Last updated: 2021-10-26
Introduction
System Security Services Daemon (SSSD)
system service to access remote directories and authentication mechanisms
---
SSSD does not create user accounts on the local system.
Instead, it uses the identities from the external data store and lets the users access the local system.
SSSD contacts the servers only if the information is not available in the cache.
Contents
- Installation
- authselect & authconfig
- Settings
- ...
- Higher version of database is expected!
Installation
CentOS 7, 8 installation
dnf install sssd -y # C8
yum install sssd -y # C7, C6
# If it fails to start, run an update once.
dnf update -y && reboot
Enable sssd on CentOS 7, 8
systemctl start sssd
systemctl enable sssd
Enable sssd on CentOS 6
chkconfig sssd on
service sssd start
authselect & authconfig
This automatically configures the nsswitch.conf file to use SSSD as a provider.
Centos 8
dnf install authselect
authselect select sssd --force
Centos 7
yum install authconfig
authconfig --enablesssd --enablesssdauth --update
Remark
--enablesssd option
Configuring Services: NSS
updates /etc/nsswitch.conf to support SSS.
--enablesssdauth option
Configuring Services: PAM
updates /etc/pam.d/system-auth to include the required pam_sss.so
Settings
Config File
/etc/sssd/sssd.conf
Permission
# Must be 600, otherwise the service fails to start
chmod 600 /etc/sssd/sssd.conf
Verify Config - sssd-tools
# check configuration or permissions
dnf install sssd-tools -y
sssctl config-check
Issues identified by validators: 0
Messages generated during configuration merging: 0
Used configuration snippet files: 0
sssd.conf
identity & authentication provider
- An identity provider (for user information)
- An authentication provider (for authentication requests)
- An access control provider (for authorization requests) # Default: “permit”
A combination of these providers
identity    authentication
LDAP        LDAP, Kerberos
proxy       proxy, LDAP, Kerberos
file        LDAP, Kerberos
Section
[sssd]
section contains configuration settings for SSSD monitor options
[domain/LDAP]
[nss]
configure how SSSD interacts with NSS
[pam]
[nss] Section
[nss]
filter_groups = root
filter_users = root
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75
filter_users & filter_groups
useful for system accounts
these entries prevent NSS from retrieving information about the specified users and groups from SSS
The filter_groups option doesn't affect inheritance of nested group members
Default: root
enum_cache_timeout
cache enumerations (requests for info about all users)
[sssd] Section
[sssd]
config_file_version = 2
domains = LDAP_domain_name
services = nss, pam, sudo
domains
specifies the name of the sections that define authentication domains
services
defines the supported services
[pam] Section
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
offline_credentials_expiration
specifies the number of days for which to allow cached logins if the authentication provider is offline.
offline_failed_login_attempts
specifies how many failed login attempts are allowed if the authentication provider is offline.
offline_failed_login_delay & offline_failed_login_attempts
specifies how many minutes after offline_failed_login_attempts failed login attempts a new login attempt is permitted.
[domain/X] Section
[domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
cache_credentials = true
min_id = 1000
max_id = 2000
enumerate = false
id_provider # identity provider
auth_provider # authentication provider
enumerate # specifies whether SSSD caches the complete list of users and groups that are available on the provider.
cache_credentials
Specifies if SSSD caches user credentials such as tickets, session keys,
and other identifying information to support offline authentication and single sign-on.
* SSSD does not cache user credentials by default.
When processing authentication requests, SSSD always contacts the identity provider.
If the provider is unavailable, user authentication fails.
Kerberos
[domain/Kerberos_domain_name]
...
auth_provider = krb5
krb5_server = kdc.datahunter.local
krb5_realm = datahunter.local
Automatic home directory creation
# To enable automatic home directory creation for user upon first login
dnf install oddjob-mkhomedir
systemctl enable --now oddjobd
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
systemctl restart oddjobd
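The `echo ... >> /etc/pam.d/system-auth` step above appends the pam_oddjob_mkhomedir line unconditionally, so running the setup twice leaves a duplicate session entry. An added example, not part of the original page, that appends the line only when it is absent; the function names are assumptions and the demo works on a constructed stand-in file rather than the real system-auth.

```shell
#!/bin/sh
# Added example (not part of the original page): append a PAM line only if
# it is not already present, so re-running the setup does not duplicate it.
# Assumes sh and grep. The demo uses a temp file, not /etc/pam.d/system-auth.

# ensure_line FILE LINE -> appends LINE to FILE unless an identical line exists
ensure_line() {
    file=$1; line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0                       # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE -> prints how many identical lines FILE contains
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

PAM_LINE='session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022'

# Demo on a constructed stand-in for /etc/pam.d/system-auth.
demo=$(mktemp)
printf '%s\n' 'session required pam_unix.so' > "$demo"
ensure_line "$demo" "$PAM_LINE"
ensure_line "$demo" "$PAM_LINE"    # second run is a no-op
echo "pam_oddjob_mkhomedir lines: $(count_line "$demo" "$PAM_LINE")"
rm -f "$demo"
```

On CentOS 8 keep in mind that system-auth is generated by authselect, so a hand-edited line is lost the next time a profile is selected; the sssd profile's `authselect enable-feature with-mkhomedir` is the supported way to get the same session entry there.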
Configuring the Files Provider for SSSD
Help: sssd-files(5) man page
File: /etc/passwd and /etc/group
# Optionally, set the sss database as the first source for user and group lookups
/etc/nsswitch.conf
passwd: sss files
group: sss files
/etc/sssd/sssd.conf
[domain/files]
id_provider = files
* SSSD never handles resolution of user/group "root".
Also resolution of UID/GID 0 is not handled by SSSD.
Such requests are passed to next NSS module (usually files).
Checking & Debug
Checking methods
- id username
- getent passwd username
- sssctl
sssctl
sssctl domain-list
datahunter.local
sssctl domain-status datahunter.local
Online status: Online
Active servers:
KERBEROS: not connected
Discovered KERBEROS servers:
- kdc.datahunter.local
sssctl user-checks
-a, --action=STRING # PAM action [auth|acct|setc|chau|open|clos], default: acct
-s, --service=STRING # PAM service, default: system-auth
sssctl user-checks USERNAME
sssctl user-checks USERNAME -a auth
Change SSSD debug level
# Change in runtime
sssctl debug-level 0x????
4, 0x0100: Configuration settings.
5, 0x0200: Function data.
6, 0x0400: Trace messages for operation functions.
7, 0x1000: Trace messages for internal control functions.
8, 0x2000: Contents of function-internal variables that may be interesting.
Default: 0x0070
sssctl debug-level 0x17f0
Access Provider
simple access provider
The simple access provider allows or denies access based on a list of user names or groups.
ie.
[domain/domain_name]
access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1
* deny rules supersede allow rules
If an allow list is provided, then all users are denied access unless they are in the list.
If only deny lists are provided, then all users are allowed access unless they are in the list.
* The LOCAL domain in SSSD does not support simple as an access provider.
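An added example, not part of the original page, that evaluates the three simple-provider rules just stated (deny supersedes allow; any allow list means default-deny; deny lists alone mean default-allow) for one user, so the effect of a planned simple_allow_*/simple_deny_* combination can be checked before it goes into sssd.conf. The lists are comma-separated strings as in the config file; the user's group memberships are passed in as a constructed space-separated string rather than read from the system, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page): dry-run of the simple
# access provider's allow/deny semantics. Assumes sh, tr, sed, grep.

# in_list NAME "a, b, c" -> 0 when NAME is an element of the comma list
in_list() {
    name=$1
    printf '%s\n' "$2" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$name"
}

# any_group_in_list "g1 g2" "a, b" -> 0 when any of the groups is listed
any_group_in_list() {
    for g in $1; do in_list "$g" "$2" && return 0; done
    return 1
}

# simple_access USER "GROUPS" ALLOW_USERS ALLOW_GROUPS DENY_USERS DENY_GROUPS
# prints "permit" or "deny"; returns 0 for permit, 1 for deny
simple_access() {
    user=$1; groups=$2; au=$3; ag=$4; du=$5; dg=$6
    # rule 1: deny rules supersede allow rules
    if in_list "$user" "$du" || any_group_in_list "$groups" "$dg"; then
        echo deny; return 1
    fi
    # rule 2: once any allow list exists, only listed users/groups get in
    if [ -n "$au" ] || [ -n "$ag" ]; then
        if in_list "$user" "$au" || any_group_in_list "$groups" "$ag"; then
            echo permit; return 0
        fi
        echo deny; return 1
    fi
    # rule 3: only deny lists (or no lists at all): everyone else is permitted
    echo permit; return 0
}

# Demo with the lists from the page's sample section:
#   simple_allow_users = user1, user2 ; simple_allow_groups = group1
for u in "user1 wheel" "user3 group1" "user3 wheel"; do
    set -- $u
    printf '%-6s (groups: %s) -> ' "$1" "$2"
    simple_access "$1" "$2" 'user1, user2' 'group1' '' '' || true
done
```

A user who is in simple_allow_users but also in a simple_deny_groups group is denied: the deny check runs first, which is the "deny rules supersede allow rules" remark above in executable form.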
Client-side Views
specify new values for POSIX user or group attributes.
The view takes effect only on the local machine where the overrides are configured.
* restart SSSD for the changes to take effect
# Override the account's UID with 6666
sss_override user-add username -u 6666
# Display the overrides for the user
sss_override user-show username
# To expire in-memory cache
sss_cache --users
remark
-E,--everything # Invalidate all cached entries.
-u,--user login
# Checking
id user
# List
sss_override user-find
sss_override group-find
# Removing
sss_override user-del user
sss_override group-del group
# Exporting and Importing
# export
sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
# import
sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak
(2021-10-19 15:48:48): [be[datahunter.local]] [check_wait_queue] (0x1000): Wait queue for user [[email protected]] is empty.
Obtaining Information about an LDAP Group Takes Long
By default, LDAP group information lookups return all members for the group. For operations that involve large groups or nested groups, returning all members makes the process longer.
To fix the problem:
The membership lists returned in group lookups are not used when evaluating whether a user belongs to a group.
ignore_group_members = true
Direct sshd to use SSSD for authorized_keys
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
Higher version of database is expected!
[sss_cache] [sysdb_domain_cache_connect] (0x0010): DB version too old [0.23], expected [0.24] for domain implicit_files! Higher version of database is expected!
Cause
After sssd upgrade, useradd and usermod fail to flush the sssd cache
rpm -q sssd
sssd-2.9.4-3.el8_10.x86_64
FIX
mv /var/lib/sss/db{,.bak}
dnf reinstall sssd-common
systemctl restart sssd
ls /var/lib/sss/db