Last updated: 2021-10-26



System Security Services Daemon (SSSD)

system service to access remote directories and authentication mechanisms


SSSD does not create user accounts on the local system.

Instead, it uses the identities from the external data store and lets the users access the local system.

SSSD contacts the servers only if the information is not available in the cache.





CentOS 7, 8 installation

dnf install sssd -y            # C8

yum install sssd -y          # C7, C6

# If the service fails to start, run an update once first.

dnf update -y && reboot

CentOS 7, 8: enable sssd

systemctl start sssd

systemctl enable sssd

CentOS 6: enable sssd

chkconfig sssd on

service sssd start


authselect & authconfig


This automatically configures the nsswitch.conf file to use SSSD as a provider.

CentOS 8

dnf install authselect

authselect select sssd --force

CentOS 7

yum install authconfig

authconfig --enablesssd --enablesssdauth --update


--enablesssd option

Configuring Services: NSS
updates /etc/nsswitch.conf to support SSS.

--enablesssdauth option
Configuring Services: PAM
updates /etc/pam.d/system-auth to include the required




Config File



# Must be 600, otherwise the service fails to start

chmod 600 /etc/sssd/sssd.conf

Verify Config - sssd-tools

# check configuration or permissions

dnf install sssd-tools -y

sssctl config-check

Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0




identity & authentication provider

  • An identity provider (for user information)
  • An authentication provider (for authentication requests)
  • An access control provider (for authorization requests)     # Default: “permit”

Supported combinations of these providers:

identity    authentication
LDAP        LDAP, Kerberos
proxy       proxy, LDAP, Kerberos
file        LDAP, Kerberos



The [sssd] section contains configuration settings for SSSD monitor options.



The [nss] section configures how SSSD interacts with NSS.


[nss] Section

filter_groups = root
filter_users = root
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

filter_users & filter_groups

useful for system accounts

These entries prevent NSS from retrieving information about the specified users and groups from SSS.

The filter_groups option doesn't affect inheritance of nested group members

Default: root


enum_cache_timeout controls how long SSSD caches enumerations (requests for info about all users).


[sssd] Section

config_file_version = 2
domains = LDAP_domain_name
services = nss, pam, sudo


domains: specifies the names of the sections that define authentication domains.


services: this entry defines the supported services.

[pam] Section

reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5


offline_credentials_expiration: specifies the number of days for which to allow cached logins if the authentication provider is offline.


offline_failed_login_attempts: specifies how many failed login attempts are allowed if the authentication provider is offline.

offline_failed_login_delay (used together with offline_failed_login_attempts)

specifies how many minutes after offline_failed_login_attempts failed login attempts a new login attempt is permitted.

[domain/X] Section

id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://
ldap_search_base = dc=example,dc=com

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

cache_credentials = true

min_id = 1000
max_id = 2000

enumerate = false

id_provider          # identity provider

auth_provider      # authentication provider

enumerate          # specifies whether SSSD caches the complete list of users and groups that are available on the provider.


cache_credentials: specifies if SSSD caches user credentials such as tickets, session keys,
  and other identifying information to support offline authentication and single sign-on.

 * SSSD does not cache user credentials by default.

When processing authentication requests, SSSD always contacts the identity provider.

If the provider is unavailable, user authentication fails.


auth_provider = krb5
krb5_server = kdc.datahunter.local
krb5_realm = datahunter.local
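
A configuration audit for the [domain/X] settings above, added here as an example that is not part of the original page or of SSSD. It parses two constructed sssd.conf fragments (example.com is a placeholder domain) and reports the weak choices: a cleartext ldap:// URI without STARTTLS, a lax ldap_tls_reqcert, a missing access_provider (default permit) and enumerate = true.

```python
import configparser

# Constructed sssd.conf samples (not taken from any real host). The first has
# the weak/default settings, the second the hardened values shown on this page.
WEAK_CONF = """
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
enumerate = true
"""

HARDENED_CONF = """
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
access_provider = simple
simple_allow_groups = group1
enumerate = false
"""

def audit_sssd_conf(text):
    """Return (section, finding) pairs for risky settings in each [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        # ldap:// without STARTTLS sends bind credentials and directory data in the clear
        if d.get("ldap_uri", "").startswith("ldap://") and not starttls:
            findings.append((section, "ldap_uri is ldap:// and ldap_id_use_start_tls is not true"))
        # sssd-ldap(5) default is "hard" (same as "demand"); weaker values skip cert validation
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append((section, "ldap_tls_reqcert does not demand a valid server certificate"))
        # with no access_provider the default is "permit": every resolved user may log in
        if "access_provider" not in d:
            findings.append((section, "no access_provider set, default is permit"))
        if d.get("enumerate", "false").lower() == "true":
            findings.append((section, "enumerate = true caches the full user and group list"))
    return findings
```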


Automatic home directory creation


# To enable automatic home directory creation for user upon first login

dnf install oddjob-mkhomedir

systemctl enable --now oddjobd

# The module name must be present; a "session optional ..." line without pam_oddjob_mkhomedir.so is not valid
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

# On CentOS 8, system-auth is generated by authselect, so enable the feature there instead:
# authselect select sssd with-mkhomedir --force

systemctl restart oddjobd


Configuring the Files Provider for SSSD


Help: sssd-files(5) man page

Files: /etc/passwd and /etc/group

# Optionally, set the sss database as the first source for user and group lookups


passwd:     sss files
group:      sss files


id_provider = files

 * SSSD never handles resolution of user/group "root".
    Also resolution of UID/GID 0 is not handled by SSSD.
    Such requests are passed to next NSS module (usually files).


Checking & Debug


Checking methods

  • id username
  • getent passwd username
  • sssctl


sssctl domain-list


sssctl domain-status datahunter.local

Online status: Online

Active servers:
KERBEROS: not connected

Discovered KERBEROS servers:
- kdc.datahunter.local

sssctl user-checks

  -a, --action=STRING       # PAM action [auth|acct|setc|chau|open|clos], default: acct
  -s, --service=STRING      # PAM service, default: system-auth

sssctl user-checks USERNAME

sssctl user-checks USERNAME -a auth

Change SSSD debug level

# Change in runtime

sssctl debug-level 0x????      

4, 0x0100: Configuration settings.
5, 0x0200: Function data.
6, 0x0400: Trace messages for operation functions.
7, 0x1000: Trace messages for internal control functions.
8, 0x2000: Contents of function-internal variables that may be interesting.

Default: 0x0070

sssctl debug-level 0x17f0
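
An added example (not from the page or the SSSD project) that works out what the hex masks above mean, using the bit values from sssd.conf(5); levels 0-3 and 9 are taken from that man page to complete the list given here.

```python
# Bit value and meaning of each SSSD debug level, per sssd.conf(5).
DEBUG_LEVELS = {
    0: (0x0010, "Fatal failures"),
    1: (0x0020, "Critical failures"),
    2: (0x0040, "Serious failures"),
    3: (0x0080, "Minor failures"),
    4: (0x0100, "Configuration settings"),
    5: (0x0200, "Function data"),
    6: (0x0400, "Trace messages for operation functions"),
    7: (0x1000, "Trace messages for internal control functions"),
    8: (0x2000, "Contents of function-internal variables"),
    9: (0x4000, "Extremely low-level tracing"),
}

def mask_for_level(max_level):
    """Bitmask that enables every level up to max_level; this is what a plain
    numeric 'debug_level = N' expands to, e.g. 7 -> 0x17f0, 2 -> 0x0070 (the default)."""
    return sum(bit for lvl, (bit, _) in DEBUG_LEVELS.items() if lvl <= max_level)

def decode_mask(mask):
    """Return the level numbers a hex mask switches on, so a log line tagged
    (0x1000) is emitted only if 7 is in the result."""
    return [lvl for lvl, (bit, _) in DEBUG_LEVELS.items() if mask & bit]

def describe_mask(mask):
    """Human-readable list of what a mask enables, for reviewing a sssctl debug-level value."""
    return [f"{lvl} (0x{DEBUG_LEVELS[lvl][0]:04x}): {DEBUG_LEVELS[lvl][1]}"
            for lvl in decode_mask(mask)]
```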



Access Provider


simple access provider

The simple access provider allows or denies access based on a list of user names or groups.


access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1

 * deny rules supersede allow rules

If an allowed list is provided, then all users are denied access unless they are in the list.

If only deny lists are provided, then all users are allowed access unless they are in the list.

* The LOCAL domain in SSSD does not support simple as an access provider.
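
The simple provider's decision order, modelled in Python as an added example (not SSSD's own code). The [domain/example.com] fragment is constructed: it is the page's allow-list example with a simple_deny_groups line added to show that deny rules win.

```python
import configparser

# Constructed [domain/...] fragment (not from a real host): the page's allow
# lists plus a deny group.
SIMPLE_CONF = """
[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1
simple_deny_groups = disabled
"""

def _name_list(section, key):
    """Split a comma-separated sssd.conf list into a set of names."""
    return {x.strip() for x in section.get(key, "").split(",") if x.strip()}

def load_simple_rules(text, domain):
    """Read the simple_* allow/deny lists of one domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    d = cp["domain/" + domain]
    return {k: _name_list(d, "simple_" + k)
            for k in ("allow_users", "allow_groups", "deny_users", "deny_groups")}

def simple_access(rules, user, user_groups):
    """True if the simple provider would permit this user (with these groups) to log in."""
    groups = set(user_groups)
    # deny rules supersede allow rules
    if user in rules["deny_users"] or groups & rules["deny_groups"]:
        return False
    # if any allow list exists, everyone not on it is denied
    if rules["allow_users"] or rules["allow_groups"]:
        return user in rules["allow_users"] or bool(groups & rules["allow_groups"])
    # only deny lists (or no lists at all): everyone else is allowed
    return True
```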


Client-side Views



Client-side views let you specify new values for POSIX user or group attributes.
The view takes effect only on the local machine where the overrides are configured.

 * restart SSSD for the changes to take effect

# Override the account's UID with 6666
sss_override user-add username -u 6666

# Display the overrides for the user
sss_override user-show username

# To expire in-memory cache
sss_cache --users

-E,--everything           # Invalidate all cached entries.
-u,--user login

# Checking
id user

# List
sss_override user-find
sss_override group-find

# Removing
sss_override user-del user
sss_override group-del group

# Exporting and Importing

# export
sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
# import
sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak

Example log line written at debug level 0x1000 (trace messages for internal control functions):

(2021-10-19 15:48:48): [be[datahunter.local]] [check_wait_queue] (0x1000): Wait queue for user [datahunter@datahunter.local] is empty.

Obtaining Information about an LDAP Group Takes Long

By default, LDAP group information lookups return all members for the group. For operations that involve large groups or nested groups, returning all members makes the process longer.

To fix the problem, set the option below: the membership lists returned in group lookups are then not used when evaluating whether a user belongs to a group.

ignore_group_members = true

Direct sshd to use SSSD for authorized_keys


# /etc/ssh/sshd_config
# sss_ssh_authorizedkeys needs the SSSD ssh responder, i.e. "ssh" in the services = line of sssd.conf

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root