sssd

最後更新: 2021-10-26

介紹

 

System Security Services Dameon(SSSD)

system service to access remote directories and authentication mechanisms

---

SSSD does not create user accounts on the local system.

Instead, it uses the identities from the external data store and lets the users access the local system.

SSSD contacts the servers only if the information is not available in the cache.

目錄

 


Installation

 

centos 7, 8 安裝

dnf install sssd -y            # C8

yum install sssd -y          # C7, C6

# 如 start 唔到, 就要 update 一次.

dnf update -y && reboot

centos 7, 8 啟用 sssd

systemctl start sssd

systemctl enable sssd

centos6 啟用 sssd

chkconfig sssd on

service sssd start

 


authselect & authconfig

 

This automatically configured the nsswitch.conf file to use SSSD as a provider.

Centos 8

dnf install authselect

authselect select sssd --force

Centos 7

yum install install authconfig

authconfig --enablesssd --enablesssdauth --update

Remark

--enablesssd option

Configuring Services: NSS
updates /etc/nsswitch.conf to support SSS.

--enablesssdauth option
Configuring Services: PAM
updates /etc/pam.d/system-auth to include the required pam_sss.so

 


Setting

 

Config File

/etc/sssd/sssd.conf

Permssion

# 必須是 600 否則 service 會 start 失敗

chmod 600 /etc/sssd/sssd.conf

Verify Config - sssd-tools

# check configuration or permissions

dnf install sssd-tools -y

sssctl config-check

Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

 


sssd.conf

 

identity & authentication provider

  • An identity provider (for user information)
  • An authentication provider (for authentication requests)
  • An access control provider (for authorization requests)     # Default: “permit”

A combination of these providers

identity    authentication
LDAP        LDAP, Kerberos
proxy       proxy, LDAP, Kerberos
file        LDAP, Kerberos

Section

[sssd]

section contains configuration settings for SSSD monitor options

[domain/LDAP]

[nss]

configure how SSSD interacts with NSS

[pam]

[nss] Section

[nss]
filter_groups = root
filter_users = root
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

filter_users & filter_groups

useful for system accounts

entries prevent NSS retrieving information about the specified users and groups being retrieved from SSS

The filter_groups option doesn't affect inheritance of nested group members

Default: root

enum_cache_timeout

cache enumerations (requests for info about all users)

 

[sssd] Section

[sssd]
config_file_version = 2
domains = LDAP_domain_name
services = nss, pam, sudo

domains

specifies the name of the sections that define authentication domains

services

entry entry defines the supported services

[pam] Section

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

offline_credentials_expiration

specifies the number of days for which to allow cached logins if the authentication provider is offline.

offline_failed_login_attempts

specifies how many failed login attempts are allowed if the authentication provider is offline.

offline_failed_login_delay & offline_failed_login_attempts

specifies how many minutes after offline_failed_login_attempts failed login attempts that a new login attempt is permitted.

[domain/X] Section

[domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

cache_credentials = true

min_id = 1000
max_id = 2000

enumerate = false

id_provider          # identity provider

auth_provider      # authentication provider

enumerate          # specifies whether SSSD caches the complete list of users and groups that are available on the provider.

cache_credentials

Specifies if SSSD caches user credentials such as tickets, session keys,
  and other identifying information to support offline authentication and single sign-on.

 * SSSD does not cache user credentials by default.

When processing authentication requests, SSSD always contacts the identity provider.

If the provider is unavailable, user authentication fails.

Kerberos

[domain/Kerberos_domain_name]
...
auth_provider = krb5
krb5_server = kdc.datahunter.local
krb5_realm = datahunter.local

 


Automatic home directory creation

 

# To enable automatic home directory creation for user upon first login

dnf install oddjob-mkhomedir

systemctl enable --now oddjobd

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

systemctl restart oddjobd

 


Configuring the Files Provider for SSSD

 

Help: sssd-files(5) man page

File: /etc/passwd and /etc/groups

# Optionally, set the sss database as the first source for user and group lookups

/etc/nsswitch.conf

passwd:     sss files
group:      sss files

/etc/sssd/sssd.conf

[domain/files]
id_provider = files

 * SSSD never handles resolution of user/group "root".
    Also resolution of UID/GID 0 is not handled by SSSD.
    Such requests are passed to next NSS module (usually files).

 


Checking & Debug

 

Checking 方法

  • id username
  • getent passwd username
  • sssctl

sssctl

sssctl domain-list

datahunter.local

sssctl domain-status datahunter.local

Online status: Online

Active servers:
KERBEROS: not connected

Discovered KERBEROS servers:
- kdc.datahunter.local

sssctl user-checks

  -a, --action=STRING       # PAM action [auth|acct|setc|chau|open|clos], default: acct
  -s, --service=STRING      # PAM service, default: system-auth

sssctl user-checks USERNAME

sssctl user-checks USERNAME -a auth

Change SSSD debug level

# Change in runtime

sssctl debug-level 0x????      

4, 0x0100: Configuration settings.
5, 0x0200: Function data.
6, 0x0400: Trace messages for operation functions.
7, 0x1000: Trace messages for internal control functions.
8, 0x2000: Contents of function-internal variables that may be interesting.

Default: 0x0070

sssctl debug-level 0x17f0

 

 


Access Provider

 

simple access provider

The simple access provider allows or denies access based on a list of user names or groups.

ie.

[domain/domain_name]
access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1

 * deny rules supersede allow rules

If an allowed list is provided, then all users are denied access unless they are in the list.

If only deny lists are provided, then all users are allowed access unless they are in the list.

* The LOCAL domain in SSSD does not support simple as an access provider.

 


Client-side Views

 

 

specify new values for POSIX user or group attributes.
The view takes effect only on the local machine where the overrides are configured.

 * restart SSSD for the changes to take effect

# Override the account's UID with 6666
sss_override user-add username -u 6666

# Display the overrides for the user
sss_override user-show username

# To expire in-memory cache
sss_cache --users

remark
-E,--everything           # Invalidate all cached entries.
-u,--user login

# Checking
id user

# List
sss_override user-find
sss_override group-find

# Removing
sss_override user-del user
sss_override group-del group

# Exporting and Importing

# export
sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
# import
sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak

(2021-10-19 15:48:48): [be[datahunter.local]] [check_wait_queue] (0x1000): Wait queue for user [datahunter@datahunter.local] is empty.

Obtaining Information about an LDAP Group Takes Long

By default, LDAP group information lookups return all members for the group. For operations that involve large groups or nested groups, returning all members makes the process longer.

To fix the problem:
The membership lists returned in group lookups are not used when evaluating whether a user belongs to a group.

ignore_group_members = true
 


Direct sshd to use SSSD for authorized_keys

 

 

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root