Chapter 7. Reporting on user access on hosts using SSSD

The Security System Services Daemon (SSSD) tracks which users can or cannot access clients. This chapter describes creating access control reports and displaying user data using the sssctl tool.

Prerequisites

  • SSSD packages are installed in your network environment.

7.1. The sssctl command

sssctl is a command-line tool using Security System Services Daemon (SSSD) to gather information about:

  • domain state
  • client user authentication
  • user access on clients of a particular domain
  • information about cached content

With the sssctl tool, you can:

  • manage the SSSD cache
  • manage logs
  • check configuration files
Note

The sssctl tool replaces sss_cache and sss_debuglevel tools.

Additional resources

  • For details about sssctl, enter:

    # sssctl --help

7.2. Generating access control reports using sssctl

You can list the access control rules applied to the machine on which you are running the report because SSSD controls which users can log in to the client.

Note

The access report is not accurate because the tool does not track users locked out by the Key Distribution Center (KDC).

Prerequisites

  • You must be logged in with administrator privileges
  • The sssctl is available on RHEL 7 and RHEL 8 systems

Procedure

  • To generate a report for the idm.example.com domain, enter:

    [root@client1 ~]# sssctl access-report idm.example.com
    1 rule cached
    
    Rule name: example.user
    	Member users: example.user
    	Member services: sshd

7.3. Displaying user authorization details using sssctl

The sssctl user-checks command helps debug problems in applications that use the System Security Services Daemon (SSSD) for user lookup, authentication, and authorization.

The sssctl user-checks [USER_NAME] command displays user data available through Name Service Switch (NSS) and the InfoPipe responder for the D-Bus interface. The displayed data shows whether the user is authorized to log in using the system-auth Pluggable Authentication Module (PAM) service.

The command has two options:

  • -a for a PAM action
  • -s for a PAM service

If you do not define -a and -s options, the sssctl tool uses default options: -a acct -s system-auth.

Prerequisites

  • You must be logged in with administrator privileges
  • The sssctl tool is available on RHEL 7 and RHEL 8 systems

Procedure

  • To display user data for a particular user, enter:

    [root@client1 ~]# sssctl user-checks -a acct -s sshd example.user
    user: example.user
    action: acct
    service: sshd
    ....

Additional resources

  • For details on sssctl user-checks, use the following command:

    sssctl user-checks --help