13.2.5. Configuring Services: NSS
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
About NSS Service Maps and SSSD
- Passwords (
- User groups (
- Groups (
- Netgroups (
- Services (
Procedure 13.1. Configuring NSS Services to Use SSSD
nss_sss module has to be included for the desired service type.
- Use the Authentication Configuration tool to enable SSSD. This automatically configures the nsswitch.conf file to use SSSD as a provider.
~]# authconfig --enablesssd --update
This automatically configures the password, shadow, group, and netgroups services maps to use the SSSD module:
passwd: files sss
shadow: files sss
group: files sss
netgroup: files sss
- The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the
~]# vim /etc/nsswitch.conf
...
services: file
Procedure 13.2. Configuring SSSD to Work with NSS
- Open the
~]# vim /etc/sssd/sssd.conf
- Make sure that NSS is listed as one of the services that works with SSSD.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services =
- In the [nss] section, change any of the NSS parameters. These are listed in Table 13.2, “SSSD [nss] Configuration Parameters”.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
- Restart SSSD.
~]# service sssd restart
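A read-only check of the two files edited in Procedures 13.1 and 13.2, as an added example that is not part of the original documentation: it reports which maps in nsswitch.conf-style text do not reach the sss module (directly or through the compat form described under NSS Compatibility Mode) and whether the [sssd] services list includes nss. The function names and the sample file contents are constructed for illustration.

```python
import configparser

# Maps that Procedure 13.1 expects to reference the sss module.
EXPECTED_MAPS = ("passwd", "shadow", "group", "netgroup", "services")

def parse_nsswitch(text):
    """Return {map_name: [sources]} from nsswitch.conf-style text."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep source names only.
        maps[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return maps

def maps_missing_sss(text, expected=EXPECTED_MAPS):
    """List expected maps that reach sss neither directly nor through compat."""
    maps = parse_nsswitch(text)
    missing = []
    for name in expected:
        sources = maps.get(name, [])
        via_compat = "compat" in sources and "sss" in maps.get(name + "_compat", [])
        if "sss" not in sources and not via_compat:
            missing.append(name)
    return missing

def sssd_runs_nss(text):
    """True if the [sssd] services list in sssd.conf-style text includes nss."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    services = cfg.get("sssd", "services", fallback="")
    return "nss" in [s.strip() for s in services.split(",")]

# Constructed sample input (not taken from a real host).
SAMPLE_NSSWITCH = """\
passwd:     compat
passwd_compat: sss
shadow:     files sss
group:      files sss
netgroup:   files sss
services:   files    # sss not added
"""
SAMPLE_SSSD = "[sssd]\nconfig_file_version = 2\nservices = nss, pam\n"

if __name__ == "__main__":
    print("maps without sss:", maps_missing_sss(SAMPLE_NSSWITCH))
    print("nss responder enabled:", sssd_runs_nss(SAMPLE_SSSD))
```

To check a host, pass the contents of /etc/nsswitch.conf and /etc/sssd/sssd.conf to the two functions; neither file is modified.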
Table 13.2. SSSD [nss] Configuration Parameters
|entry_cache_nowait_percentage||integer|| Specifies how long |
This configures the entry cache to refresh an entry in the background automatically when the entry is requested after a certain percentage of the refresh interval has passed. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds, which is 75% of the interval.
The allowed values for this option are 0 to 99, which sets the percentage based on the
|entry_negative_timeout||integer|| Specifies how long, in seconds, |
|filter_users, filter_groups||string|| Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as |
|filter_users_in_groups||Boolean|| Sets whether users listed in the |
|debug_level||integer, 0 - 9||Sets a debug logging level.|
NSS Compatibility Mode
/etc/passwd file to ensure that users or members of netgroups have access to the system.
passwd: compat
passwd_compat: sss
passwd entries are supported:
+) or exclude (-) a specified user from the Network Information System (NIS) map.
+) or exclude (-) all users in the given netgroup from the NIS map.
+ Exclude all users, except previously excluded ones from the NIS map.