13.2.27. Seeding Users into the SSSD Cache During Kickstart


Adding user accounts manually requires the sssd-tools package to be installed.
With SSSD, users in a remote domain are not available in a local system until that identity is retrieved from the identity provider. However, some network interfaces are not available until a user has logged in — which is not possible if the user identity is somewhere over the network. In that case, it is possible to seed the SSSD cache with that user identity, associated with the appropriate domain, so that the user can log in locally and active the appropriate interfaces.
This is done using the sss_seed utility:
sss_seed --domain EXAMPLE.COM --username testuser --password-file /tmp/sssd-pwd.txt
This utility requires options that identify, at a minimum, the user name, domain name, and password.
  • --domain gives the domain name from the SSSD configuration. This domain must already exist in the SSSD configuration.
  • --username for the short name of the user account.
  • --password-file for the path and name of a file containing a temporary password for the seed entry. If the user account already exists in the SSSD cache, then the temporary password in this file overwrites the stored password in the SSSD cache.
Additional account configuration options are listed in the sss_seed(8) man page.
This would almost always be run as part of a kickstart or automated setup, so it would be part of a larger set of scripts, which would also enable SSSD, set up an SSSD domain, and create the password file. For example:
function make_sssd {
cat <<- _EOF_
domains = LOCAL
services = nss,pam



id_provider = local
auth_provider = local
access_provider = permit

make_sssd >> /etc/sssd/sssd.conf

authconfig --enablesssd --enablesssdauth --update

function make_pwdfile {
cat <<1 _EOF_

make_pwdfile >> /tmp/sssd-pwd.txt

sss_seed --domain EXAMPLE.COM --username testuser --password-file /tmp/sssd-pwd.txt