribute.

If using access_provider = ldap and ldap_access_order = filter (the default), this option is mandatory. It specifies an LDAP search filter that must be met for the user to be granted access on this host. If access_provider = ldap, ldap_access_order = filter and this option is not set, all users are denied access. Use access_provider = permit to change this default behavior. Note that this filter is applied to the LDAP user entry only, so filtering based on nested groups may not work (e.g. the memberOf attribute on AD entries points only to direct parents). If filtering based on nested groups is required, see sssd-simple(5).

In contrast to the SID-based ID mapping used when ldap_id_mapping is set to true, the allowed ID range for ldap_user_uid_number and ldap_group_gid_number is unbounded. In a setup with sub/trusted domains this might lead to ID collisions. To avoid collisions, ldap_min_id and ldap_max_id can be set to restrict the allowed range for IDs read directly from the server. Sub-domains can then pick other ranges to map IDs.

In environments with read-only and read-write KDCs, where clients are expected to use the read-only instances for general operations and only the read-write KDC for configuration changes such as password changes, a kpasswdinfo.REALM file is used as well to identify the read-write KDCs. If this file exists for the given realm, its content is used by the plugin to answer requests for a kpasswd or kadmin server, or for the MIT Kerberos specific master KDC.
If the address contains a port number, the default KDC port 88 is used for the latter.

In general it is recommended to take attributes from the certificate and add them to special attributes of the LDAP user object, e.g. the 'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute in IPA.

To change the default of one of the configuration attributes of the sss plugin listed below you need to create a config section for it, named [sss].

Internally the priority is treated as an unsigned 32-bit integer; using a priority value larger than 4294967295 causes an error.

Invalidate all autofs maps. This option overrides invalidation of a specific map if that was also set.

Invalidate all cached sudo rules. This option overrides invalidation of a specific sudo rule if that was also set.

Invalidate all group records. This option overrides invalidation of a specific group if that was also set.

Invalidate all netgroup records. This option overrides invalidation of a specific netgroup if that was also set.

Invalidate all service records. This option overrides invalidation of a specific service if that was also set.

The LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required: sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed. Refer to the ldap_access_filter config option for more information about using LDAP as an access provider.

Lifetime of the PAC entry in seconds. As long as the PAC is valid, the PAC data can be used to determine the group memberships of a user.

Maximal number of secondary slices that is tried when mapping from a UNIX ID to a SID.

Maximum number of expired rules that can be refreshed at once. If the number of expired rules is below the threshold, those rules are refreshed with the rules refresh mechanism.
If the threshold is exceeded, a full refresh of sudo rules is triggered instead. This threshold also applies to IPA sudo command and command group searches.

NOTE: It is not possible to mix units. To set the lifetime to one and a half hours use '90m' instead of '1h30m'.

NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos realm must be set properly in /etc/krb5.conf.

NOTE: This option has no effect on netgroup lookups due to their tendency to include nested netgroups without qualified names. For netgroups, all domains are searched when an unqualified name is requested.

Name of the LDAP attribute containing the email address of the user.

Normally, when no applicable GPOs are found, users are allowed access. When this option is set to true, users are allowed access only when a GPO rule explicitly allows them; otherwise they are denied. This can be used to harden security, but be careful: it can deny access even to users in the built-in Administrators group if no GPO rules apply to them.

Normally, when some group policy containers (AD objects) of applicable group policy objects are not readable by SSSD, users are denied access. This option allows ignoring group policy containers, and the policies associated with them, whose attributes are not readable by SSSD.

Not all Kerberos implementations support the use of plugins. If sssd_krb5_locator_plugin is not available on your system, you have to edit /etc/krb5.conf to reflect your Kerberos setup.

Note: Additional secondary slices might be generated when a SID is mapped to a UNIX ID and the RID part of the SID is out of range for the secondary slices generated so far.
If the value of ldap_idmap_helper_table_size is 0, no additional secondary slices are generated.

Note: The cron service name may differ depending on the Linux distribution used.

Note: First, a new connection is established to verify the current password by binding as the user that requested the password change. If successful, this connection is used to change the password, therefore the user must have write access to the userPassword attribute.

Note: If the email address of a user conflicts with the email address or fully qualified name of another user, SSSD will not be able to serve those users properly. If for some reason several users need to share the same email address, set this option to a nonexistent attribute name to disable user lookup/login by email.

Note: It is unsupported to have multiple search bases that reference identically named objects (for example, groups with the same name in two different search bases). This leads to unpredictable behavior on client machines.

Note: Be aware that the message is only printed for the SSH service unless pam_verbosity is set to 3 (show all messages and debug information).

Note: In the Group Policy Management Editor this value is called "Access this computer from the network" and "Deny access to this computer from the network".

Note: In the Group Policy Management Editor this value is called "Allow log on as a batch job" and "Deny log on as a batch job".

Note: this option has no effect on platforms where inotify is unavailable. On these platforms polling is always used.

Number of days entries are left in the cache after the last successful login before being removed during a cleanup of the cache. 0 means keep forever. The value of this parameter must be greater than or equal to offline_credentials_expiration.

Override data is stored in the SSSD cache. If the cache is deleted, all local overrides are lost.
Note that after the first override is created with any of the user-add, group-add, user-import or group-import commands, SSSD needs to be restarted for it to take effect. sss_override prints a message when a restart is required.

PKCS#11 URI (see RFC 7512 for details) that can be used to restrict the selection of devices used for Smartcard authentication. By default SSSD's p11_child searches for a PKCS#11 slot (reader) where the 'removable' flag is set and reads the certificates from the token inserted in the first slot found. If multiple readers are connected, p11_uri can be used to tell p11_child to use a specific reader.

Note that UID 0 is always allowed to access the PAM responder, even if it is not in the pam_trusted_users list.

Note that although UID 0 is the default, it is overwritten by this option. If you still want to allow the root user to access the InfoPipe responder, which is the typical case, you have to add 0 to the list of allowed UIDs as well.

Note that although UID 0 is the default, it is overwritten by this option. If you still want to allow the root user to access the PAC responder, which is the typical case, you have to add 0 to the list of allowed UIDs as well.

Note that disabling Global Catalog support does not disable retrieving users from trusted domains; SSSD connects to the LDAP port of the trusted domains instead. However, the Global Catalog must be used in order to resolve cross-domain group memberships.

Note that if cached_auth_timeout is longer than pam_id_timeout, the back end could still be called to handle initgroups.

Note that it is a configuration error if both simple_allow_users and simple_deny_users are defined.

Note that this option might not work as expected if the application calling PAM handles the user dialog on its own.
A typical example is sshd with .

Note that this option is only used in the fallback attempt, when the previous attempt using autodetected settings failed.

Note that the home directory from a specific override for the user, either local (see sss_override(8)) or from centrally managed IPA ID overrides, has higher precedence and is used instead of the value given by override_homedir.

Note that when this option is set, the output format of all commands is always fully qualified, even when short names are used as input, for all users except those managed by the files provider. If the administrator wants output that is not fully qualified, the full_name_format option can be used as follows:

full_name_format=%1$s

However, keep in mind that during login, login applications often canonicalize the user name by calling getpwnam(3), which, if a short name is returned for a qualified input (while trying to reach a user that exists in multiple domains), may re-route the login attempt into the domain that uses short names. This workaround is therefore not recommended where user names may overlap between domains.

Regular expression for this domain that describes how to parse the string containing user name and domain into these components. The "domain" can match either the SSSD configuration domain name or, in the case of IPA trust subdomains and Active Directory domains, the flat (NetBIOS) name of the domain.

Resolving a server to connect to can be as simple as running a single DNS query or can involve several steps, such as finding the correct site or trying multiple host names in case some of the configured servers are not reachable. The more complex scenarios can take some time, and SSSD needs to balance providing enough time to finish the resolution process against not trying for too long before falling back to offline mode.
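The default re_expression for AD and IPA quoted earlier, the full_name_format option and the krb5_map_user example (joe kinits as juser@REALM) worked through in Python. This is an added example, not code from SSSD or its man pages. It assumes the documented full_name_format default of %1$s@%2$s (this page only shows the %1$s workaround) and the documented krb5_map_user syntax of comma-separated unixname:primary pairs (the page only gives the names). SSSD evaluates re_expression with PCRE, which allows the duplicated (?P<name>)/(?P<domain>) group names; Python's re module rejects them, so the three alternatives are kept as separate patterns and tried in PCRE's order.

```python
"""Added example (not SSSD code): split a login string with the default
re_expression and rebuild it with full_name_format.

PCRE tries every alternative at offset 0, then every alternative at
offset 1, and so on. The loop below reproduces that order with the three
alternatives of the default pattern held as separate compiled expressions.
"""
import re

# The documented AD/IPA default, split at its top-level '|':
#   (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
RE_ALTERNATIVES = (
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),  # DOMAIN\name
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),    # name@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                # bare name (no domain)
)

# Ass umed: '%1$s@%2$s' is the documented full_name_format default; this page
# only shows the '%1$s' workaround.
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"


def parse_name(login):
    """Return (name, domain); domain is None for an unqualified name."""
    for offset in range(len(login)):
        for alt in RE_ALTERNATIVES:
            # pattern.match(s, pos): '^' still means the real start of the string
            m = alt.match(login, offset)
            if m:
                return m.group("name"), m.groupdict().get("domain")
    raise ValueError("re_expression does not match %r" % login)


def compose_name(name, domain, fmt=DEFAULT_FULL_NAME_FORMAT, flat_domain=None):
    """Expand the printf(3)-style format: %1$s user name, %2$s domain name,
    %3$s flat (NetBIOS) domain name, %% a literal percent sign."""
    fields = {"1": name, "2": domain or "", "3": flat_domain or ""}

    def expand(m):
        return "%" if m.group(0) == "%%" else fields[m.group(1)]

    return re.sub(r"%%|%([123])\$s", expand, fmt)


def parse_krb5_map_user(value):
    """Assumed syntax 'unixname:primary,unixname:primary' (the documented form;
    the page only names joe/juser and dick/richard)."""
    mapping = {}
    for pair in value.split(","):
        if pair.strip():
            unix_name, primary = pair.split(":", 1)
            mapping[unix_name.strip()] = primary.strip()
    return mapping


def kinit_principal(unix_name, realm, krb5_map_user=""):
    """Principal SSSD tries to kinit as: the mapped primary if present, else the name."""
    primary = parse_krb5_map_user(krb5_map_user).get(unix_name, unix_name)
    return "%s@%s" % (primary, realm)


if __name__ == "__main__":
    for login in ("EXAMPLE\\joe", "joe@example.com", "joe"):
        name, domain = parse_name(login)
        # a bare name is assumed to have been found in example.com
        print("%-16s -> name=%s domain=%s -> %s / short: %s" % (
            login, name, domain,
            compose_name(name, domain or "example.com"),
            compose_name(name, domain, fmt="%1$s")))
    # krb5_map_user from the page: joe kinits as juser@REALM, dick as richard@REALM
    print(kinit_principal("joe", "EXAMPLE.COM", "joe:juser, dick:richard"))
```

compose_name(..., fmt="%1$s") shows why the workaround above is risky: the qualified input joe@example.com and the bare input joe both come out as joe, so a getpwnam() call made by the login application can no longer tell the two domains apart.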
If the SSSD debug logs show that server resolution is timing out before a live server is contacted, consider changing the timeouts.

SSSD can handle the views and overrides offered by FreeIPA 4.1 and later versions. Since all paths and object classes are fixed on the server side, there is basically no need to configure anything. For completeness the related options are listed here with their default values.

SSSD is used to provide the desired service name and to validate the user's credentials using GSSAPI calls. If the service ticket is already present in the Kerberos credential cache, or if the user's ticket-granting ticket can be used to obtain the correct service ticket, the user is authenticated.

SSSD supports looking up the names of Well-Known SIDs, i.e. SIDs with a special hardcoded meaning. Since the generic users and groups related to those Well-Known SIDs have no equivalent in a Linux/UNIX environment, no POSIX IDs are available for those objects.

SSSD uses different mechanisms, with more or less complex LDAP filters, to keep the cached sudo rules up to date. The default configuration is set to values that should satisfy most users, but the following paragraphs contain a few tips on how to fine-tune the configuration to your requirements.

Similar to --genconf, but only refresh a single section from the configuration file. This option is mainly meant to be called from systemd unit files, to allow socket-activated responders to refresh their configuration without requiring the administrator to restart the whole SSSD.

Since some utilities allow modifying SID-based access control information with the help of a name instead of the SID directly, SSSD also supports looking up the SID by name. To avoid collisions, only the fully qualified names can be used to look up Well-Known SIDs.
As a result, the domain names NULL AUTHORITY, WORLD AUTHORITY, LOCAL AUTHORITY, CREATOR AUTHORITY, NT AUTHORITY and BUILTIN should not be used as domain names in sssd.conf.

Space-separated list of IPv4 or IPv6 host/network addresses that should be used to filter the rules.

Space-separated list of hostnames or fully qualified domain names that should be used to filter the rules.

Specifies a list of configuration parameters that should be inherited by a subdomain. Please note that only selected parameters can be inherited. Currently the following options can be inherited:

Specifies a timeout (in seconds) for which a connection to an LDAP server will be maintained. After this time, the connection will be re-established. If used in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. the TGT lifetime) will be used.

Specifies acceptable cipher suites. Typically this is a colon-separated list. See ldap.conf 5 for the format.

Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries for invalid database entries, such as nonexistent ones) before asking the back end again.

Specifies for how many seconds nss_sss should keep local users and groups in the negative cache before trying to look them up in the back end again. Setting the option to 0 disables this feature.

Specifies for how many seconds the autofs responder should cache negative cache hits (that is, queries for invalid map entries, such as nonexistent ones) before asking the back end again.

Specifies how many seconds SSSD has to wait before triggering a background refresh task which will refresh all expired or nearly expired records.

Specifies whether SSSD should instruct the Kerberos libraries what realm and which KDCs to use. This option is on by default; if you disable it, you need to configure the Kerberos library using the krb5.conf 5 configuration file.

Specifies whether the host and user principal should be canonicalized.
This feature is available with MIT Kerberos 1.7 and later versions.

Specifies whether the host principal should be canonicalized when connecting to the LDAP server. This feature is available with MIT Kerberos 1.7 and later.

Specifies the comma-separated list of UID values or user names that are allowed to access the InfoPipe responder. User names are resolved to UIDs at startup.

Specifies the comma-separated list of UID values or user names that are allowed to access the PAC responder. User names are resolved to UIDs at startup.

Specifies the comma-separated list of UID values or user names that are allowed to run PAM conversations against trusted domains. Users not included in this list can only access domains marked as public with pam_public_domains. User names are resolved to UIDs at startup.

Specifies the file that contains certificates for all of the Certificate Authorities that sssd will recognize.

Specifies whether to use subdomain realms for the authentication of users from trusted domains. This option can be set to 'true' if enterprise principals are used with upnSuffixes which are not known to the parent domain KDCs. If the option is set to 'true', SSSD will try to send the request directly to a KDC of the trusted domain the user is coming from.

Specify the file to read the user's password from (if not specified, the password is prompted for).

Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, this represents the Kerberos principal used for authentication to the directory. This option can either contain the full principal (for example host/myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By default, the value is not set and the following principals are used:

If none of them are found, the first principal in the keytab is returned.

Specify the number of group members that must be missing from the internal cache in order to trigger a dereference lookup.
If fewer members are missing, they are looked up individually.

SystemTap probe points have been added at various locations in the SSSD code to assist in troubleshooting and analyzing performance-related issues.

The full refresh simply deletes all sudo rules stored in the cache and replaces them with all rules that are stored on the server. This is used to keep the cache consistent by removing every rule which was deleted from the server. However, a full refresh may produce a lot of traffic and thus should only be run occasionally, depending on the size and stability of the sudo rules.

The rules refresh ensures that we do not grant the user more permission than defined. It is triggered each time the user runs sudo. The rules refresh finds all rules that apply to this user, checks their expiration time and re-downloads them if expired. If any of these rules are missing on the server, SSSD performs an out-of-band full refresh, because more rules (that apply to other users) may have been deleted.

The AD provider automatically sets "fallback_homedir = /home/%d/%u" to provide personal home directories for users without the homeDirectory attribute. If your AD domain is properly populated with POSIX attributes and you want to avoid this fallback behavior, you can explicitly set "fallback_homedir = %o".

The AD provider can be used to get user information and authenticate users from trusted domains. Currently only trusted domains in the same forest are recognized. In addition, servers from trusted domains are always auto-discovered.

The AD provider enables SSSD to use the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with optimizations for Active Directory environments. The AD provider accepts the same options used by the sssd-ldap and sssd-krb5 providers, with some exceptions. However, it is neither necessary nor recommended to set these options.

The AD provider is a back end used to connect to an Active Directory server.
This provider requires that the machine be joined to the AD domain and that a keytab is available. Back end communication occurs over a GSSAPI-encrypted channel; SSL/TLS options should not be used with the AD provider and will be superseded by Kerberos usage.

The IPA provider enables SSSD to use the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with optimizations for IPA environments. The IPA provider accepts the same options used by the sssd-ldap and sssd-krb5 providers, with some exceptions. However, it is neither necessary nor recommended to set these options.

The IPA provider is a back end used to connect to an IPA server. (Refer to the freeipa.org web site for information about IPA servers.) This provider requires that the machine be joined to the IPA domain; configuration is almost entirely self-discovered and obtained directly from the server.

The Kerberos locator plugin sssd_krb5_locator_plugin is used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such a plugin to guide all Kerberos clients on a system to a single KDC. In general it should not matter which KDC a client process is talking to. But there are cases, e.g. after a password change, where not all KDCs are in the same state because the new data has to be replicated first. To avoid unexpected authentication failures, and possibly even account lockouts, it is better to talk to a single KDC for as long as possible.

The LDAP attribute that corresponds to the user name (or UID, group name or user's netgroup).

The LDAP attribute that corresponds to the user name that commands may be run as.

The PAC responder works together with the authorization data plugin for MIT Kerberos, sssd_pac_plugin.so, and a sub-domain provider. The plugin sends the PAC data during a GSSAPI authentication to the PAC responder. The sub-domain provider collects the domain SID and ID ranges of the domain the client is joined to, and of remote trusted domains, from the local domain controller.
If the PAC is decoded and evaluated, some of the following operations are done:

The SSSD POSIX-type domain the application domain inherits all settings from. The application domain can moreover add its own settings to the application settings that augment or override the sibling domain settings.

The TTL to apply to the client DNS record when updating it. If dyndns_update is false, this has no effect. This will override the TTL server-side if set by an administrator.

The administrator might want to use the SSSD local users instead of traditional UNIX users in cases where group nesting (see sss_groupadd 8) is needed. The local users are also useful for testing and development of SSSD without having to deploy a full remote server. The sss_user* and sss_group* tools use a local LDB storage to store users and groups.

The capitalized versions of these names are used as domain names when returning the fully qualified name of a Well-Known SID.

The cleartext password is read from standard input or entered interactively. The obfuscated password is put into the ldap_default_authtok parameter of the given SSSD domain, and the ldap_default_authtok_type parameter is set to obfuscated_password. Refer to sssd-ldap 5 for more details on these parameters. Note that obfuscation only hides the password from casual reading; it is not encryption, and anyone able to read sssd.conf can recover it, which is one more reason the file must be readable by root only.

The configuration snippets from conf.d have higher priority than sssd.conf and override sssd.conf when conflicts occur. If several snippets are present in conf.d, they are included in alphabetical order (based on locale). Files included later have higher priority. Numerical prefixes (01_snippet.conf, 02_snippet.conf, etc.) help make the priority visible (a higher number means higher priority).

The current use case is login managers which can monitor a Smartcard reader for card events.
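The conf.d precedence rules above, together with the requirement stated elsewhere on this page that sssd.conf be a root-owned regular file readable and writable only by root, are small enough to model end to end. The following is an added example, not code from the SSSD project: it merges a constructed sssd.conf with constructed conf.d snippets using Python's configparser (assumed here to be a close enough model of SSSD's INI merging; sorted() uses code-point order rather than locale collation) and checks a stat result against the ownership and mode requirement.

```python
"""conf.d precedence and the sssd.conf permission check.

Added example; this is not code from the SSSD project. configparser is
used as a model of SSSD's INI merging (an assumption), and sorted() is
code-point order rather than the locale collation SSSD uses. All file
contents below are constructed for the example.
"""
import configparser
import os
import stat

# Constructed main configuration: debug_level and ldap_uri are the
# values the snippets will override.
BASE_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com
debug_level = 0
"""

# Constructed snippets as they would appear under /etc/sssd/conf.d/.
# The numeric prefixes make the ordering explicit: 02_ is read after
# 01_, so its values win.
SNIPPETS = {
    "02_site.conf": (
        "[domain/example.com]\n"
        "debug_level = 9\n"
        "ldap_uri = ldap://ldap2.example.com\n"
    ),
    "01_debug.conf": "[domain/example.com]\ndebug_level = 6\n",
}


def merge_config(base_text, snippets):
    """Return a parser holding sssd.conf merged with conf.d snippets.

    Snippets are applied in alphabetical file-name order on top of the
    base file, so any snippet overrides sssd.conf and a later snippet
    overrides an earlier one. configparser's duplicate-section check
    only applies within one read, so re-reading a section here merges it.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(base_text, source="sssd.conf")
    for name in sorted(snippets):
        parser.read_string(snippets[name], source=name)
    return parser


def effective_domain_settings():
    """Resolve the constructed example: which values actually apply."""
    parser = merge_config(BASE_CONF, SNIPPETS)
    domain = parser["domain/example.com"]
    return {
        "debug_level": domain["debug_level"],   # "9", from 02_site.conf
        "ldap_uri": domain["ldap_uri"],         # ldap2, from 02_site.conf
        "id_provider": domain["id_provider"],   # untouched by snippets
        "services": parser["sssd"]["services"],
    }


def config_file_ok(st_mode, st_uid):
    """True if a stat result satisfies the sssd.conf requirement: a regular
    file, owned by root, with no group or other permission bits at all."""
    return (
        stat.S_ISREG(st_mode)
        and st_uid == 0
        and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    )


def check_path(path):
    """Apply config_file_ok to a real file (lstat, so a symlink fails too)."""
    st = os.lstat(path)
    return config_file_ok(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print(effective_domain_settings())
    conf = "/etc/sssd/sssd.conf"
    if os.path.exists(conf):
        print(conf, "ok" if check_path(conf) else "BAD ownership/mode")
```

Running the module prints the effective values for the constructed domain; on a real host it also reports whether /etc/sssd/sssd.conf meets the ownership and mode requirement. Note that a mode such as 0644 fails the check even though root can still read the file, because the requirement is that nobody else can.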
When a Smartcard is inserted, the login manager calls a PAM stack which includes a line like

In this case SSSD tries to determine the user name based on the content of the Smartcard and returns it to pam_sss, which finally puts it on the PAM stack.

The detailed instructions for configuring sudo_provider are in the manual page sssd-sudo 5. There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap 5.

The failover feature allows back ends to automatically switch to a different server if the current server fails.

The failover mechanism distinguishes between a machine and a service. The back end first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline. No further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the back end tries to connect to a service on this machine. If the service connection attempt fails, only this particular service is considered offline and the back end automatically switches over to the next service. The machine is still considered online and might still be tried for another service.

The filter must be a valid LDAP search filter as specified by http://www.ietf.org/rfc/rfc2254.txt

The following example illustrates the use of an application domain. In this setup, the POSIX domain is connected to an LDAP server and is used by the OS through the NSS responder. In addition, the application domain also requests the telephoneNumber attribute, stores it as the phone attribute in the cache and makes the phone attribute reachable through the D-Bus interface.

The following krb5 options can be configured in the [kcm] section to control renewal behavior; these options are described in detail below.

The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs.
No database is required in this case, as the mapping is done by SSSD.

The list of mappings is given as a comma-separated list of pairs username:primary, where username is a UNIX user name and primary is the user part of a Kerberos principal. This mapping is used when the user is authenticating using auth_provider = krb5.

The main purpose of this option is to let SSSD determine the user name based on additional information, e.g. the certificate from a Smartcard.

The message is read from the file pam_sss_pw_reset_message.LOC, where LOC stands for a locale string returned by setlocale 3. If there is no matching file, the content of pam_sss_pw_reset_message.txt is displayed. Root must be the owner of the files, and only root may have read and write permissions, while all other users must have only read permissions.

The plugin reads the information about the KDCs of a given realm from a file called kdcinfo.REALM. The file should contain one or more DNS names or IP addresses, either in dotted-decimal IPv4 notation or in hexadecimal IPv6 notation. An optional port number can be added to the end, separated by a colon; in this case the IPv6 address has to be enclosed in square brackets, as usual. Valid entries are:

The rules are processed by priority, where the number '0' (zero) indicates the highest priority. The higher the number, the lower the priority. A missing value indicates the lowest priority. Rule processing stops when a matching rule is found, and no further rules are checked.

The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS query. This feature is not supported for backup servers.

The sssd-kcm service is typically socket-activated by systemd 1. To generate debug logs, add the following either to the /etc/sssd/sssd.conf file directly or as a configuration snippet in the /etc/sssd/conf.d/ directory:

Then, restart the sssd-kcm service:

Finally, run whatever use case doesn't work for you.
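The kdcinfo.REALM entry rules described above (a DNS name or an IPv4/IPv6 address, an optional :port, and square brackets around an IPv6 address whenever a port follows it) are easy to get wrong by hand, so here is an added example parser that enforces them. It is not SSSD's own code; the file content is constructed for the example, and the fallback to the standard Kerberos port 88 for entries without a port is the example's assumption, not something the manual states.

```python
"""Parser for sssd_krb5_locator_plugin kdcinfo.REALM entries.

Added example, not code from SSSD. Assumptions not taken from the
manual: entries without a port default to the standard Kerberos port 88,
and SAMPLE_KDCINFO is constructed for the example.
"""
import ipaddress
import re

KERBEROS_PORT = 88  # assumption: default when no port is given

# One DNS label: letters, digits and inner hyphens, 1..63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed kdcinfo.EXAMPLE.COM content exercising every entry form.
SAMPLE_KDCINFO = """\
kdc1.example.com
kdc2.example.com:88
192.0.2.10
192.0.2.11:749
2001:db8::10
[2001:db8::11]:88
"""


def _parse_port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def _is_dns_name(host):
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def parse_kdc_entry(line):
    """Return (host, port, kind) with kind in {'name', 'ipv4', 'ipv6'}.

    Raises ValueError for anything that is not a valid entry.
    """
    entry = line.strip()
    if not entry:
        raise ValueError("empty entry")

    if entry.startswith("["):
        # Bracketed form: only meaningful for an IPv6 address with a port.
        close = entry.find("]")
        if close < 0:
            raise ValueError(f"unterminated '[': {entry!r}")
        host, rest = entry[1:close], entry[close + 1:]
        addr = ipaddress.ip_address(host)  # ValueError if not an IP address
        if addr.version != 6:
            raise ValueError(f"brackets are for IPv6 only: {entry!r}")
        port = KERBEROS_PORT
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"junk after ']': {entry!r}")
            port = _parse_port(rest[1:])
        return str(addr), port, "ipv6"

    if entry.count(":") > 1:
        # Two or more colons and no brackets: the whole entry is an IPv6
        # address. This is why brackets are mandatory when a port follows;
        # without them "2001:db8::11:88" is a different, valid address.
        return str(ipaddress.ip_address(entry)), KERBEROS_PORT, "ipv6"

    host, sep, port_text = entry.partition(":")
    port = _parse_port(port_text) if sep else KERBEROS_PORT
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not _is_dns_name(host):
            raise ValueError(f"not a DNS name or IP address: {host!r}")
        return host, port, "name"
    return str(addr), port, "ipv4"  # at most one colon, so never IPv6 here


def parse_kdcinfo(text):
    """Parse a whole kdcinfo.REALM file, ignoring blank lines."""
    return [parse_kdc_entry(line) for line in text.splitlines() if line.strip()]


def rejects(line):
    """True if parse_kdc_entry refuses the entry."""
    try:
        parse_kdc_entry(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for host, port, kind in parse_kdcinfo(SAMPLE_KDCINFO):
        print(f"{kind:4} {host} port {port}")
```

The unbracketed "2001:db8::11:88" case is the one worth remembering: it parses as a valid address ending in ::11:88 rather than as address ::11 with port 88, so a typo of that kind silently points the locator at the wrong host instead of failing.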
The KCM logs will be generated at /var/log/sssd/sssd_kcm.log. It is recommended to disable the debug logs when you no longer need them, as the sssd-kcm service can generate quite a large amount of debugging information.

The user is not known to the authentication service, or GSSAPI authentication is not supported.

The validation is the benefit of using X.509 certificates instead of SSH keys directly, because, for example, it gives better control over the lifetime of the keys. When the ssh client is configured to use the private keys from a Smartcard with the help of a PKCS#11 shared library (see ssh 1 for details), it might be irritating that authentication still works even if the related X.509 certificate on the Smartcard has already expired, because neither ssh nor sshd looks at the certificate at all.

There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap 5 and "sudo_*" in sssd.conf 5.

These files are searched for in the directory /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present, a generic message is displayed.

This attribute is currently only used by the AD provider to determine whether a group is a domain local group and has to be filtered out for trusted domains.

This option can be used to specify which extended key usage the certificate should have. The following values can be used in a comma-separated list:

This option can be used to specify which key usage values the certificate should have. The following values can be used in a comma-separated list:

This option should be False in most IPA deployments, as the IPA server generates the PTR records automatically when forward records are changed.

This option specifies the DN of the password policy entry on the LDAP server.
Please note that the absence of this option in sssd.conf, when account lockout checking is enabled, will yield access denied, as the ppolicy attributes on the LDAP server cannot be checked properly.

This option was named krb5_kdcip in earlier releases of SSSD. While the legacy name is recognized for the time being, users are advised to migrate their config files to use krb5_server instead.

This parameter controls the value of the random offset used for the above equation. The final random_offset value will be a random number in the range:

This parameter will replace spaces (space bar) with the given character for user and group names, e.g. (_). The user name "john doe" will become "john_doe". This feature was added to help compatibility with shell scripts that have difficulty handling spaces, due to the default field separator in the shell.

This should avoid that the short PINs of a PIN-based 2FA scheme are saved in the cache, where they would be easy targets for brute-force attacks.

This should be preferred over reading user-specific data from the certificate, e.g. an email address, and searching for it in the LDAP server. The reason is that the user-specific data in LDAP might change for various reasons and would break the mapping. On the other hand, it would be hard to break the mapping on purpose for a specific user.

This string will be used as the default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in with just their user name, without giving a domain name as well.

This template will add the Kerberos principal, which is taken either from the SAN used by PKINIT or the one used by AD. The 'short_name' component represents the first part of the principal before the '@' sign.

This template will add the full issuer DN converted to a string according to RFC 4514.
If X.500 ordering (most specific RDN comes last) is needed, an option with the '_x500' prefix should be used.

This template will add the string which is stored in the rfc822Name component of the SAN, typically an email address. The 'short_name' component represents the first part of the address before the '@' sign.

This template will add the whole DER-encoded certificate as a string to the search filter. Depending on the conversion option, the binary certificate is either converted to an escaped hex sequence '\xx' or to base64. The escaped hex sequence is the default and can e.g. be used with the LDAP attribute 'userCertificate;binary'.

Time in seconds that SSSD will try to resolve a single DNS query (e.g. resolution of a hostname or an SRV record) before trying the next hostname or discovery domain.

Timeout in seconds between heartbeats for this service. This is used to ensure that the process is alive and capable of answering requests. Note that after three missed heartbeats the process will terminate itself.

To allow authentication with Smartcards and certificates, SSSD must be able to map certificates to users. This can be done by adding the full certificate to the LDAP object of the user or to a local override. While using the full certificate is required to use the Smartcard authentication feature of SSH (see sss_ssh_authorizedkeys 8 for details), it might be cumbersome or not even possible to do this for the general case where local services use PAM for authentication.

To be compatible with the usage of MIT Kerberos, this option will match the Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:Principal> does.

To disable the creation of the configuration snippets, set the parameter to 'none'.

To enable service discovery, ldap_chpass_dns_service_name must be set.

To enable this, the ssh_use_certificate_keys option must be set to true (the default) in the [ssh] section of sssd.conf.
If the user entry contains certificates (see ldap_user_certificate in sssd-ldap 5 for details), or there is a certificate in an override entry for the user (see sss_override 8 or sssd-ipa 5 for details), and the certificate is valid, SSSD will extract the public key from the certificate and convert it into the format expected by sshd.

To list all available commands, run sssctl without any parameters. To print help for a selected command, run sssctl COMMAND --help.

To log the required bitmask debug levels, simply add their numbers together as shown in the following examples:

To make the configuration simple and reduce the number of configuration options, the files provider has some special properties:

To make the mapping more flexible, mapping and matching rules were added to SSSD (see sss-certmap 5 for details).

Treat user and group names as case sensitive. Possible option values are:

Try to use certificate-based authentication, i.e. authentication with a Smartcard or similar device. If a Smartcard is available and the service is allowed for Smartcard authentication, the user will be prompted for a PIN and the certificate-based authentication will continue.

Unsigned integer value defining the priority of the rule. The higher the number, the lower the priority. 0 stands for the highest priority while 4294967295 is the lowest.

When SSSD switches to offline mode, the amount of time before it tries to go back online will increase based upon the time spent disconnected. By default SSSD uses incremental behaviour to calculate the delay between retries, so the wait time for a given retry will be longer than the wait time for the previous ones. After each unsuccessful attempt to go online, the new interval is recalculated by the following:

When a user or group is looked up by name in the proxy provider, a second lookup by ID is performed to "canonicalize" the name in case the requested name was an alias.
Setting this option to true causes SSSD to perform the ID lookup from the cache, for performance reasons.

When changing the password, force the module to set the new password to the one provided by a previously stacked password module.

Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server. Insecure updates can be sent by setting this option to 'none'.

While the first two correspond to the general default, the third one is introduced to allow easy integration of users from Windows domains.

While updating the internal data, SSSD will return an error and let the client continue with the next NSS module. This helps to avoid delays when using the default system files /etc/passwd and /etc/group and the NSS configuration has 'sss' before 'files' for the 'passwd' and 'group' maps.

With the growing number of authentication methods, and the possibility that there are multiple ones for a single user, the heuristic used by pam_sss to select the prompting might not be suitable for all use cases. The following options should provide better flexibility here.

With this, a part or the whole of the issuer name of the certificate can be matched. All comments for <SUBJECT> apply here as well.

With this, a part or the whole of the subject name of the certificate can be matched. For the matching, POSIX Extended Regular Expression syntax is used; see regex(7) for details.

With this option, a client-side evaluation of access control attributes can be enabled.

With this parameter, the PAM certificate verification can be tuned with a comma-separated list of options that override the certificate_verification value in the [sssd] section. Supported options are the same as for certificate_verification.

With this parameter, the certificate verification can be tuned with a comma-separated list of options. Supported options are:

    [General]
    Verbosity = 2
    # domain must be synced between NFSv4 server and clients
    # Solaris/Illumos/AIX use "localdomain" as default!
    Domain = default

    [Mapping]
    Nobody-User = nfsnobody
    Nobody-Group = nfsnobody

    [Translation]
    Method = sss

Boolean value; if True there will be only a single prompt using the value of first_prompt, where it is expected that both factors are entered as a single string. Please note that both factors have to be entered here, even if the second factor is optional.

fully qualified user name (user@domain)

get OpenSSH authorized keys

if maprule is not set, the RULE_NAME name is assumed to be the name of the matching user

libkrb5 will search for the locator plugin in the libkrb5 sub-directory of the Kerberos plugin directory; see plugin_base_dir in krb5.conf 5 for details. The plugin can only be disabled by removing the plugin file; there is no option in the Kerberos configuration to disable it. However, the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to disable the plugin for individual commands. Alternatively, the SSSD option krb5_use_kdcinfo=False can be used to not generate the data needed by the plugin. With this, the plugin is still called but provides no data to the caller, so that libkrb5 can fall back to the other methods defined in krb5.conf.

user name

Project-Id-Version: sssd; Language-Team: English (United Kingdom); Last-Translator: Anthony Harrington; PO-Revision-Date: 2022-04-12 22:04+0000; X-Launchpad-Export-Date: 2024-09-02 20:51+0000; X-Generator: Launchpad (build 1b1ed1ad2dbfc71ee62b5c5491c975135a771bf0)
As a result, calling sss_cache might increase disk usage, because old memory cache files cannot be removed from the disk while long-running processes still have them mapped.

Add microseconds to the timestamp in debug messages. If journald is enabled for SSSD debug logging, this option is ignored.

The only configuration that is needed on the SSSD side is to extend the list of services with "sudo" in the [sssd] section of sssd.conf 5. To speed up the LDAP lookups, you can also set the search base for sudo rules using the ldap_sudo_search_base option.

Always prompt the user for credentials. With this option, credentials requested by other PAM modules, typically a password, will be ignored and pam_sss will prompt for credentials again. Based on the pre-auth reply by SSSD, pam_sss might prompt for a password, a Smartcard PIN or other credentials.

Before performing access control, SSSD applies group policy security filtering on the GPOs. For every single user login, the applicability of the GPOs that are linked to the host is checked.
In order for a GPO to apply to a user, the user, or at least one of the groups to which it belongs, must have the following permissions on the GPO:

Both a user name and a UID can be used, but the user should be a local one, i.e. accessible via the files service of nsswitch.conf.

By default, the ssh responder will use all available certificate matching rules to filter the certificates, so that ssh keys are only derived from the matching ones. With this option, the rules used can be restricted with a comma-separated list of mapping and matching rule names. All other rules will be ignored.

By default, the AD provider will map UID and GID values from the objectSID parameter in Active Directory. For details on this, see the ID MAPPING section below. If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set

If POSIX attributes should be used, it is recommended for performance reasons that the attributes are also replicated to the Global Catalogue. If POSIX attributes are replicated, SSSD will attempt to locate the domain of a requested numerical ID with the help of the Global Catalogue and only search that domain. In contrast, if POSIX attributes are not replicated to the Global Catalogue, SSSD must search all the domains in the forest sequentially. Please note that the cache_first option might also be helpful in speeding up domainless searches. Note that if only a subset of POSIX attributes is present in the Global Catalogue, the non-replicated attributes are currently not read from the LDAP port.

By default, SSSD connects to the Global Catalogue first to retrieve users from trusted domains and uses the LDAP port to retrieve group memberships or as a fallback. Disabling this option makes SSSD only connect to the LDAP port of the current AD server.

Certain option defaults do not match their respective backend provider defaults.
These option names and IPA provider-specific defaults are listed below:

Changes the behaviour of the ID-mapping algorithm to behave more similarly to winbind's idmap_autorid algorithm.

Comma-separated list of PAM services that are allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Comma-separated list of access control options. Allowed values are:

Comma-separated list of authentication indicators required to be present in a Kerberos ticket to access a PAM service that is allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Comma-separated list of domain names the rule should be applied to. By default, a rule is only valid in the domain configured in sssd.conf. If the provider supports subdomains, this option can be used to add the rule to subdomains as well.

Comma-separated list of domains and subdomains representing the lookup order that will be followed. The list doesn't have to include all possible domains, as the missing domains will be looked up based on the order they're presented in the domains configuration option. The subdomains which are not listed as part of lookup_order will be looked up in a random order for each parent domain.

Comma-separated list of groups that are allowed to log in. This applies only to groups within this SSSD domain. Local groups are not evaluated.

Comma-separated list of groups that are explicitly denied access. This applies only to groups within this SSSD domain. Local groups are not evaluated.

Comma-separated list of services that are started when sssd itself starts. The services list is optional on platforms where systemd is supported, as they will be either socket- or D-Bus-activated when needed.

Comma-separated list of users who are allowed to log in.

Comma-separated list of users who are explicitly denied access.

Configuring sudo with the SSSD backend

Currently SSSD basically only supports LDAP to look up user information (the exception is the proxy provider, which is not of relevance here).
Because of this, the mapping rule is based on LDAP search filter syntax with templates to add certificate content to the filter. It is expected that the filter will only contain the specific data needed for the mapping and that the caller will embed it in another filter to do the actual search. Because of this, the filter string should start and stop with '(' and ')' respectively.

Currently-supported debug levels:

Default for the AD and IPA provider: (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)) which allows three different styles for usernames:

Default regular expression that describes how to parse the string containing username and domain into these components.

Default: True on platforms where inotify is supported. False on other platforms.

Different configuration options are tunable for a trusted domain, depending on whether you are configuring SSSD on an IPA server or an IPA client.

Directory in which to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.

Do a binary match with the base64 encoded blob against all otherName SAN components. With this option, it is possible to match against custom otherName components with special encodings which could not be treated as strings.

Do certificate based authentication, i.e. authentication with a Smartcard or similar devices. If a Smartcard is not available, the user will be prompted to insert one. SSSD will wait for a Smartcard until the timeout defined by p11_wait_for_card_timeout has passed; please see sssd.conf 5 for details.

Enable certificate based Smartcard authentication. 
Since this requires additional communication with the Smartcard, which will delay the authentication process, this option is disabled by default.

Failover timeouts and tuning

The following authentication indicators are supported by IPA Kerberos deployments:

The following options are usable in more than one configuration section.

For each failover-enabled config option, two variants exist: primary and backup. The idea is that servers in the primary list are preferred and backup servers are only searched if no primary servers can be reached. If a backup server is selected, a timeout of 31 seconds is set. After this timeout, SSSD will periodically try to reconnect to one of the primary servers. If it succeeds, it will replace the current active (backup) server.

For example, 10:0 means that up to 10 primary servers will be handed to sssd_krb5_locator_plugin 8 but no backup servers.

For more details about the options, see sssd.conf 5.

For more details about these options, see their individual description in the manual page.

For the matching, the subject name stored in the certificate in DER encoded ASN.1 is converted into a string according to RFC 4514. This means the most specific name component comes first. Please note that not all possible attribute names are covered by RFC 4514. The names included are 'CN', 'L', 'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might be shown differently on different platforms and by different tools. To avoid confusion, those attribute names are best not used, or should be covered by a suitable regular expression.

Furthermore, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.

How big a credential cache can be per ccache. Each service ticket counts against this quota.

How long SSSD should try to resolve a failover service. 
This service resolution internally might include several steps, such as resolving DNS SRV queries or locating the site.

How many credential caches the KCM database allows for all users.

How many credential caches the KCM database allows per UID. This is equivalent to the number of principals you can kinit as.

How many seconds nss_sss should cache enumerations for (requests for info about all users).

How many seconds nss_sss should consider entries valid for before asking the backend again.

How many seconds nss_sss should consider group entries valid for before asking the backend again.

How many seconds nss_sss should consider netgroup entries valid for before asking the backend again.

How many seconds nss_sss should consider service entries valid for before asking the backend again.

How many seconds nss_sss should consider user entries valid for before asking the backend again.

How many seconds sudo should consider rules valid for before asking the backend again.

How many seconds the autofs service should consider automounter maps valid for before asking the backend again.

How many seconds to keep a host ssh key after refresh, i.e. how long to cache the host key for.

Number of seconds pam_sss will wait for p11_child to finish.

How often should the backend perform periodic DNS update in addition to the automatic update performed when the backend goes online. This option is optional and applicable only when dyndns_update is true. 
Note that the lowest possible value is 60 seconds and any value provided less than 60 will default back to it.If 2-Factor-Authentication (2FA) is used and credentials should be saved, this value determines the minimal length the first authentication factor (long term password) must have to be saved as SHA512 hash into the cache.If is set, the entered password is put on the stack for other PAM modules to use.If Smartcard authentication is required, how many extra seconds in addition to p11_child_timeout the PAM responder should wait until a Smartcard is inserted.If True, SSSD will require that the Kerberos user principal that successfully authenticated through GSSAPI be able to be associated with the user who is being authenticated. Authentication will fail if the check fails.If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists, SSSD's PAM module pam_sss will ask SSSD to figure out which authentication methods are available for the user trying to log in. Based on the results, pam_sss will prompt the user for appropriate credentials.If enabled, SSSD will store only rules that can be applied to this machine. This refers to rules that contain one of the following values in sudoHost attribute:If multiple rules have the same priority and only one of the related matching rules applies, this rule will be chosen. If there are multiple rules with the same priority which matches, one is chosen but which one is undefined. To avoid this undefined behaviour, either use different priorities or make the matching rules more specific e.g. 
by using distinct <ISSUER> patterns.If no Smartcard is available after the timeout or certificate based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.If no Smartcard is available or certificate based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.If no rules are configured using 'all_rules' will enable a default rule which enables all certificates suitable for client authentication. This is the same behaviour as for the PAM responder if certificate authentication is enabled.If no servers are specified, the backend automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword, _srv_, in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can be discovered using DNS.If service discovery is used in the backend, specifies the domain part of the service discovery DNS query.If set to 0, the user cannot authenticate offline if offline_failed_login_attempts has been reached. Only a successful online authentication can enable offline authentication again.If set to TRUE, the group membership attribute is not requested from the ldap server, and group members are not returned when processing group lookup calls, such as getgrnam 3 or getgrgid 3 . As an effect, getent group $groupname would return the requested group as if it were empty.If set to true, the sss_ssh_authorizedkeys will return ssh keys derived from the public key of X.509 certificates stored in the user entry as well. See sss_ssh_authorizedkeys 1 for details.If set to true, the LDAP library would perform a reverse lookup to canonicalise the host name during a SASL bind.If specified, the user is asked another N times for a password if authentication fails. 
Default is 0.

If the backend supports sub-domains, the value of ldap_sasl_mech is automatically inherited by the sub-domains. If a different value is needed for a sub-domain, it can be overwritten by setting ldap_sasl_mech for this sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in sssd.conf 5 for details.

If the domain list is not empty, users mapped to a given certificate are not only searched in the local domain but in the listed domains as well, so long as they are known by SSSD. Domains not known to SSSD will be ignored.

If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value, debug messages will be sent to stderr.

If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value, the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the caller.

If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to any value, the plugin will try to resolve all DNS names in the kdcinfo file. By default, the plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on the first DNS resolution failure.

If the files provider is configured to monitor other files, it makes sense to set this option to 'False' to avoid inconsistent behaviour, because in general there would be no other NSS module which could be used as a fallback.

If there are no more machines to try, the backend as a whole switches to offline mode, and then attempts to reconnect every 30 seconds.

If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. 
If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as backup servers.

If true, then SSSD will download every rule that contains a netgroup in the sudoHost attribute.

If true, then SSSD will download every rule that contains a wildcard in the sudoHost attribute.

If using access_provider = ldap and ldap_access_order = filter (default), this option is mandatory. It specifies LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap, ldap_access_order = filter and this option is not set, it will result in all users being denied access. Use access_provider = permit to change this default behaviour. Please note that this filter is applied on the LDAP user entry only and thus filtering based on nested groups may not work (e.g. the memberOf attribute on AD entries points only to direct parents). If filtering based on nested groups is required, please see sssd-simple 5.

In contrast to the SID based ID mapping which is used if ldap_id_mapping is set to true, the allowed ID range for ldap_user_uid_number and ldap_group_gid_number is unbounded. This might lead to ID collisions in a setup with sub/trusted domains. To avoid collisions, ldap_min_id and ldap_max_id can be set to restrict the allowed range for the IDs which are read directly from the server. Sub-domains can then pick other ranges to map IDs.

In environments with read-only and read-write KDCs, where clients are expected to use the read-only instances for the general operations and only the read-write KDC for config changes like password changes, a kpasswdinfo.REALM file is used as well to identify read-write KDCs. If this file exists for the given realm, the content will be used by the plugin to reply to requests for a kpasswd or kadmin server, or for the MIT Kerberos specific master KDC. 
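The following sssd.conf fragment is an added example, not text from the SSSD manual pages; it ties together the paragraphs above on the _srv_ service-discovery keyword, the mandatory ldap_access_filter (unset means everybody is denied when access_provider = ldap), and the ldap_min_id/ldap_max_id range restriction for directly-read POSIX IDs. The host names, search base, CA bundle path and group DN are made up for the example.

```ini
[sssd]
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap

# _srv_ first: DNS SRV discovery is preferred, the fixed host is the fallback;
# backup servers are tried only when no primary server can be reached
ldap_uri = _srv_, ldaps://ldap-fallback.corp.example.com
ldap_backup_uri = ldaps://ldap-dr.corp.example.com
dns_discovery_domain = corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com

# authentication over LDAP requires an encrypted channel (ldaps:// here)
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem

# POSIX attributes are read from the directory instead of being mapped from
# objectSID; bound the range so trusted/sub-domains can use disjoint ranges
ldap_id_mapping = false
ldap_min_id = 10000
ldap_max_id = 199999

# with access_provider = ldap and the default ldap_access_order = filter this
# filter is mandatory; it is evaluated on the user entry only, so memberOf
# matches direct group membership, not nested groups
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (&(objectClass=posixAccount)(memberOf=cn=linux-login,ou=groups,dc=corp,dc=example,dc=com))

# if nested-group evaluation is needed, use the simple provider instead:
# access_provider = simple
# simple_allow_groups = linux-login
```

The file must stay a root-owned regular file with mode 0600, otherwise sssd refuses to start. Once the domain is configured, a quick check that the filter does what was intended is to run a login test (for example `ssh` as a user outside linux-login) and confirm the denial in the sssd_pam log rather than assuming it from the configuration alone.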
If the address contains a port number, the default KDC port 88 will be used for the latter.

In general, it is recommended to use attributes from the certificate and add them to special attributes of the LDAP user object, e.g. the 'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute for IPA.

In order to change the default of one of the configuration attributes of the sss plugin listed below, you will need to create a config section for it, named [sss].

Internally, the priority is treated as an unsigned 32-bit integer, and using a priority value larger than 4294967295 will cause an error.

Invalidate all autofs maps. This option overrides invalidation of a specific map if it was also set.

Invalidate all cached sudo rules. This option overrides invalidation of a specific sudo rule if it was also set.

Invalidate all group records. This option overrides invalidation of a specific group if it was also set.

Invalidate all netgroup records. This option overrides invalidation of a specific netgroup if it was also set.

Invalidate all service records. This option overrides invalidation of a specific service if it was also set.

The LDAP backend supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server, either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed. Please refer to the ldap_access_filter config option for more information about using LDAP as an access provider.

Lifetime of the PAC entry, in seconds. As long as the PAC is valid, the PAC data can be used to determine the group memberships of a user.

Maximum number of secondary slices to try when performing mapping from UNIX id to SID.

Maximum number of expired rules that can be refreshed at once. If the number of expired rules is below the threshold, those rules are refreshed with the rules refresh mechanism. 
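As an added example (not from the SSSD manual pages), here is a certificate mapping and matching rule of the kind the paragraphs above describe: the matching rule pins the issuer (an RFC 4514 string, most specific component first) and the key usages, the mapping rule is an LDAP filter fragment wrapped in '(' and ')' that looks the certificate up via the AD 'altSecurityIdentities' attribute, and the rule is given an explicit priority and a domain list. The section name, CA name and domain names are assumptions for the example.

```ini
# [certmap/DOMAIN_NAME/RULE_NAME]: a rule section of its own
[certmap/corp.example.com/smartcard-corp-ca]
# issuer must match exactly (anchored regex on the RFC 4514 form) and the
# certificate must carry the usages expected of a client-auth smartcard cert;
# anchoring with ^...$ avoids a lookalike CA matching a prefix
matchrule = <ISSUER>^CN=Corp Issuing CA,O=Example Corp,C=US$<KU>digitalSignature<EKU>clientAuth
# map via the AD-style altSecurityIdentities value instead of the raw blob;
# the filter starts and stops with '(' and ')' so SSSD can embed it in its
# own user search
maprule = LDAP:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
# 0 is the highest priority; lower numbers win when several rules match
priority = 10
# apply in the configured domain and a trusted sub-domain
domains = corp.example.com, child.corp.example.com

# a lower-priority catch-all for the same domain: match any client-auth
# certificate from the corporate CA on the stored userCertificate blob
[certmap/corp.example.com/fallback-blob]
matchrule = <ISSUER>^CN=Corp Issuing CA,O=Example Corp,C=US$<EKU>clientAuth
maprule = LDAP:(userCertificate;binary={cert!bin})
priority = 100
```

Two rules with the same priority that both match would leave the choice undefined, which is why the second rule is given a distinct, lower priority here. For IPA, the equivalent mapping would target 'ipaCertMapData' with the {issuer_dn!nss_x500}/{subject_dn!nss_x500} conversions instead of the AD ones.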
If the threshold is exceeded, a full refresh of sudo rules is triggered instead. This threshold number also applies to IPA sudo command and command group searches.NOTE: It is not possible to mix units. To set the lifetime to one and a half hours, please use '90m' instead of '1h30m'.NOTE: On older systems (such as RHEL 5), for this behaviour to work reliably, the default Kerberos realm must be set properly in /etc/krb5.confNOTE: This option has no effect on netgroup lookups, due to their tendency to include nested netgroups without qualified names. For netgroups, all domains will be searched when an unqualified name is requested.Name of the LDAP attribute containing the e-mail address of the user.Normally, when no applicable GPOs are found, the users are allowed access. When this option is set to True, users will be allowed access only when explicitly allowed by a GPO rule. Otherwise, users will be denied access. This can be used to harden security, but be careful when using this option because it can deny access even to users in the built-in Administrators group if no GPO rules apply to them.Normally when some group policy containers (AD object) of applicable group policy objects are not readable by SSSD then users are denied access. This option allows to ignore group policy containers, and with them associated policies, if their attributes in group policy containers are not readable for SSSD.Not all Kerberos implementations support the use of plugins. If sssd_krb5_locator_plugin is not available on your system, you have to edit /etc/krb5.conf to reflect your Kerberos setup.Note: Additional secondary slices might be generated when both the SID is being mapped to UNIX id and the RID part of SID is out of range for secondary slices generated so far. 
If value of ldap_idmap_helper_table_size is equal to 0 then no additional secondary slices are generated.Note: Cron service name may differ, depending on Linux distribution used.Note: First, a new connection is established to verify current password by binding as the user that requested password change. If successful, this connection is used to change the password, therefore the user must have write access to userPassword attribute.Note: If an e-mail address of a user conflicts with an e-mail address or fully qualified name of another user, then SSSD will not be able to serve those users properly. If for some reason several users need to share the same e-mail address then set this option to a nonexistent attribute name in order to disable user lookup/login by e-mail.Note: It is unsupported to have multiple search bases which reference identically-named objects (for example, groups with the same name in two different search bases). This will lead to unpredictable behaviour on client machines.Note: Please be aware that the message is only printed for the SSH service when pam_verbosity is not set to 3 (show all messages and debug information).Note: Using the Group Policy Management Editor, this value is called "Access this computer from the network" and "Deny access to this computer from the network".Note: Using the Group Policy Management Editor, this value is called "Allow log on as a batch job" and "Deny log on as a batch job".Note: This option will have no effect on platforms where inotify is unavailable. On these platforms, polling will always be used.Number of days that entries are left in cache after last successful login before being removed during a cache cleanup. 0 means keep forever. The value of this parameter must be greater than or equal to offline_credentials_expiration.Overrides data are stored in the SSSD cache. If the cache is deleted, all local overrides are lost. 
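The ID-mapping paragraphs above (the unbounded POSIX range versus SID-based mapping, secondary slices for RIDs that fall outside the slices generated so far, and ldap_idmap_helper_table_size = 0 suppressing further secondary slices) are easier to follow with the arithmetic written out. The block below is an added, simplified model and not SSSD's own implementation: it hands out slices in order of first use (the idmap_autorid style that the compatibility option above refers to), whereas SSSD's default placement hashes the domain SID, so the concrete numbers differ from a real deployment while the range arithmetic and the secondary-slice behaviour are the same. The default values mirror ldap_idmap_range_min, ldap_idmap_range_max, ldap_idmap_range_size and ldap_idmap_helper_table_size; the domain SIDs used in the usage section are constructed.

```python
"""Simplified, sequential-slice model of SSSD's SID <-> UNIX ID mapping.

Added example; not SSSD code. Slice placement is first-come (autorid style),
not SSSD's hashed default.
"""


class IdMapper:
    def __init__(self, range_min=200000, range_max=2000200000,
                 range_size=200000, helper_table_size=10):
        self.range_min = range_min
        self.range_size = range_size
        self.helper = helper_table_size
        # number of slices that fit into [range_min, range_max)
        self.n_slices = (range_max - range_min) // range_size
        self.next_slice = 0
        self.slices = {}     # (domain_sid, slice_no) -> global slice index
        self.by_index = {}   # global slice index -> (domain_sid, slice_no)

    def _alloc(self, domain_sid, slice_no):
        if self.next_slice >= self.n_slices:
            raise RuntimeError("ID range exhausted; raise ldap_idmap_range_max")
        idx = self.next_slice
        self.next_slice += 1
        self.slices[(domain_sid, slice_no)] = idx
        self.by_index[idx] = (domain_sid, slice_no)
        return idx

    def add_domain(self, domain_sid):
        """Primary slice plus helper_table_size secondary slices per domain."""
        if (domain_sid, 0) in self.slices:
            return
        self._alloc(domain_sid, 0)
        for n in range(1, self.helper + 1):
            self._alloc(domain_sid, n)

    def sid_to_id(self, sid):
        """Map S-1-5-21-...-RID to a UNIX ID; None if no slice can serve the RID."""
        domain_sid, _, rid = sid.rpartition("-")
        rid = int(rid)
        self.add_domain(domain_sid)
        slice_no, offset = divmod(rid, self.range_size)
        idx = self.slices.get((domain_sid, slice_no))
        if idx is None:
            # RID is beyond the secondary slices generated so far: allocate one
            # more, unless helper_table_size == 0 forbids additional slices
            if self.helper == 0:
                return None
            idx = self._alloc(domain_sid, slice_no)
        return self.range_min + idx * self.range_size + offset

    def id_to_sid(self, unix_id):
        """Reverse mapping through the slice table; None for unmapped IDs."""
        if not (self.range_min <= unix_id
                < self.range_min + self.n_slices * self.range_size):
            return None
        idx, offset = divmod(unix_id - self.range_min, self.range_size)
        entry = self.by_index.get(idx)
        if entry is None:
            return None
        domain_sid, slice_no = entry
        return f"{domain_sid}-{slice_no * self.range_size + offset}"


if __name__ == "__main__":
    # constructed domain SIDs for the walk-through
    m = IdMapper(helper_table_size=2)
    print(m.sid_to_id("S-1-5-21-1-2-3-1105"))     # primary slice of domain 1
    print(m.sid_to_id("S-1-5-21-1-2-3-500001"))   # pre-allocated secondary slice
    print(m.sid_to_id("S-1-5-21-1-2-3-600000"))   # needs a new secondary slice
    print(m.sid_to_id("S-1-5-21-9-9-9-1000"))     # second domain, later slices
    print(m.id_to_sid(700001))
```

The point the model makes explicit: a domain with many users whose RIDs exceed range_size consumes slices that would otherwise go to other domains, and with helper_table_size = 0 such RIDs simply become unmappable, which surfaces as users that resolve in one domain but not another rather than as an obvious error.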
Please note that after the first override is created using any of the user-add, group-add, user-import or group-import commands, SSSD needs to be restarted for it to take effect. sss_override prints a message when a restart is required.

PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the selection of devices used for Smartcard authentication. By default, SSSD's p11_child will search for a PKCS#11 slot (reader) where the 'removable' flag is set and read the certificates from the inserted token from the first slot found. If multiple readers are connected, p11_uri can be used to tell p11_child to use a specific reader.

Please note that UID 0 is always allowed to access the PAM responder, even when it is not in the pam_trusted_users list.

Please note that although the UID 0 is used as the default, it will be overwritten with this option. If you still want to allow the root user to access the InfoPipe responder, which would be the typical case, you have to add 0 to the list of allowed UIDs as well.

Please note that although the UID 0 is used as the default, it will be overwritten with this option. If you still want to allow the root user to access the PAC responder, which would be the typical case, you have to add 0 to the list of allowed UIDs as well.

Please note that disabling Global Catalogue support does not disable retrieving users from trusted domains. The SSSD would connect to the LDAP port of trusted domains instead. However, Global Catalogue must be used in order to resolve cross-domain group memberships.

Please note that if cached_auth_timeout is longer than pam_id_timeout then the backend could be called to handle initgroups.

Please note that it is a configuration error if both simple_allow_users and simple_deny_users are defined.

Please note that this option might not work as expected if the application calling PAM handles the user dialogue on its own. 
A typical example is sshd with .Please note that this option will be only used in fallback attempt when a previous attempt using autodetected settings failed.Please note that the home directory from a specific override for the user, whether locally (see sss_override 8) or centrally managed IPA id-overrides, has a higher precedence and will be used instead of the value given by override_homedir.Please, note that when this option is set the output format of all commands is always fully-qualified even when using short names for input, for all users but the ones managed by the files provider. In case the administrator wants the output not fully-qualified, the full_name_format option can be used as shown below: full_name_format=%1$s However, keep in mind that during login, login applications often canonicalise the username by calling getpwnam 3 which, if a shortname is returned for a qualified input (while trying to reach a user which exists in multiple domains) might re-route the login attempt into the domain which uses shortnames, making this workaround totally not recommended in cases where usernames may overlap between domains.Regular expression for this domain that describes how to parse the string containing username and domain into these components. The "domain" can match either the SSSD configuration domain name, or, in the case of IPA trust subdomains and Active Directory domains, the flat (NetBIOS) name of the domain.Resolving a server to connect to can be as simple as running a single DNS query or can involve several steps, such as finding the correct site or trying out multiple host names in case some of the configured servers are not reachable. The more complex scenarios can take some time and SSSD needs to balance between providing enough time to finish the resolution process but on the other hand, not trying for too long before falling back to offline mode. 
If the SSSD debug logs show that the server resolution is timing out before a live server is contacted, you can consider changing the timeouts.SSSD can handle views and overrides which are offered by FreeIPA 4.1 and later version. Since all paths and objectclasses are fixed on the server side there is basically no need to configure anything. For completeness, the related options are listed here with their default values. SSSD is used to provide desired service name and to validate the user's credentials using GSSAPI calls. If the service ticket is already present in the Kerberos credentials cache, or if user's ticket granting ticket can be used to get the correct service ticket, then the user will be authenticated.SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a special hardcoded meaning. Since the generic users and groups related to those Well-Known SIDs have no equivalent in a Linux/UNIX environment, no POSIX IDs are available for those objects.SSSD uses different kinds of mechanisms with more or less complex LDAP filters to keep the cached sudo rules up to date. The default configuration is set to values that should satisfy most of our users, but the following paragraphs contain a few tips on how to fine- tune the configuration to your requirements.Similar to --genconf, but only refresh a single section from the configuration file. This option is useful mainly to be called from systemd unit files, allowing socket-activated responders to refresh their configuration without requiring the administrator to restart the whole SSSD.Since some utilities allow to modify SID based access control information with the help of a name instead of using the SID directly SSSD supports to look up the SID by the name as well. To avoid collisions, only the fully qualified names can be used to look up Well-Known SIDs. 
As a result the domain names NULL AUTHORITY, WORLD AUTHORITY, LOCAL AUTHORITY, CREATOR AUTHORITY, NT AUTHORITY and BUILTIN should not be used as domain names in sssd.conf.

Space-separated list of IPv4 or IPv6 host/network addresses that should be used to filter the rules.

Space-separated list of hostnames or fully qualified domain names that should be used to filter the rules.

Specifies a list of configuration parameters that should be inherited by a subdomain. Please note that only selected parameters can be inherited. Currently, the following options can be inherited:

Specifies a timeout (in seconds) that a connection to an LDAP server will be maintained. After this time, the connection will be re-established. If used in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. the TGT lifetime) will be used.

Specifies acceptable cipher suites. Typically this is a colon-separated list. See ldap.conf 5 for the format.

Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries for invalid database entries, like nonexistent ones) before asking the backend again.

Specifies for how many seconds nss_sss should keep local users and groups in the negative cache before trying to look them up in the backend again. Setting the option to 0 disables this feature.

Specifies for how many seconds the autofs responder should cache negative hits (that is, queries for invalid map entries, like nonexistent ones) before asking the backend again.

Specifies how many seconds SSSD has to wait before triggering a background refresh task which will refresh all expired, or nearly expired, records.

Specifies if the SSSD should instruct the Kerberos libraries what realm and which KDCs to use. This option is on by default. If you disable it, you need to configure the Kerberos library using the krb5.conf 5 configuration file.

Specifies if the host and user principal should be canonicalised. 
This feature is available with MIT Kerberos 1.7 and later versions.Specifies if the host principal should be canonicalised when connecting to LDAP server. This feature is available with MIT Kerberos >= 1.7Specifies the comma-separated list of UID values or usernames that are allowed to access the InfoPipe responder. Usernames are resolved to UIDs at startup.Specifies the comma-separated list of UID values or usernames that are allowed to access the PAC responder. Usernames are resolved to UIDs at startup.Specifies the comma-separated list of UID values or usernames that are allowed to run PAM conversations against trusted domains. Users not included in this list can only access domains marked as public with pam_public_domains. Usernames are resolved to UIDs at startup.Specifies the file that contains certificates for all of the Certificate Authorities that sssd will recognise.Specifies to use subdomain realms for the authentication of users from trusted domains. This option can be set to 'true' if enterprise principals are used with upnSuffixes which are not known on the parent domain KDCs. If the option is set to 'true' SSSD will try to send the request directly to a KDC of the trusted domain the user is coming from.Specify file to read user's password from. (If not specified, password is prompted for).Specify the SASL authorisation id to use. When GSSAPI/GSS-SPNEGO are used, this represents the Kerberos principal used for authentication to the directory. This option can either contain the full principal (for example host/myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By default, the value is not set and the following principals are used: If none of them are found, the first principal in keytab is returned.Specify the number of group members that must be missing from the internal cache in order to trigger a dereference lookup. 
If fewer members are missing, they are looked up individually.

SystemTap probe points have been added into various locations in SSSD code to assist in troubleshooting and analysing performance related issues.

The full refresh simply deletes all sudo rules stored in the cache and replaces them with all rules that are stored on the server. This is used to keep the cache consistent by removing every rule which was deleted from the server. However, a full refresh may produce a lot of traffic and thus it should be run only occasionally, depending on the size and stability of the sudo rules.

The rules refresh ensures that we do not grant the user more permission than defined. It is triggered each time the user runs sudo. Rules refresh will find all rules that apply to this user, check their expiration time, and redownload them if expired. In the case that any of these rules are missing on the server, the SSSD will do an out-of-band full refresh because more rules (that apply to other users) may have been deleted.

The AD provider automatically sets "fallback_homedir = /home/%d/%u" to provide personal home directories for users without the homeDirectory attribute. If your AD domain is properly populated with POSIX attributes, and you want to avoid this fallback behaviour, you can explicitly set "fallback_homedir = %o".

The AD provider can be used to get user information and authenticate users from trusted domains. Currently, only trusted domains in the same forest are recognised. In addition, servers from trusted domains are always auto-discovered.

The AD provider enables SSSD to use the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with optimisations for Active Directory environments. The AD provider accepts the same options used by the sssd-ldap and sssd-krb5 providers, with some exceptions. However, it is neither necessary nor recommended to set these options.

The AD provider is a backend used to connect to an Active Directory server. 
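An added configuration example (not from the SSSD manual pages) for the sudo cache behaviour described above: the per-invocation rules refresh is governed by the sudo entry cache lifetime, the full refresh is scheduled rarely because it re-downloads everything, the expired-rule threshold decides when a bulk refresh is done instead, and the host filter options keep only rules whose sudoHost applies to this machine (including netgroup members, excluding wildcard rules). The smart refresh interval is an sssd-ldap option not described in the fragments above; it fetches only rules modified since the last refresh. The host name, addresses and search base are assumptions for the example.

```ini
[sssd]
# on systemd platforms the sudo entry is optional: the sssd-sudo socket
# activates the responder on demand
services = nss, pam, sudo
domains = corp.example.com

[sudo]
# more than this many expired rules at once triggers a full refresh
# instead of refreshing them one by one
sudo_threshold = 50

[domain/corp.example.com]
id_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=corp,dc=example,dc=com

# rules refresh: a rule older than this is re-downloaded when sudo is run
entry_cache_sudo_timeout = 5400
# incremental refresh of modified rules (15 min) ...
ldap_sudo_smart_refresh_interval = 900
# ... and the expensive full refresh that also removes deleted rules (6 h)
ldap_sudo_full_refresh_interval = 21600

# store only rules that apply here: explicit hostnames and addresses,
# rules naming a netgroup this host may belong to, but no wildcard rules
ldap_sudo_use_host_filter = true
ldap_sudo_hostnames = build01 build01.corp.example.com
ldap_sudo_ip = 192.0.2.15 192.0.2.0/24
ldap_sudo_include_netgroups = true
ldap_sudo_include_regexp = false
```

The client-side half is `sudoers: files sss` in nsswitch.conf. After changing these values, `sss_cache -R` (invalidate all cached sudo rules, as described above) forces the next sudo call to go back to the server rather than waiting for the old cache entries to expire.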
This provider requires that the machine be joined to the AD domain and a keytab is available. Backend communication occurs over a GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD provider and will be superseded by Kerberos usage.The IPA provider enables SSSD to use the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with optimisations for IPA environments. The IPA provider accepts the same options used by the sssd-ldap and sssd-krb5 providers, with some exceptions. However, it is neither necessary nor recommended to set these options.The IPA provider is a backend used to connect to an IPA server. (Refer to the freeipa.org web site for information about IPA servers.) This provider requires that the machine be joined to the IPA domain; configuration is almost entirely self-discovered and obtained directly from the server.The Kerberos locator plugin sssd_krb5_locator_plugin is used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such a plugin to guide all Kerberos clients on a system to a single KDC. In general, it should not matter which KDC a client process is talking to, but there are cases, e.g. after a password change, where not all KDCs are in the same state because the new data has to be replicated first. To avoid unexpected authentication failures and maybe even account lockings, it would be good to talk to a single KDC as long as possible.The LDAP attribute that corresponds to the username (or UID, group name or user's netgroup)The LDAP attribute that corresponds to the username that commands may be run as.The PAC responder works together with the authorisation data plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the PAC data during a GSSAPI authentication to the PAC responder. The sub-domain provider collects domain SID and ID ranges of the domain the client is joined to and of remote trusted domains from the local domain controller. 
If the PAC is decoded and evaluated, some of the following operations are done:The SSSD POSIX-type domain the application domain inherits all settings from. The application domain can also add its own settings to the application settings that augment or override the sibling domain settings.The TTL to apply to the client DNS record when updating it. If dyndns_update is false, this has no effect. This will override the TTL serverside if set by an administrator.The administrator might want to use the SSSD local users instead of traditional UNIX users, in cases where the group nesting (see sss_groupadd 8 ) is needed. The local users are also useful for testing and development of the SSSD without having to deploy a full remote server. The sss_user* and sss_group* tools use a local LDB storage to store users and groups.The capitalised version of these names are used as domain names when returning the fully qualified name of a Well-Known SID.The cleartext password is read from standard input, or entered interactively. The obfuscated password is put into ldap_default_authtok parameter of a given SSSD domain and the ldap_default_authtok_type parameter is set to obfuscated_password. Refer to sssd-ldap 5 for more details on these parameters.The configuration snippets from conf.d have higher priority than sssd.conf and will override sssd.conf when conflicts occur. If several snippets are present in conf.d, then they are included in alphabetical order (based on locale). Files included later have higher priority. Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help visualise the priority (higher number means higher priority).The current use case involves login managers which can monitor a Smartcard reader for card events. 
If a Smartcard is inserted, the login manager will call a PAM stack which includes a line like [...]. In this case SSSD will try to determine the username based on the content of the Smartcard and return it to pam_sss, which will finally put it on the PAM stack.

The detailed instructions for configuration of sudo_provider are in the manual page sssd-sudo(5). There are many configuration options that can be used to adjust the behaviour. Please refer to "ldap_sudo_*" in sssd-ldap(5).

The failover feature allows backends to automatically switch to a different server if the current server fails.

The failover mechanism distinguishes between a machine and a service. The backend first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline and no further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the backend tries to connect to a service on this machine. If the service connection attempt fails, only this particular service is considered offline and the backend automatically switches over to the next service. The machine is still considered online and might still be tried for another service.

The filter must be a valid LDAP search filter as specified by https://www.ietf.org/rfc/rfc2254.txt

The following example illustrates the use of an application domain. In this setup, the POSIX domain is connected to an LDAP server and is used by the OS through the NSS responder. In addition, the application domain also requests the telephoneNumber attribute, stores it as the phone attribute in the cache, and makes the phone attribute reachable through the D-Bus interface.

The following krb5 options can be configured in the [kcm] section to control renewal behaviour; these options are described in detail below.

The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs.
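The machine/service distinction in the failover description above decides which servers get retried and which do not. The following is an added example, not SSSD's failover code: a small model in which a name that fails to resolve takes the whole machine out of rotation for every service, while a failed connection removes only that (machine, service) pair. The host names srv0 to srv2, the set of resolvable names and the set of listening services are a constructed environment.

```python
"""Failover bookkeeping: machines vs. services.

Added example, not SSSD's own code.  It models the rule described above: a
hostname that fails to resolve takes the whole machine offline for every
service, while a failed connection marks only that (machine, service) pair
offline and the next server is tried.  The resolvable names and listening
services below are a constructed environment.
"""
from typing import Callable, List, Optional, Set, Tuple

# Constructed environment: srv0 does not resolve at all; srv1 resolves but
# only its KDC answers; srv2 answers for both services.
RESOLVABLE: Set[str] = {"srv1.example.com", "srv2.example.com"}
LISTENING: Set[Tuple[str, str]] = {
    ("srv1.example.com", "kerberos"),
    ("srv2.example.com", "ldap"),
    ("srv2.example.com", "kerberos"),
}


class Failover:
    def __init__(self,
                 resolve: Callable[[str], bool],
                 connect: Callable[[str, str], bool]) -> None:
        self.resolve = resolve
        self.connect = connect
        self.offline_machines: Set[str] = set()
        self.offline_services: Set[Tuple[str, str]] = set()
        self.resolve_attempts: List[str] = []   # for showing what got retried

    def pick_server(self, servers: List[str], service: str) -> Optional[str]:
        """Return the first usable host for `service`, or None if all are down."""
        for host in servers:
            if host in self.offline_machines:
                continue                    # never retried, for any service
            if (host, service) in self.offline_services:
                continue                    # only this service skips the host
            self.resolve_attempts.append(host)
            if not self.resolve(host):
                self.offline_machines.add(host)      # whole machine offline
                continue
            if not self.connect(host, service):
                self.offline_services.add((host, service))   # this service only
                continue
            return host
        return None


def demo_sequence() -> Tuple[Optional[str], Optional[str], "Failover"]:
    """Look up an LDAP server, then a KDC, against the constructed environment."""
    fo = Failover(resolve=lambda h: h in RESOLVABLE,
                  connect=lambda h, s: (h, s) in LISTENING)
    servers = ["srv0.example.com", "srv1.example.com", "srv2.example.com"]
    ldap_host = fo.pick_server(servers, "ldap")
    kdc_host = fo.pick_server(servers, "kerberos")
    return ldap_host, kdc_host, fo


if __name__ == "__main__":
    ldap_host, kdc_host, fo = demo_sequence()
    print("ldap     ->", ldap_host)
    print("kerberos ->", kdc_host)
    print("offline machines:", fo.offline_machines)
    print("offline services:", fo.offline_services)
    print("resolution attempts:", fo.resolve_attempts)
```

The LDAP lookup ends on srv2 after srv0 fails to resolve and srv1 refuses the LDAP connection; the Kerberos lookup that follows skips srv0 without resolving it again but does go back to srv1, whose KDC answers. That second behaviour is the one the text is careful about: an LDAP outage on a host does not make SSSD abandon the KDC on the same host.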
No database is required in this case, as the mapping is done by SSSD.

The list of mappings is given as a comma-separated list of pairs username:primary, where username is a UNIX username and primary is the user part of a Kerberos principal. This mapping is used when a user authenticates with auth_provider = krb5.

The main purpose of this option is to let SSSD determine the username based on additional information, e.g. the certificate from a Smartcard.

The message is read from the file pam_sss_pw_reset_message.LOC, where LOC stands for a locale string returned by setlocale(3). If there is no matching file, the content of pam_sss_pw_reset_message.txt is displayed. Root must be the owner of the files and only root may have read and write permissions, while all other users must only have read permissions.

The plugin reads the information about the KDCs of a given realm from a file called kdcinfo.REALM. The file should contain one or more DNS names or IP addresses, either in dotted-decimal IPv4 notation or hexadecimal IPv6 notation. An optional port number can be added to the end, separated by a colon; in this case the IPv6 address has to be enclosed in square brackets, as usual. Valid entries are:

The rules are processed by priority, where the number '0' (zero) indicates the highest priority. The higher the number, the lower the priority. A missing value indicates the lowest priority. Processing of rules stops when a matching rule is found; no further rules are checked.

The service discovery feature allows backends to automatically find the appropriate servers to connect to using a special DNS query. This feature is not supported for backup servers.

The sssd-kcm service is typically socket-activated by systemd(1). To generate debug logs, add the following either to the /etc/sssd/sssd.conf file directly or as a configuration snippet in the /etc/sssd/conf.d/ directory: [...] Then restart the sssd-kcm service: [...] Finally, run whatever use case does not work for you.
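The kdcinfo.REALM format described above is small but has one trap: a bare IPv6 address contains colons, so a port can only be attached when the address is bracketed. The following is an added example, not the code of sssd_krb5_locator_plugin: a parser that accepts DNS names, IPv4 and IPv6 addresses with or without a port and rejects malformed entries. The sample file content and the EXAMPLE.COM realm are constructed.

```python
"""Parser for the kdcinfo.REALM entries described above.

Added example, not SSSD's own plugin code.  Each line is a DNS name or an IP
address (dotted-decimal IPv4 or hexadecimal IPv6) with an optional ':port';
an IPv6 address carrying a port must be written in square brackets.  The
sample file content is constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed content of a kdcinfo.EXAMPLE.COM file
KDCINFO_SAMPLE = """\
kdc1.example.com
kdc2.example.com:88
192.0.2.10
192.0.2.11:8888
2001:db8::10
[2001:db8::11]:88
"""

_BRACKETED = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _check_port(port: Optional[str]) -> Optional[int]:
    if port is None:
        return None
    value = int(port)                      # raises on '' or non-digits
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {port}")
    return value


def parse_kdcinfo_entry(entry: str) -> Tuple[str, Optional[int]]:
    """Return (host, port); port is None when the entry carries none."""
    entry = entry.strip()
    m = _BRACKETED.match(entry)
    if m:
        # [IPv6]:port or [IPv6]; validate the address inside the brackets.
        return str(ipaddress.IPv6Address(m.group(1))), _check_port(m.group(2))
    if entry.count(":") > 1:
        # Bare IPv6: every colon belongs to the address, so no port is possible.
        return str(ipaddress.IPv6Address(entry)), None
    host, sep, port = entry.partition(":")
    if not host:
        raise ValueError(f"empty host in entry: {entry!r}")
    if re.fullmatch(r"[0-9.]+", host):
        host = str(ipaddress.IPv4Address(host))   # rejects 999.1.1.1 and the like
    elif not _HOSTNAME.match(host):
        raise ValueError(f"invalid host name: {host!r}")
    return host, _check_port(port if sep else None)


def parse_kdcinfo(text: str) -> List[Tuple[str, Optional[int]]]:
    """Parse a whole kdcinfo.REALM file, skipping blank lines."""
    return [parse_kdcinfo_entry(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for host, port in parse_kdcinfo(KDCINFO_SAMPLE):
        print(f"{host:<20} port={port if port is not None else 'default'}")
```

Note what happens to an unbracketed entry such as 2001:db8::1:88: it is a valid IPv6 address in its own right, so the parser (like any reader of this format) takes the whole thing as an address and no port. That ambiguity is why the brackets are required.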
The KCM logs will be generated at /var/log/sssd/sssd_kcm.log. It is recommended to disable the debug logs when you no longer need them, as the sssd-kcm service can generate quite a large amount of debugging information.

The user is not known to the authentication service, or GSSAPI authentication is not supported.

The validation is the benefit of using X.509 certificates instead of SSH keys directly, because e.g. it gives better control over the lifetime of the keys. When the ssh client is configured to use the private keys from a Smartcard with the help of a PKCS#11 shared library (see ssh(1) for details), it might be irritating that authentication still works even if the related X.509 certificate on the Smartcard has already expired, because neither ssh nor sshd looks at the certificate at all.

There are many configuration options that can be used to adjust the behaviour. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in sssd.conf(5).

These files are searched for in the directory /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present, a generic message is displayed.

This attribute is currently only used by the AD provider to determine if a group is a domain local group and has to be filtered out for trusted domains.

This option can be used to specify which extended key usage the certificate should have. The following values can be used in a comma-separated list:

This option can be used to specify which key usage values the certificate should have. The following values can be used in a comma-separated list:

This option should be False in most IPA deployments, as the IPA server generates the PTR records automatically when forward records are changed.

This option specifies the DN of the password policy entry on the LDAP server.
Please note that the absence of this option in sssd.conf when account lockout checking is enabled will yield access denied, as the ppolicy attributes on the LDAP server cannot be checked properly.

This option was named krb5_kdcip in earlier releases of SSSD. While the legacy name is recognised for the time being, users are advised to migrate their config files to use krb5_server instead.

This parameter controls the value of the random offset used for the above equation. The final random_offset value will be a random number in the range:

This parameter replaces spaces (space bar) with the given character for user and group names, e.g. (_): the username "john doe" becomes "john_doe". This feature was added to help compatibility with shell scripts that have difficulty handling spaces, due to the default field separator in the shell.

This should avoid having the short PINs of a PIN-based 2FA scheme saved in the cache, which would otherwise make them easy targets for brute-force attacks.

This should be preferred to reading user-specific data from the certificate, e.g. an e-mail address, and searching for it in the LDAP server. The reason is that the user-specific data in LDAP might change for various reasons and would break the mapping. On the other hand, it would be hard to break the mapping on purpose for a specific user.

This string will be used as the default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in with just their username, without giving a domain name as well.

This template will add the Kerberos principal, which is taken either from the SAN used by PKINIT or from the one used by AD. The 'short_name' component represents the first part of the principal before the '@' sign.

This template will add the full issuer DN converted to a string according to RFC 4514.
If X.500 ordering (most specific RDN comes last) is required, a conversion option carrying the '_x500' marker should be used.

This template will add the string stored in the rfc822Name component of the SAN, typically an e-mail address. The 'short_name' component represents the first part of the address before the '@' sign.

This template will add the whole DER-encoded certificate as a string to the search filter. Depending on the conversion option, the binary certificate is either converted to an escaped hex sequence '\xx' or to base64. The escaped hex sequence is the default and can e.g. be used with the LDAP attribute 'userCertificate;binary'.

Time in seconds SSSD should try to resolve a single DNS query (e.g. resolution of a hostname or an SRV record) before trying the next hostname or discovery domain.

Timeout in seconds between heartbeats for this service. This is used to ensure that the process is alive and capable of answering requests. Note that after three missed heartbeats, the process will terminate itself.

To allow authentication with Smartcards and certificates, SSSD must be able to map certificates to users. This can be done by adding the full certificate to the LDAP object of the user or to a local override. While using the full certificate is required for the Smartcard authentication feature of SSH (see sss_ssh_authorizedkeys(8) for details), it might be cumbersome or not even possible to do this for the general case where local services use PAM for authentication.

To be compatible with the usage of MIT Kerberos, this option will match the Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:Principal> does.

To disable the creation of the configuration snippets, set the parameter to 'none'.

To enable service discovery, ldap_chpass_dns_service_name must be set.

To enable this, the ssh_use_certificate_keys option must be set to true (the default) in the [ssh] section of sssd.conf.
If the user entry contains certificates (see ldap_user_certificate in sssd-ldap(5) for details) or there is a certificate in an override entry for the user (see sss_override(8) or sssd-ipa(5) for details) and the certificate is valid, SSSD will extract the public key from the certificate and convert it into the format expected by sshd.

To list all available commands, run sssctl without any parameters. To print help for a selected command, run sssctl COMMAND --help.

To log the required bitmask debug levels, simply add their numbers together, as shown in the following examples:

To make the configuration simple and reduce the number of configuration options, the files provider has some special properties:

To make the mapping more flexible, mapping and matching rules were added to SSSD (see sss-certmap(5) for details).

Treat user and group names as case-sensitive. Possible option values are:

Try to use certificate-based authentication, i.e. authentication with a Smartcard or similar devices. If a Smartcard is available and the service is allowed for Smartcard authentication, the user will be prompted for a PIN and the certificate-based authentication will continue.

Unsigned integer value defining the priority of the rule. The higher the number, the lower the priority. 0 stands for the highest priority while 4294967295 is the lowest.

When SSSD switches to offline mode, the amount of time before it tries to go back online increases with the time spent disconnected. By default, SSSD uses an incremental algorithm to calculate the delay between retries, so the wait time for a given retry will be longer than the wait time for the previous ones. After each unsuccessful attempt to go online, the new interval is recalculated by the following:

When a user or group is looked up by name in the proxy provider, a second lookup by ID is performed to "canonicalise" the name in case the requested name was an alias.
Setting this option to true causes SSSD to perform the ID lookup from the cache, for performance reasons.

When changing a password, force the module to set the new password to the one provided by a previously stacked password module.

Whether the nsupdate utility should use GSS-TSIG authentication for secure updates with the DNS server; insecure updates can be sent by setting this option to 'none'.

While the first two correspond to the general default, the third one is introduced to allow easy integration of users from Windows domains.

While updating the internal data, SSSD will return an error and let the client continue with the next NSS module. This helps to avoid delays when using the default system files /etc/passwd and /etc/group and the NSS configuration has 'sss' before 'files' for the 'passwd' and 'group' maps.

With the growing number of authentication methods and the possibility that there are multiple ones for a single user, the heuristic used by pam_sss to select the prompting might not be suitable for all use cases. The following options should provide better flexibility here.

With this, a part of or the whole issuer name of the certificate can be matched. All comments for <SUBJECT> apply here as well.

With this, a part of or the whole subject name of the certificate can be matched. For the matching, POSIX Extended Regular Expression syntax is used; see regex(7) for details.

With this option, a client-side evaluation of access control attributes can be enabled.

With this parameter, the PAM certificate verification can be tuned with a comma-separated list of options that override the certificate_verification value in the [sssd] section. The supported options are the same as for certificate_verification.

With this parameter, the certificate verification can be tuned with a comma-separated list of options. Supported options are:

[General]
Verbosity = 2
# domain must be synced between NFSv4 server and clients
# Solaris/Illumos/AIX use "localdomain" as default!
Domain = default

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = sss

boolean value; if True, there will be only a single prompt using the value of first_prompt, where it is expected that both factors are entered as a single string. Please note that both factors have to be entered here, even if the second factor is optional.

fully qualified username (user@domain)

get OpenSSH authorised keys

if maprule is not set, the RULE_NAME is assumed to be the name of the matching user

libkrb5 will search for the locator plugin in the libkrb5 sub-directory of the Kerberos plugin directory; see plugin_base_dir in krb5.conf(5) for details. The plugin can only be disabled by removing the plugin file. There is no option in the Kerberos configuration to disable it, but the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to disable the plugin for individual commands. Alternatively, the SSSD option krb5_use_kdcinfo=False can be used to not generate the data needed by the plugin. With this, the plugin is still called but will provide no data to the caller, so that libkrb5 can fall back to other methods defined in krb5.conf.

username
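Several passages above describe how certificate mapping rules are evaluated: priorities run from 0 (highest) to 4294967295 (lowest) with a missing value counting as lowest, <SUBJECT> and <ISSUER> are matched with regular expressions, processing stops at the first matching rule, a rule without a maprule maps to the user named after the rule, and the <CERT> template puts the DER certificate into a search filter as an escaped '\xx' hex string. The following is an added example that ties those pieces together; it is not sss-certmap's implementation. The maprule placeholders {cert_bin} and {subject} are an illustrative stand-in for the real template language, and the rules, DNs and certificate bytes are constructed.

```python
"""Rule selection and user mapping for certificate-based authentication.

Added example, not SSSD's sss-certmap implementation.  It shows the points
made above: rules are ordered by priority (0 highest, 4294967295 lowest, a
missing value counting as lowest), the subject and issuer are matched with
regular expressions, processing stops at the first match, and a rule without
a mapping rule maps to the user named like the rule.  The maprule template
syntax used here ({cert_bin}, {subject}) is an illustrative stand-in, not
sss-certmap's own template language; certificate DNs and bytes are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

LOWEST_PRIORITY = 4294967295          # unsigned 32-bit maximum, per the text


@dataclass
class CertmapRule:
    name: str                          # RULE_NAME from [certmap/DOMAIN/RULE_NAME]
    subject_regex: Optional[str] = None
    issuer_regex: Optional[str] = None
    priority: Optional[int] = None
    maprule: Optional[str] = None      # illustrative template, see module docstring

    def __post_init__(self) -> None:
        if self.priority is not None and not 0 <= self.priority <= LOWEST_PRIORITY:
            raise ValueError(f"priority out of range in rule {self.name}")

    def effective_priority(self) -> int:
        return LOWEST_PRIORITY if self.priority is None else self.priority

    def matches(self, subject: str, issuer: str) -> bool:
        # Python's re accepts the POSIX ERE used in these simple patterns;
        # exotic ERE constructs may behave differently and should be tested.
        if self.subject_regex and not re.search(self.subject_regex, subject):
            return False
        if self.issuer_regex and not re.search(self.issuer_regex, issuer):
            return False
        return True


def select_rule(rules: Sequence[CertmapRule], subject: str, issuer: str) -> Optional[CertmapRule]:
    """First matching rule in priority order; None if nothing matches."""
    for rule in sorted(rules, key=CertmapRule.effective_priority):
        if rule.matches(subject, issuer):
            return rule                 # no further rules are checked
    return None


def der_to_ldap_hex(der: bytes) -> str:
    """Escape DER bytes as the '\\xx' sequence usable as an LDAP filter value."""
    return "".join(f"\\{b:02x}" for b in der)


def map_user(rule: CertmapRule, subject: str, der: bytes) -> str:
    """Username or LDAP search filter derived from the selected rule."""
    if rule.maprule is None:
        return rule.name                # RULE_NAME doubles as the user name
    return rule.maprule.format(cert_bin=der_to_ldap_hex(der), subject=subject)


# Constructed rules and certificate data.
RULES: List[CertmapRule] = [
    CertmapRule("alice"),                                   # no regex, no priority: catch-all
    CertmapRule("users", subject_regex=r"^CN=[a-z]+,OU=Users,O=Example Corp",
                issuer_regex=r"^CN=Example Corp CA,", priority=10,
                maprule="(userCertificate;binary={cert_bin})"),
    CertmapRule("admins", subject_regex=r",OU=Admins,", priority=0,
                maprule="(&(objectClass=posixAccount)(description={subject}))"),
]
ISSUER = "CN=Example Corp CA,O=Example Corp,C=US"
FAKE_DER = bytes.fromhex("308201")     # constructed prefix, not a real certificate


def resolve(subject: str, issuer: str = ISSUER, der: bytes = FAKE_DER) -> Optional[str]:
    rule = select_rule(RULES, subject, issuer)
    return None if rule is None else map_user(rule, subject, der)


if __name__ == "__main__":
    for dn in ("CN=bob,OU=Users,O=Example Corp,C=US",
               "CN=root,OU=Admins,O=Example Corp,C=US",
               "CN=anyone,O=Other,C=US"):
        print(dn, "->", resolve(dn))
```

The third constructed rule is there as a warning rather than a recommendation: a rule with no matching rule and no maprule matches every certificate and maps it to the user named after the rule, so a certificate from an unrelated issuer ends up as "alice". Rules that are meant to be narrow should constrain the issuer as well as the subject, and a catch-all should only exist if that outcome is intended.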