7.5. Configuring System Services for SSSD

SSSD provides interfaces towards several system services. Most notably:
  • Name Service Switch (NSS)
  • Pluggable Authentication Modules (PAM)
  • OpenSSH
    See Configuring SSSD to Provide a Cache for the OpenSSH Services in the Linux Domain Identity, Authentication, and Policy Guide.
  • autofs
  • sudo

7.5.1. Configuring Services: NSS

How SSSD Works with NSS

The Name Service Switch (NSS) service maps system identities and services with configuration sources: it provides a central configuration store where services can look up sources for various configuration and name resolution mechanisms.
SSSD can use NSS as a provider for several types of NSS maps. Most notably:
  • User information (the passwd map)
  • Groups (the groups map)
  • Netgroups (the netgroups map)
  • Services (the services map)

Prerequisites

  • Install SSSD.
    # yum install sssd

Configure NSS Services to Use SSSD

  1. Use the authconfig utility to enable SSSD:
    [root@server ~]# authconfig --enablesssd --update
    This updates the /etc/nsswitch.conf file to enable the following NSS maps to use SSSD:
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    netgroup:   files sss
  2. Open /etc/nsswitch.conf and add sss to the services map line:
    services: files sss

Configure SSSD to work with NSS

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, make sure that NSS is listed as one of the services that works with SSSD.
    [sssd]
    [... file truncated ...]
    services = nss, pam
  3. In the [nss] section, configure how SSSD interacts with NSS. For example:
    [nss]
    filter_groups = root
    filter_users = root
    entry_cache_timeout = 300
    entry_cache_nowait_percentage = 75
    For a complete list of available options, see NSS configuration options in the sssd.conf(5) man page.
  4. Restart SSSD.
    # systemctl restart sssd.service

Test That the Integration Works Correctly

Display information about a user with these commands:
  • id user
  • getent passwd user

7.5.2. Configuring Services: PAM

Warning

A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that you can revert any changes.

Configure PAM to Use SSSD

  • Use the authconfig utility to enable SSSD:
    # authconfig --enablesssdauth --update
    This updates the PAM configuration to reference the SSSD modules, usually in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. For example:
    [... file truncated ...]
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so
    [... file truncated ...]
For details, see the pam.conf(5) or pam(8) man pages.

Configure SSSD to work with PAM

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, make sure that PAM is listed as one of the services that works with SSSD.
    [sssd]
    [... file truncated ...]
    services = nss, pam
  3. In the [pam] section, configure how SSSD interacts with PAM. For example:
    [pam]
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
    For a complete list of available options, see PAM configuration options in the sssd.conf(5) man page.
  4. Restart SSSD.
    # systemctl restart sssd.service

Test That the Integration Works Correctly

  • Try logging in as a user.
  • Use the sssctl user-checks user_name auth command to check your SSSD configuration. For details, use the sssctl user-checks --help command.
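The ordering shown in the system-auth excerpt above matters: pam_sss.so has to sit in the auth stack before pam_deny.so, or the stack fails before SSSD can return a success. The following script is an added example, not part of the Red Hat guide or of authconfig; it checks that ordering in a PAM file and uses two constructed sample files (a correct one mirroring the excerpt and a broken one) to demonstrate the result.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify that pam_sss.so is wired
# into the auth stack of a PAM file and that it precedes pam_deny.so.
# Prints the finding; returns 0 when the stack looks right, 1 otherwise.
check_pam_sss_auth() {
    file="$1"
    # Line numbers of the first pam_sss.so and the last pam_deny.so among
    # "auth" rules (comments and other module types are ignored).
    sss_line=$(grep -n '^[[:space:]]*auth[[:space:]]' "$file" | grep 'pam_sss\.so' | head -n 1 | cut -d: -f1)
    deny_line=$(grep -n '^[[:space:]]*auth[[:space:]]' "$file" | grep 'pam_deny\.so' | tail -n 1 | cut -d: -f1)
    if [ -z "$sss_line" ]; then
        echo "no auth rule for pam_sss.so in $file"
        return 1
    fi
    if [ -n "$deny_line" ] && [ "$sss_line" -gt "$deny_line" ]; then
        echo "pam_sss.so (line $sss_line) is placed after pam_deny.so (line $deny_line): the auth stack fails before SSSD can succeed"
        return 1
    fi
    echo "pam_sss.so present in auth stack at line $sss_line"
    return 0
}

# Constructed sample files for the demonstration: "good" mirrors the
# authconfig output above, "bad" has pam_deny.so ahead of pam_sss.so.
write_sample_pam() {
    case "$1" in
    good) printf '%s\n' \
        'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        requisite     pam_succeed_if.so uid >= 500 quiet' \
        'auth        sufficient    pam_sss.so use_first_pass' \
        'auth        required      pam_deny.so' > "$2" ;;
    bad) printf '%s\n' \
        'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        required      pam_deny.so' \
        'auth        sufficient    pam_sss.so use_first_pass' > "$2" ;;
    esac
}

# Usage on a real system: ./check_pam_sss.sh /etc/pam.d/system-auth
if [ "$#" -eq 1 ]; then
    check_pam_sss_auth "$1"
fi
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since authconfig updates both.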

7.5.3. Configuring Services: autofs

How SSSD Works with automount

The automount utility can mount and unmount NFS file systems automatically (on-demand mounting), which saves system resources. For details on automount, see autofs in the Storage Administration Guide.
You can configure automount to point to SSSD. In this setup:
  1. When a user attempts to mount a directory, SSSD contacts LDAP to obtain the required information about the current automount configuration.
  2. SSSD stores the information required by automount in a cache, so that users can mount directories even when the LDAP server is offline.

Configure autofs to Use SSSD

  1. Install the autofs package.
    # yum install autofs
  2. Open the /etc/nsswitch.conf file.
  3. On the automount line, change the source of the automount map information from ldap to sss:
    automount: files sss

Configure SSSD to work with autofs

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, add autofs to the list of services that SSSD manages.
    [sssd]
    services = nss,pam,autofs
  3. Create a new [autofs] section. You can leave it empty.
    [autofs]
    For a list of available options, see AUTOFS configuration options in the sssd.conf(5) man page.
  4. Make sure an LDAP domain is available in sssd.conf, so that SSSD can read the automount information from LDAP. See Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
    The [domain] section of sssd.conf accepts several autofs-related options. For example:
    [domain/LDAP]
    [... file truncated ...]
    autofs_provider=ldap
    ldap_autofs_search_base=cn=automount,dc=example,dc=com
    ldap_autofs_map_object_class=automountMap
    ldap_autofs_entry_object_class=automount
    ldap_autofs_map_name=automountMapName
    ldap_autofs_entry_key=automountKey
    ldap_autofs_entry_value=automountInformation
    For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page.
    If you do not provide additional autofs options, the configuration depends on the identity provider settings.
  5. Restart SSSD.
    # systemctl restart sssd.service

Test the Configuration

  • Use the automount -m command to print the maps from SSSD.

7.5.4. Configuring Services: sudo

How SSSD Works with sudo

The sudo utility gives administrative access to specified users. For more information about sudo, see The sudo utility documentation in the System Administrator's Guide.
You can configure sudo to point to SSSD. In this setup:
  1. When a user attempts a sudo operation, SSSD contacts LDAP or AD to obtain the required information about the current sudo configuration.
  2. SSSD stores the sudo information in a cache, so that users can perform sudo operations even when the LDAP or AD server is offline.
SSSD only caches sudo rules which apply to the local system, depending on the value of the sudoHost attribute. See the sssd-sudo(5) man page for details.

Configure sudo to Use SSSD

  1. Open the /etc/nsswitch.conf file.
  2. Add SSSD to the list on the sudoers line.
    sudoers: files sss

Configure SSSD to work with sudo

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, add sudo to the list of services that SSSD manages.
    [sssd]
    services = nss,pam,sudo
  3. Create a new [sudo] section. You can leave it empty.
    [sudo]
    For a list of available options, see SUDO configuration options in the sssd.conf(5) man page.
  4. Make sure an LDAP or AD domain is available in sssd.conf, so that SSSD can read the sudo information from the directory. For details, see:
    The [domain] section for the LDAP or AD domain must include these sudo-related parameters:
    [domain/LDAP_or_AD_domain]
    ...
    sudo_provider = ldap
    ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

    Note

    Setting Identity Management or AD as the ID provider automatically enables the sudo provider. In this situation, it is not necessary to specify the sudo_provider parameter.
    For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page.
    For options available for a sudo provider, see the sssd-ldap(5) man page.
  5. Restart SSSD.
    # systemctl restart sssd.service
If you use AD as the provider, you must extend the AD schema to support sudo rules. For details, see the sudo documentation.
For details about providing sudo rules in LDAP or AD, see the sudoers.ldap(5) man page.
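Each subsection above pairs an nsswitch.conf change with an entry in the services= line of the [sssd] section: passwd, shadow, group, netgroup and services need the nss responder, automount needs autofs, and sudoers needs sudo. A map that points at sss without its responder enabled silently falls back to failed lookups (and, for sudoers, to no LDAP or AD sudo rules at all). The following script is an added example, not part of the Red Hat guide or of SSSD; it cross-checks the two files and uses constructed samples in which the sudo responder was forgotten.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): report every nsswitch.conf map
# delegated to "sss" whose SSSD responder is missing from services= in [sssd].

# nsswitch.conf map name -> SSSD responder that serves it
responder_for() {
    case "$1" in
    passwd|shadow|group|netgroup|services) echo nss ;;
    automount) echo autofs ;;
    sudoers) echo sudo ;;
    *) echo "" ;;
    esac
}

# Print the services= value of the [sssd] section, whitespace stripped
sssd_services() {
    awk -F= '/^\[/{insssd=($0=="[sssd]")} insssd && $1~/^[ \t]*services[ \t]*$/{gsub(/[ \t]/,"",$2); print $2}' "$1"
}

# Usage: missing_responders NSSWITCH_CONF SSSD_CONF; prints "map -> responder"
# for each map using sss whose responder is not enabled (empty output = OK)
missing_responders() {
    enabled=",$(sssd_services "$2"),"
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[a-z]+:.*[[:space:]]sss([[:space:]]|$)' | cut -d: -f1 |
    while read -r map; do
        resp=$(responder_for "$map")
        [ -n "$resp" ] || continue
        case "$enabled" in
        *",$resp,"*) ;;
        *) echo "$map -> $resp" ;;
        esac
    done
}

# Constructed sample files: nsswitch.conf delegates every map from this
# section to sss, but sssd.conf does not list the sudo responder.
write_samples() {
    printf '%s\n' 'passwd:     files sss' 'shadow:     files sss' 'group:      files sss' \
        'netgroup:   files sss' 'services:   files sss' 'automount:  files sss' \
        'sudoers:    files sss' 'hosts:      files dns' > "$1/nsswitch.conf"
    printf '%s\n' '[sssd]' 'domains = LDAP' 'services = nss, pam, autofs' '' \
        '[nss]' 'filter_users = root' '' '[domain/LDAP]' 'id_provider = ldap' > "$1/sssd.conf"
}

# Real system: ./check_responders.sh /etc/nsswitch.conf /etc/sssd/sssd.conf
if [ "$#" -eq 2 ]; then
    missing_responders "$1" "$2"
fi
```

Reading /etc/sssd/sssd.conf requires root, so run the real check as root and restart sssd.service after fixing the services= line.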