10.4. Restricting Domains for PAM services


This feature requires SSSD to be running on the system.
SSSD enables you to restrict which domains can be accessed by PAM services. SSSD evaluates authentication requests from PAM services based on the user the particular PAM service is running as. Whether the PAM service can access an SSSD domain depends on whether the PAM service user is able to access the domain.
An example use case is an environment where external users are allowed to authenticate to an FTP server. The FTP server is running as a separate non-privileged user that should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.


This functionality is similar to legacy PAM modules, such as pam_ldap, which were able to use a separate configuration file as a parameter for a PAM module.

Options to Restrict Access to Domains

The following options are available to restrict access to selected domains:
pam_trusted_users in /etc/sssd/sssd.conf
This option accepts a list of numerical UIDs or user names representing the PAM services that are to be trusted by SSSD. The default setting is all, which means all service users are trusted and can access any domain.
pam_public_domains in /etc/sssd/sssd.conf
This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users therefore cannot access any domain.
domains for PAM configuration files
This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service cannot authenticate against any domain at all, for example:
    auth     required pam_sss.so domains=
If domains is not used in the PAM configuration file, the PAM service is able to authenticate against all domains, on the condition that the service is running under a trusted user.
The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list by specifying a shorter one. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service will not be able to authenticate against that domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. The domains option for PAM configuration files can be used in this situation to restrict the domains that can be accessed.
If you specify a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains, you might also need to list the domain in pam_public_domains. If pam_public_domains is used but does not include the required domain, a PAM service running under an untrusted user will not be able to authenticate against that domain.


Domain restrictions defined in a PAM configuration file only apply to authentication actions, not to user lookups.
For more information about the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page. For more information about the domains option used in PAM configuration files, see the pam_sss(8) man page.

Example 10.2. Restricting Domains for a PAM Service

To restrict the domains against which a PAM service can authenticate:
  1. Make sure SSSD is configured to access the required domain or domains. The domains against which SSSD can authenticate are defined in the domains option in the /etc/sssd/sssd.conf file.
    domains = domain1, domain2, domain3
  2. Specify the domain or domains to which a PAM service will be able to authenticate. To do this, set the domains option on the pam_sss.so line in the PAM configuration file. For example:
    auth        sufficient pam_sss.so forward_pass domains=domain1
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    password    sufficient pam_sss.so use_authtok
The PAM service is now only allowed to authenticate against domain1.
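The following Python script is an added example, not SSSD's code or part of this guide: it models the decision rules described above (pam_trusted_users and pam_public_domains in sssd.conf, and the per-service domains= option in a PAM file) so that an administrator can check, before deploying, which domains a given service user would be able to authenticate against. The sssd.conf contents, the service names (sshd, ftp, locked) and the domain names (internal, partners, guests) are all constructed for the illustration; it covers both the procedure in Example 10.2 and the FTP use case at the top of the section.

```python
"""Model of the SSSD PAM-responder domain-restriction rules.

Added example, not SSSD's own implementation. It reproduces the rules from the
text: a PAM service starts with every domain listed in sssd.conf, a domains=
option on its pam_sss.so line can only narrow that list, and a service user not
listed in pam_trusted_users is further limited to pam_public_domains.
"""
import configparser

# Constructed sample sssd.conf. The ftp service user is deliberately absent from
# pam_trusted_users so that the untrusted-service-user path is exercised.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = internal, partners, guests

[pam]
pam_trusted_users = root, sshd
pam_public_domains = guests
"""

# Constructed PAM service files (hypothetical contents) keyed by service name.
PAM_FILES = {
    "sshd": "auth sufficient pam_sss.so forward_pass\n",
    "ftp": "auth sufficient pam_sss.so forward_pass domains=partners,guests\n",
    "locked": "auth required pam_sss.so domains=\n",   # empty list: no domain
}


def _csv(value):
    """Split a comma-separated option value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_sssd_conf(text):
    """Return (configured domains, trusted users or None for 'all', public domain set)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    trusted = cp.get("pam", "pam_trusted_users", fallback="all").strip()
    public = cp.get("pam", "pam_public_domains", fallback="none").strip()
    trusted_set = None if trusted == "all" else set(_csv(trusted))
    if public == "all":
        public_set = set(domains)
    elif public == "none":
        public_set = set()
    else:
        public_set = set(_csv(public))
    return domains, trusted_set, public_set


def pam_domains_option(pam_text):
    """domains= list from the first pam_sss.so auth line: None if the option is
    absent, [] if present but empty, otherwise the listed domain names."""
    for line in pam_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("auth"):
            continue
        _, module, args = stripped.partition("pam_sss.so")
        if not module:
            continue                       # some other auth module
        for arg in args.split():
            if arg.startswith("domains="):
                return _csv(arg[len("domains="):])
        return None                        # pam_sss.so without domains=
    return None


def allowed_domains(service_user, pam_text, sssd_conf_text=SSSD_CONF):
    """Domains a PAM service running as service_user may authenticate against."""
    configured, trusted, public = parse_sssd_conf(sssd_conf_text)
    allowed = list(configured)             # everything sssd.conf knows about
    requested = pam_domains_option(pam_text)
    if requested is not None:              # domains= can only narrow the list
        allowed = [d for d in allowed if d in requested]
    if trusted is not None and service_user not in trusted:
        allowed = [d for d in allowed if d in public]   # untrusted: public only
    return allowed


def can_authenticate(service_user, pam_text, domain, sssd_conf_text=SSSD_CONF):
    """True if the service, running as service_user, may authenticate to domain."""
    return domain in allowed_domains(service_user, pam_text, sssd_conf_text)


if __name__ == "__main__":
    for service, user in (("sshd", "sshd"), ("ftp", "ftp"), ("ftp", "root"), ("locked", "root")):
        print(f"{service} as {user}: {allowed_domains(user, PAM_FILES[service])}")
```

Running the script shows the effect of each rule: the trusted sshd user keeps all three configured domains; the ftp service asks for partners and guests but, being untrusted, is cut down to the public domain guests; the same PAM file run as root gets partners and guests; and the file with an empty domains= yields nothing for any user. A domains= value naming a domain absent from sssd.conf also yields nothing, matching the note that the PAM option cannot extend the sssd.conf list.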