SSSD/sssd

sssd.conf(5): working sssd.conf with all default values

georgemarselis-nvi opened this issue · 3 comments

#
# /etc/sssd/sssd.conf : Configuration file for sssd and all its subservices
# sssd.conf(5)
# 2024-02-28 George Marselis george.marselis@vetinst.no

# FILE FORMAT
#
# The file has an ini-style syntax and consists of sections and parameters.
# A section begins with the name of the section in square brackets,
# e.g. [sssd] . It continues until the next section begins. Here is an
# example of the general BNF syntax of a section, utilizing single
# and multi-valued parameters:
#
# [section]
# key = value
# key2 = value2,value3
#
# DATA TYPES FOR VALUES
#
# The data types used for the values are string , integer and boolean.
# Quoting is not required.
#
# COMMENTING
#
# A comment line starts with a hash sign '#' or a
# semicolon ';'. Inline comments are not supported.
#
# CASE SENSITIVE values ? #7345
#
# All sections can have an optional description parameter, purely as a
# label for the section. ???? DISCARDED DURING PARSING?
#
# FILE, FILE OWNERSHIP AND FILE PERMISSIONS
#
# sssd.conf must be a regular file. It must be owned by root:root only, and
# read/write by root only.
# Incorrect file permissions will prevent the daemon from starting. #7346

# File is made up of the following sections:
# [sssd]
# [nss]
# [pam]
# [sudo]
# [autofs]
# [ssh]
# [pac]
# [rec]
# [domain/YOUR_DOMAIN]
#
# Each section corresponds to the configuration of an SSSD subprocess. You
# can break down each section in sssd/conf.d/ . Only files ending in .conf
# are read. Each file under sssd/conf.d/ is lexicographically added to
# create the main sssd/sssd.conf file in memory.
#
# The parameters for each of the subprocesses of SSSD can be found in their
# relevant man pages:
# pam_sss (8) - PAM module for SSSD
# pam_sss_gss (8) - PAM module for SSSD GSSAPI authentication
# sss-certmap (5) - SSSD Certificate Matching and Mapping Rules
# sss_cache (8) - perform cache cleanup
# sss_obfuscate (8) - obfuscate a clear text password
# sss_override (8) - create local overrides of user and group attributes
# sss_rpcidmapd (5) - sss plugin configuration directives for rpc.idmapd
# sss_seed (8) - seed the SSSD cache with a user
# sss_ssh_authorizedkeys (1) - get OpenSSH authorized keys
# sss_ssh_knownhostsproxy (1) - get OpenSSH host keys
# sssd-ad (5) - SSSD Active Directory provider
# sssd-files (5) - SSSD files provider
# sssd-ifp (5) - SSSD InfoPipe responder
# sssd-ipa (5) - SSSD IPA provider
# sssd-kcm (8) - SSSD Kerberos Cache Manager
# sssd-krb5 (5) - SSSD Kerberos provider
# sssd-ldap (5) - SSSD LDAP provider
# sssd-ldap-attributes (5) - SSSD LDAP Provider: Mapping Attributes
# sssd-session-recording (5) - Configuring session recording with SSSD
# sssd-simple (5) - the configuration file for the 'simple' access-control provider of SSSD
# sssd-sudo (5) - Configuring sudo with the SSSD back end
# systemtap (5) - SSSD systemtap information
# sssd_krb5_localauth_plugin (8) - Kerberos local authorization plugin
# sssd_krb5_locator_plugin (8) - Kerberos locator plugin

#
# FIXME FIXME FIXME what happens if a section is duplicate?
#

[sssd]

# each section can have a 'description' variable
description = "The sss daemon configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# Indicates the syntax version of the config file. SSSD 0.6.0 and
# later use version 2
config_file_version = 2

# Comma separated list of services that are started when sssd itself starts.
# The list of services is optional on platforms where systemd is supported,
# as they will either be socket or D-Bus activated when needed.
# By default, all services are disabled and the administrator must enable
# the ones allowed to be used by executing
# for service in $( echo "nss pam sudo autofs ssh pac ifp"); do
# systemctl enable sssd-$service.socket; done
# and
# for service in $( echo "nss pam sudo autofs ssh pac ifp"); do
# systemctl enable sssd-$service.service; done
services = nss,pam,sudo,autofs,ssh,pac,ifp

# Number of times services should attempt to reconnect in the event of
# a Data Provider crash or restart, before they give up
# Default: 3
reconnection_retries = 3

# A domain is a database containing user information. SSSD can use more
# domains at the same time, but at least one must be configured or SSSD
# won't start. This parameter describes the list of domains in the order
# you want them to be queried. A domain name is recommended to contain
# only alphanumeric ASCII characters, dashes, dots and underscores.
# '/' character is forbidden.
domains = vetinst.no

# The default regular expression that describes how to parse the string
# containing the user name and the domain into individual components.
# Each domain can also have an individual regular expression configured.
# For some ID providers there are also default regular expressions.
# See sssd.conf(5) DOMAIN SECTIONS for more info on these regular expressions.
## re_expression =

# A printf(3)-compatible format that describes how to compose a fully
# qualified name from the user name and domain name components.
## full_name_format =

# Monitor the state of resolv.conf to identify when there is a need to update
# the internal DNS resolver.
monitor_resolv_conf = True

# SSSD will attempt to use inotify to monitor configuration files changes
# and will fall back to polling every five seconds if inotify cannot be used.
try_inotify = True

# The name of the default replay cache. The default is dfl: (domain functional
# level). It is subject to parameter expansion according to platform; it is
# set with a default value in /etc/krb5.conf, so leave this alone and
# commented out
##krb5_rcache_dir =
#
# Default domain name for all names without a domain name component. Used when
# the primary domain is intended for managing host policies and all users are
# located in a trusted domain
#
# Setting this option changes default of use_fully_qualified_names to True.
# It is not allowed to use this option together with use_fully_qualified_names
# set to False. See sssd.conf(5) for details
##default_domain_suffix =
#
# Replace spaces (space bar) with the given character for user and group
# names. Used for compatibility with shell scripts that have difficulty
# handling spaces, due to the default field separator in the shell.
## override_space =

# Restrict/tune certificate verification. Options are comma-separated.
# Valid options:
# no_ocsp, soft_ocsp, ocsp_dgst=sha1|sha256|sha384|sha512,
# no_verification, partial_chain, ocsp_default_responder=URL,
# ocsp_default_responder_signing_cert=NAME,
# crl_file=/PATH/TO/CRL/FILE, soft_crl
#
# Default: do not restrict certificate verification
## certificate_verification =

# Monitor changes to routes, addresses, links and trigger appropriate actions
# for sssd. Disabling this is desirable when the state should not affect sssd
# Default : False
disable_netlink = False

# If you enable this option, a small implicit domain is added, like so:
# [domain/files]
# id_provider = files
#
# The implicit domain is prepended before any explicitly configured ones.
# The effect is that local files (/etc/passwd, /etc/group, etc)
# are mirrored/ingested into sssd. Also, provides efficient caching of
# local users and groups.
# Look into sssd-files(5) for more details
#
# Default : False
## enable_files_domain = False

# Comma separated list of domains and subdomains representing the lookup
# order that will be followed.
# Order of lookup may be important when the same username/uid exists in
# multiple domains, but the full name format is not used to log in the user
#
# Default: Do not set, unless you need it
## domain_resolution_order = vetinst.no

# A PAC (Privilege Attribute Certificate) is a data structure used in
# Microsoft Windows environments for representing a user's security
# privileges and group memberships. It contains information such as group
# memberships of a user, authorization data, and other security-related
# attributes
#
# implicit_pac_responder = True enables the SSSD (System Security Services
# Daemon) to automatically respond to requests for PAC data, which is needed
# for certain Windows authentication scenarios, such as AD domain
# authentication, cross-domain authentication, Kerberos Constrained
# Delegation (allow a service to impersonate a user and access resources on
# behalf of that user) and Authorization and Access Control.
#
# Default: True
implicit_pac_responder = True

# General system hardening: setting it to 'false' forbids core dumps for all
# SSSD processes to avoid leaking plain text passwords
#
# Default: True
core_dumpable = True

[nss]

# each section can have a 'description' variable
description = "The sss_nss sub-process configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also sssctl debug-level
debug_level = 7

# Number of times services should attempt to reconnect in the event of a
# Data Provider crash or restart before they give up
# Default: 3
reconnection_retries = 3

# Maximum number of file descriptors that may be opened at one time by this
# SSSD process.
#
# Default: 8192 (or limits.conf "hard" limit)
# Let this be decided dynamically
## fd_limit = 8192

# Seconds that a client of an SSSD process can hold onto a file descriptor
# without communicating on it. Limited in order to avoid resource
# exhaustion on the system.
#
# Default: 60 (if lower than 10, it will be reset to 10)
# Exception: Kerberos Credential Manager (KCM), time out
# is 300 seconds/5 minutes
# Discrepancy might be due to different default settings and behaviors
# between the SSSD configuration and the KCM component itself.
client_idle_timeout = 60

# Seconds that an SSSD responder process can be up without being used.
# Limited to avoid resource exhaustion.
#
# NOTE: Only has effect when SSSD is built with systemd support and
# when services are either socket or D-Bus activated.
#
# Default: 300
responder_idle_timeout = 300

# Specify whether the responder should query all caches before querying
# the Data Providers
#
# NOTE: we do not cache credentials, we proxy from AD.
#
# Default: False
cache_first = False

# Seconds sss_nss should cache enumerations: the requests for info about
# all users
#
# Default: 120
enum_cache_timeout = 120

# Automatically update entries in the background if they are requested
# beyond a percentage of the entry_cache_timeout value for the domain.
#
# Default: 50 | Valid values: 0-99, 0 to disable
entry_cache_nowait_percentage = 50

# Seconds sss_nss should cache negative cache hits (queries for invalid
# database entries) before asking again.
#
# Default: 15
entry_negative_timeout = 15

# Seconds sss_nss should keep local users and groups in negative cache
# before trying to look them up in the back end again.
#
# Default: 14400 (4 hours) | 0 disables the feature
local_negative_timeout = 14400

# Exclude certain users from being fetched from the NSS database of the
# daemon. This is particularly useful for system accounts. This option
# can also be set per-domain or include fully-qualified names to filter
# only users from the particular domain or by a user principal name (UPN).
#
# Default: root
filter_users = root

# Exclude certain groups from being fetched from the NSS database of the
# daemon. This is particularly useful for system groups. This option
# can also be set per-domain or include fully-qualified names to filter
# only users from the particular domain or by a user principal name (UPN).
#
# NOTE: The filter_groups option doesn't affect inheritance of nested group
# members, since filtering happens after they are propagated for
# returning via NSS: a super group having a member group filtered out
# will still have the member users of the member group listed.
#
# Default: root
filter_groups = root

# Enable membership of filtered users as group members. Disable if
# not desired.
#
# Default: True
filter_users_in_groups = True

# Override the location of the home directory of a user. You can either
# provide an absolute value or a template. In the template, the following
# sequences are substituted:
#
# %u : Login name
# %U : UID number
# %d : Domain name
# %f : Fully qualified user name (user@domain)
# %l : The first letter of the login name
# %P : UPN - User Principal Name (user@REALM or user@domain)
# %o : The original home directory retrieved from the identity provider.
# %h : The original home directory retrieved from the identity provider, but in lower case.
# %H : The value of configure option homedir_substring.
# %% : A literal '%'
#
# This option can also be set per domain and per section.
#
# NOTE: The home directory from a specific override for the user, either
# locally or centrally managed IPA id-overrides, has a higher
# precedence. It will be used instead of the value given by
# override_homedir. See sss_override(8) for details.
#
# #7348

# Default: Not set (SSSD will use the value retrieved from LDAP)
## override_homedir = /home/%u
## override_homedir = /data/posit/home/%d/%u

# Used in expansion of override_homedir if the template contains the format
# string %H. An LDAP directory entry can directly contain this template so
# this option can be used to expand the home directory path for each client
# machine (or operating system). It can be set per-domain or globally in the
# [nss] section.
#
# NOTE: A value specified in a domain section will override one set in this
# section.
#
# This option can also be set per domain and per section
#
# Default: /home
## homedir_substring = /home

# Set a default template for the home directory of a user, if one is not specified
# explicitly by the data provider of the domain.
#
# The available values for this option are the same as for override_homedir.
#
# Default: not set (no substitution for unset home directories)
## fallback_homedir =

# The default shell to use if the provider does not return one during
# lookup.
#
# This option can be specified globally in the [nss] section or per domain.
#
# Default: not set | Returns NULL if no shell is specified and relies on
# libc to substitute something sensible, usually /bin/sh
## default_shell = /bin/bash

# The default shell to use if an allowed shell is not installed
# on the machine.
# Default: /bin/sh
## shell_fallback = /bin/sh

# Override the login shell for all users. This option supersedes
# any other shell options. It can be set globally in the [nss]
# section or per domain.
#
# Default: not set (SSSD will use the value retrieved from LDAP)
## override_shell = /bin/bash

# default shell to use if an allowed shell is not installed on the machine.
#
# Default: /bin/sh
## shell_fallback = /bin/sh

# Restrict user shell to one of the listed values. The order of
# evaluation is:
# 1. If the shell is present in “/etc/shells”, it is used.
# 2. If the shell is in the allowed_shells list but not in “/etc/shells”, use the value of the shell_fallback parameter.
# 3. If the shell is not in the allowed_shells list and not in “/etc/shells”, the /usr/sbin/nologin shell is used.
#
# The wildcard (*) can be used to allow any shell. The wildcard is useful
# if you want to use shell_fallback in case the shell of a user is not in
# /etc/shells. An empty string for shell is passed as-is to libc.
# /etc/shells is only read on SSSD start up. If you change it, restart SSSD
#
# Default: Not set. The user shell is automatically used.
## allowed_shells =

# Any shell found here will be replaced with the shell_fallback
# Default: none
## vetoed_shells =

# Seconds the list of subdomains will be considered valid.
#
# Default: 60
get_domains_timeout = 60

# Seconds records in the in-memory cache will be valid.
#
# WARNING: Disabling the in-memory cache will have significant negative
# impact on the performance of SSSD and should only be
# used for testing
#
# NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set
# to "NO", client applications will not use the fast in-memory
# cache.
#
# Default: 300
memcache_timeout = 300

# Size in megabytes of the data table allocated inside fast in-memory
# cache for passwd requests. Setting the size to 0 will disable the passwd
# in-memory cache.
#
# WARNING: Disabled or too small in-memory cache can have significant
# negative impact on the performance of SSSD
#
# NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
# client applications will not use the fast in-memory cache.
#
# Default: 8
memcache_size_passwd = 8

# Size (in megabytes) of the data table allocated inside fast in-memory
# cache for group requests. Setting the size to 0 will disable the group
# in-memory cache.
#
# WARNING: Disabled or too small in-memory cache can have significant
# negative impact on the performance of SSSD
#
# NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
# client applications will not use the fast in-memory cache.
#
# Default: 6
memcache_size_group = 6

# Size in megabytes of the data table allocated inside the fast in-memory
# cache for initgroups requests. Setting the size to 0 will disable the
# initgroups in-memory cache.
#
# WARNING: Disabled or too small in-memory cache can have significant
# negative impact on the performance of SSSD
#
# NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
# client applications will not use the fast in-memory cache.
#
# Default: 10
memcache_size_initgroups = 10

# Some of the additional NSS responder requests can return more attributes
# than just the POSIX ones defined by the NSS interface. That list of
# attributes is controlled by this option. It is handled the same way as
# the “user_attributes” option of the InfoPipe responder but with no
# default values. See sssd-ifp(5) for details.
#
# NOTE: The InfoPipe responder provides a public D-Bus interface accessible
# over the system bus. The interface allows the user to query
# information about remote users and groups over the system bus.
#
# NOTE: To make configuration more easy, the NSS responder will check the
# sssd-ifp InfoPipe option if it is not set for the NSS responder.
#
# Default: not set, fallback to InfoPipe option
## user_attributes =

# The value that NSS operations that return users or groups will return
# for the "password" field.
#
# NOTE: This option can also be set per domain. If set, it will override
# the value in [nss] section
#
# Default: ""
# Default: "not set" (for the remote domains)
# "x" (for the files domain)
# "x" (proxy domain with nss_files and sssd-shadowutils target)
#
## pwfield = ""

[pam]

# each section can have a 'description' variable
description = "The sss_pam sub-process configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also sssctl debug-level
debug_level = 7

# If the authentication provider is offline, define how many days SSSD
# allows cached logins (in days since the last successful online login).
#
# Default: 0 (no limit)
offline_credentials_expiration = 1

# How many failed login attempts are allowed, if the authentication
# provider is offline
#
# Default: 0 (No limit)
offline_failed_login_attempts = 3

# The time in minutes which has to pass after offline_failed_login_attempts
# has been reached before a new login attempt is possible.
# If set to 0 the user cannot authenticate offline if offline failed login
# attempts has been reached. Only a successful online authentication can
# enable offline authentication again.
#
# Default: 5
offline_failed_login_delay = 15

# Controls what kind of messages are shown to the user during authentication.
# Higher verbosity will show more messages.
# Currently sssd supports the following values:
# 0: do not show any message
# 1: show only important messages
# 2: show informational messages
# 3: show all messages and debug information
#
# Default: 1
pam_verbosity = 3

# Comma separated list of strings which allows to remove (filter) data sent
# by the PAM responder to sss_pam PAM module. There are different kinds of
# responses sent to pam_sss e.g. messages displayed to the user or
# environment variables which should be set by pam_sss. While messages
# already can be controlled with the help of the pam_verbosity option this
# option allows to filter out other kinds of responses as well.
#
# Currently the following filters are supported:
# ENV Do not send any environment variables to any service.
# ENV:var_name Do not send environment variable var_name to any service.
# ENV:var_name:service Exclude from sending the environment variable var_name to service.
#
# The list of strings can either be the list of filters which would set this
# list of filters and overwrite the defaults. Or each element of the list
# can be prefixed by a '+' or '-' character which would add the filter to
# the existing default or remove it from the defaults, respectively. Please
# note that either all list elements must have a '+' or '-' prefix or none.
# It is considered as an error to mix both styles.
#
# Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
# Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default
# list
pam_response_filter = ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i

# For any PAM request while SSSD is online, the SSSD will attempt to
# immediately update the cached identity information for the user in order
# to ensure that authentication takes place with the latest information.
# A complete PAM conversation may perform multiple PAM requests, such as
# account management and session opening. This option controls, on
# a per-client-application basis, how long in seconds we can cache the
# identity information to avoid excessive round-trips to the identity
# provider.
#
# Default: 5
pam_id_timeout = 5

# Display a warning N days before the password expires.
#
# NOTE: the backend server has to provide information about the
# expiration time of the password. If this information is missing, sssd
# cannot display a warning.
# If zero is set, then this filter is not applied: if the expiration
# warning was received from backend server, it will automatically be
# displayed.
#
# NOTE: This setting can be overridden by setting pwd_expiration_warning for a particular domain.
#
# Default: 0
pam_pwd_expiration_warning = 10

# Specifies time in seconds for which the list of subdomains will be
# considered valid.
# Default: 60
get_domains_timeout = 60

# Specifies the comma-separated list of UID values or user names that are
# allowed to run PAM conversations against trusted domains. Users not
# included in this list can only access domains marked as public with option
# "pam_public_domains". User names are resolved to UIDs at startup.
#
# NOTE: UID 0 is always allowed to access the PAM responder even if not in
# the pam_trusted_users list.
#
# Default: All users are considered trusted by default
## pam_trusted_users =

# Comma-separated list of domain names that are accessible even to untrusted
# users. Two values are defined:
# all: Untrusted users are allowed to access all domains.
# none: Untrusted users are not allowed to access any domains.
#
# Default: none
pam_public_domains = none

# Print a custom expiration message, replacing the default 'Permission denied'
# message.
#
# NOTE: Please be aware that message is only printed for the SSH service
# unless pam_verbosity is set to 3: show all messages and debug
# information.
#
# Default: none
pam_account_expired_message = Account expired, please contact help desk.

# Print a custom lockout message, replacing the default 'Permission denied'
# message.
#
# Default: none
pam_account_locked_message = Account locked, please contact help desk.

# Enable certificate based Smartcard authentication. This requires
# additional communication with the respective Smartcard stack. Enabling
# introduces delays to the authentication process, so this option is
# disabled by default.
#
# Default: False
pam_cert_auth = False

# The path to the certificate database. The path points to a file with
# trusted CA certificates and all their intermediate chains. File must
# be in PEM format.
#
# Default: /etc/sssd/pki/sssd_auth_ca_db.pem
pam_cert_db_path = /etc/pki/tls/certs/vetinst.pem

# Ways to verify the PAM certificate. Values are the same comma separated
# list of values which the "certificate_verification" option has.
# Setting this option overrides the "certificate_verification" value in the
# "[sssd]" section. When not set, sssd uses the value of the
# 'certificate_verification' option defined in the aforementioned section.
#
# Valid options:
# no_ocsp, soft_ocsp, ocsp_dgst=sha1|sha256|sha384|sha512,
# no_verification, partial_chain, ocsp_default_responder=URL,
# ocsp_default_responder_signing_cert=NAME,
# crl_file=/PATH/TO/CRL/FILE, soft_crl
#
# Look at sssd.conf(5) for details
#
# Default: not set.
## pam_cert_verification =

# Seconds sss_pam has to wait for p11_child to finish.
#
# Default: 10
p11_child_timeout = 10

# PAM services which are permitted to contact domains of type "application"
#
# For more:
# https://docs.pagure.org/sssd.sssd/design_pages/non_posix_support.html
#
# PAM service names are the service names from the contents of /etc/pam.d/
#
# Default: Not set
## pam_app_services =

# Comma-separated list of PAM service names which will be allowed to use
# Smartcards.
# You can add another PAM service name to the default set by using
# "+service_name"
# or to explicitly remove a PAM service name by using
# "-service_name"
# even if the service is in the default set of services.
#
# The default set of PAM service names include:
# * login
# * su
# * su-l
# * gdm-smartcard
# * gdm-password
# * kdm
# * sudo
# * sudo-i
# * gnome-screensaver
# PAM service names are the service names from the contents of /etc/pam.d/
#
# Example:
## pam_p11_allowed_services = +my_pam_service, -login
# This allows a custom PAM service name ("my_pam_service") and disables
#
# Default: Not set
## pam_p11_allowed_services =

# Additional extra seconds to p11_child_timeout should the PAM responder
# wait, if a Smartcard is inserted and Smartcard authentication is
# required
#
# Default: 60
p11_wait_for_card_timeout = 60

# PKCS#11 URI which can be used to restrict the selection of devices used
# for Smartcard authentication. By default, p11_child of SSSD will search
# for a PKCS#11 slot or reader where the 'removable' flag is set and read
# the certificates from the inserted token from the first slot found. If
# multiple readers are connected, p11_uri can be used to tell p11_child to
# use a specific reader.
# See RFC-7512 for details on PKCS#11 URI
# Example:
# p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
# or
# p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
#
# To find a suitable URI, please check the debug output of p11_child. As an
# alternative the GnuTLS utility 'p11tool' will show PKCS#11 URIs, with the
# '--list-all' option.
#
# Default: none
## p11_uri =

# Force the PAM responder to perform an online lookup to get the current
# group memberships of the user trying to log in. This option controls
# when this should be done and the following values are allowed:
# always: Always do an online lookup, please note that pam_id_timeout still
# applies
# no_session: Only do an online lookup if there is no active session of the
# user, i.e. if the user is currently not logged in
# never: Never force an online lookup, use the data from the cache as long
# as they are not expired
#
# Default: no_session
pam_initgroups_scheme = no_session

# Comma-separated list of PAM services that are allowed to try GSSAPI
# authentication using pam_sss_gss.so module.
# To disable GSSAPI authentication, set this option to “-” (dash).
#
# Note: This option can also be set per-domain which overwrites the value
# in [pam] section. It can also be set for trusted domains, which will
# overwrite the value in the domain section.
#
# Example:
# pam_gssapi_services = sudo, sudo-i
#
# Default: - (GSSAPI authentication is disabled)
pam_gssapi_services = -

# If True, SSSD will require that the Kerberos user principal that
# successfully authenticated through GSSAPI can be associated with the
# user who is being authenticated. Authentication will fail if the check
# fails.
# If False, every user that is able to obtain the required service ticket
# will be authenticated.
#
# Note: This option can also be set per-domain which overwrites the value
# in the [pam] section. It can also be set for trusted domains which will
# overwrite the value in the domain section.
#
# Default: True
pam_gssapi_check_upn = True

# Comma-separated list of authentication indicators required to be present
# in a Kerberos ticket to access a PAM service that is allowed to try
# GSSAPI authentication using pam_sss_gss.so module.
#
#
# In GSSAPI, an authentication indicator is a data field that indicates
# the authentication mechanism being used for secure communication, such
# as Kerberos or NTLM.
#
# https://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html
# As of release 1.14, the KDC can be configured to annotate tickets if
# the client authenticated using a stronger preauthentication mechanism
# such as PKINIT or OTP. These annotations are called "authentication
# indicators." Service principals can be configured to require particular
# authentication indicators in order to authenticate to that service. An
# authentication indicator value can be any string chosen by the KDC
# administrator; there are no pre-set values
#
# Each element of the list can be either an authentication indicator name
# or a tuple "service:indicator". Indicators not prefixed with their
# respective PAM service name are required to allow access to any PAM
# service configured to be used with pam_gssapi_services. The resulting list
# of indicators per PAM service is then checked against indicators in the
# Kerberos ticket during authentication by pam_sss_gss.so. Any indicator
# from the ticket that matches the resulting list of indicators for the
# PAM service is granted access. If none of the indicators in the list
# match, access is denied. If the resulting list of indicators for the PAM
# service is empty, access is not prevented.
#
# To disable GSSAPI authentication indicator check, set this option to
# "-" (single dash)
# To disable the check for a specific PAM service, set the service to
# "serviceName:-"
#
# Note: This option can also be set per-domain. In such case, this will
# overwrite the value in the [pam] section. It can also be set for each
# trusted domain. Again, this will overwrite the value in the relevant
# domain section.
#
# The following authentication indicators are supported by IPA Kerberos
# deployments:
#
# * pkinit -- pre-authentication using X.509 certificates -- whether
# stored in files or on smart cards.
# * hardened -- SPAKE pre-authentication or any pre-authentication
# wrapped in a FAST channel.
# * radius -- pre-authentication with the help of a RADIUS server.
# * otp -- pre-authentication using integrated two-factor authentication
# (2FA or one-time password, OTP) in IPA.
# * idp -- pre-authentication using external identity provider.
#
# Example: Require access to SUDO services only for users which
# obtained their Kerberos tickets with an X.509 certificate
# pre-authentication (PKINIT)
#
# pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
#
# Default: not set (use of authentication indicators is not required)
## pam_gssapi_indicators_map
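
The resolution rules above are easy to get wrong once bare and service-prefixed indicators are mixed. The following Python is an added example, not SSSD or pam_sss_gss.so code: it implements the documented resolution and access decision so a candidate mapping can be checked against the indicators a ticket is expected to carry. The mapping strings and ticket indicator lists used with it are constructed for illustration.

```python
"""Evaluate pam_gssapi_indicators_map the way the option is documented.

Added example, not SSSD code: it models the documented resolution of
"service:indicator" elements, bare indicators, "-" and "service:-", and
the final "any match grants, empty list does not block" rule, so a mapping
can be sanity-checked before it is rolled out. All mapping strings and
ticket indicator lists used with it are constructed for illustration.
"""

DISABLED = object()  # sentinel: the indicator check is switched off


def parse_indicators_map(value):
    """Split the option value into (global indicators, {service: [indicators]}).

    Elements are comma separated. A bare indicator applies to every PAM
    service; "service:indicator" applies to that service only.
    """
    global_indicators = []
    per_service = {}
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if ":" in item:
            service, indicator = (part.strip() for part in item.split(":", 1))
            per_service.setdefault(service, []).append(indicator)
        else:
            global_indicators.append(item)
    return global_indicators, per_service


def required_indicators(value, service):
    """Return the indicator list that applies to `service`, or DISABLED.

    A value of exactly "-" disables the check for every service;
    "service:-" disables it for that one service.
    """
    if value.strip() == "-":
        return DISABLED
    global_indicators, per_service = parse_indicators_map(value)
    scoped = per_service.get(service, [])
    if "-" in scoped:
        return DISABLED
    return global_indicators + scoped


def gssapi_access_allowed(value, service, ticket_indicators):
    """Decide access as documented for pam_sss_gss.so; returns (allowed, reason).

    An empty resulting list does not prevent access; otherwise at least one
    indicator from the ticket must be in the list.
    """
    required = required_indicators(value, service)
    if required is DISABLED:
        return True, "indicator check disabled for " + service
    if not required:
        return True, "no indicators required for " + service
    matched = sorted(set(required) & set(ticket_indicators))
    if matched:
        return True, "ticket indicator(s) matched: " + ",".join(matched)
    return False, "ticket carries none of: " + ",".join(required)


if __name__ == "__main__":
    # constructed mapping: the sudo example above plus a host-wide rule
    mapping = "hardened, sudo:pkinit, sudo-i:pkinit, sshd:-"
    for service, ticket in (("sudo", ["pkinit"]), ("sudo", ["otp"]),
                            ("login", ["otp"]), ("sshd", [])):
        print(service, ticket, gssapi_access_allowed(mapping, service, ticket))
```

Note the asymmetry this makes visible: a bare indicator such as "hardened" raises the bar for every service in pam_gssapi_services, so a service that was never listed still needs a matching indicator, while "sshd:-" exempts one service entirely.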

[sudo]

# each section can have a 'description' variable
description = "The sss daemon sudo configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# These options can be used to configure the sudo service. The detailed
# instructions for configuration of sudo(8) to work with sssd(8) are in
# the manual page sssd-sudo(5).

# Evaluate the sudoNotBefore and sudoNotAfter attributes that implement
# time-dependent sudoers entries.
#
# Default: false
sudo_timed = False

# Maximum number of expired rules that can be refreshed at once. If number
# of expired rules is below threshold, those rules are refreshed with
# "rules refresh" mechanism. If the threshold is exceeded a "full refresh"
# of sudo rules is triggered instead. This threshold number also applies to
# IPA sudo command and command group searches.
#
# Default: 50
sudo_threshold = 50

[autofs]

# each section can have a 'description' variable
description = "The sss daemon autofs configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# Specify for how many seconds should the autofs responder negative cache
# hits (that is, queries for invalid map entries, like nonexistent ones)
# before asking the back end again.
#
# NOTE: the automounter only reads the master map on startup, so if any
# autofs-related changes are made to the sssd.conf, you also need to
# restart the automounter daemon, after restarting SSSD.
#
# Default: 15
autofs_negative_timeout = 15

[ssh]

# each section can have a 'description' variable
description = "The sss daemon ssh configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# Hash host names and addresses in the managed known_hosts file.
#
# Default: false
ssh_hash_known_hosts = True

# Seconds to keep a host in the managed known_hosts file after its host
# keys were requested.
#
# Default: 180
ssh_known_hosts_timeout = 180

# If set to True, sssd will use sss_ssh_authorizedkeys(1) to return ssh
# keys derived from the public key of X.509 certificates stored in the
# user entry as well.
# See sss_ssh_authorizedkeys(1) for details.
#
# Essentially, what the above means is that the sssd ssh responder can
# take a X.509 certificate stored in the user entry, extract its public
# key and hand it to sshd in the form of an ssh public key
# https://jhrozek.fedorapeople.org/sssd/2.1.0/man/sss_ssh_authorizedkeys.1.html
# https://docs.pagure.org/sssd.sssd/users/relnotes/notes_1_16_2.html
#
# > If the user entry contains certificates ... or there is a certificate
# > in an override entry for the user ... and the certificate is valid,
# > SSSD will extract the public key from the certificate and convert it
# > into the format expected by sshd.
#
# Default: True
ssh_use_certificate_keys = True

# By default the SSSD ssh responder will use all available certificate
# matching rules to filter the certificates, so that ssh keys are only
# derived from the matching ones. With this option the used rules can be
# further restricted with a comma separated list of mapping and matching
# rule names. All other rules will be ignored.
#
# Available values are 'all_rules' and 'no_rules' . Each will enable all
# or no rules, respectively. The latter means that no certificates will
# be filtered out and ssh keys will be generated from all valid
# certificates.
#
# If no rules are configured using 'all_rules' will enable a default rule
# which enables all certificates suitable for client authentication. This
# is the same behavior the SSSD PAM responder uses, if certificate
# authentication is enabled.
#
# A non-existing rule name is considered an error. If no rule is selected
# as a result, all certificates will be ignored.
#
# Default: not set, equivalent to 'all_rules', all found rules or the
# default rule are used
ssh_use_certificate_matching_rules = all_rules

# Path to file storing trusted CA certificates, in PEM format. The option
# is used to validate user certificates before deriving public ssh keys
# from them.
#
# Default: /etc/sssd/pki/sssd_auth_ca_db.pem
ca_db = /etc/sssd/pki/sssd_auth_ca_db.pem

[pac]

# each section can have a 'description' variable
description = "The sss daemon pac configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# a PAC (Privilege Attribute Certificate) is a data structure used in
# Kerberos authentication to carry additional authorization information,
# such as group memberships and other attributes, alongside the regular
# Kerberos ticket.

## PAC responder configuration options
# The PAC responder works together with the authorization data plugin
# for MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The
# plugin sends the PAC data during a GSSAPI authentication to the PAC
# responder. The sub-domain provider collects domain SID and ID ranges
# of the domain the client is joined to and of remote trusted domains
# from the local domain controller. If the PAC is decoded and
# evaluated, some of the following operations are done:
#
# If the remote user does not exist in the cache, user is created. The
# UID is determined with the help of the SID. Trusted domains will have
# UPGs and the GID will have the same value as the UID. The home
# directory is set based on the subdomain_homedir parameter. The shell
# will be empty by default, i.e. the system defaults are used, but can
# be overwritten with the default_shell parameter.
#
# If there are SIDs of groups from domains which sssd knows about, the
# user will be added to those groups.
#

# Specify a comma-separated list of UID values or user names that are
# allowed to access the PAC responder. User names are resolved to UIDs at
# startup. Please note that although the UID 0 is used as the default, the
# default value can be overwritten, if this option is set. If you overwrite
# the default, but you still want to allow the root user to have access to
# the PAC responder, which would be the typical case, you have to add 0 to
# the list of allowed UIDs as well.
#
# Default: 0 - only the root user is allowed to access the PAC responder
allowed_uids = 0

# Lifetime of the PAC entry in seconds. As long as the PAC is valid, the
# PAC data can be used to determine the group memberships of a user.
#
# Default: 300
pac_lifetime = 300

# Apply additional checks on the PAC of the Kerberos ticket which is
# available in Active Directory and FreeIPA domains.
#
# NOTE: Kerberos ticket validation must be enabled to be able to check
# the PAC ( krb5_validate option must be set to 'True' ) . This
# is the default for the IPA and AD provider. If krb5_validate
# is set to 'False', the PAC checks will be skipped.
#
# The following options are the accepted values. They can be used alone
# or in a comma-separated list:
#
# * no_check
# The PAC must not be present. Even if present, no additional checks
# will be performed.
#
# * pac_present
# The PAC must be present in the service ticket which SSSD will
# request, with the help of the user's TGT. If the PAC is not
# available, the authentication will fail.
#
# * check_upn
# If the PAC is present, check if the user principal name (UPN)
# information is consistent.
#
# * check_upn_allow_missing
# This option should be used together with 'check_upn'. It handles
# the case where a UPN is set on the server-side but is not read by
# SSSD.
#
# The typical example is a FreeIPA domain where 'ldap_user_principal'
# is set to a non-existent attribute name.
#
# This was typically done to work-around issues in the handling of
# enterprise principals by FreeIPA. The issue has been fixed and
# there should not be a need to set 'ldap_user_principal'. The info
# is maintained in the case it is needed, though.
#
# Currently, this option is set by default to avoid regressions in
# such environments. A log message will be added to the system log
# and SSSD's debug log in case a UPN is found in the PAC but not in
# SSSD's cache. To avoid this log message it would be best to
# evaluate if the 'ldap_user_principal' option can be removed. If
# this is not possible, removing 'check_upn' will skip the test and
# avoid the log message.
#
# * upn_dns_info_present
# The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'.
#
# * check_upn_dns_info_ex
# If the PAC is present and the extension to the UPN-DNS-INFO buffer
# is available check if the information in the extension is consistent.
#
# * upn_dns_info_ex_present
# The PAC must contain the extension of the UPN-DNS-INFO buffer,
# implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'.
#
# Default: no_check (AD and IPA provider: 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
#
# NOTE: with the AD or IPA provider leave this option unset so the
# provider default above applies. An explicit 'no_check' here
# replaces that default and turns the UPN consistency checks off.
## pac_check =
#

# NOTE: sssd-session-recording(5) reads its options from a section named
# [session_recording]; 'sssctl config-check' reports a section named [rec]
# as not allowed and options placed there would never take effect.
[session_recording]

# each section can have a 'description' variable
description = "The sss daemon Session recording configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures,
# Configuration settings, Function data, Trace messages for operation
# functions and Trace messages for internal control functions
# 0-10, 10 max
# Also see sssctl debug-level
debug_level = 7

# The following options can be used to configure session recording. Session
# recording works in conjunction with tlog-rec-session(8), a part of the
# tlog package, to log what users see and type when they log in on a text
# terminal. See also: sssd-session-recording(5).

# Specify the scope of session recording:
# * none
# No users are recorded.
# * some
# Users/groups specified by users and groups options are recorded.
# * all
# All users are recorded.
#
# Default: none
scope = none

# Comma-separated list of users to have session recording enabled. Matches
# user names as returned by NSS, meaning after the possible space
# replacement, case or any other sort of NSS changes.
#
# Default: Empty. Matches no users.
## users =

# Comma-separated list of user groups, members of which should have session
# recording enabled. Matches group names as returned by NSS, meaning after
# the possible space replacement, case or any other sort of NSS changes.
#
# NOTE: Setting this option to anything has a considerable performance
# cost, as each uncached request for a user requires retrieving
# and matching of the groups the user is a member of.
#
# Default: Empty. Matches no groups.
## groups =

# Comma-separated list of users to be excluded from recording. Only
# applicable if 'scope = all'.
#
# Default: Empty. No users excluded.
## exclude_users =

# Comma-separated list of groups, members of which should be excluded from
# recording. Only applicable if 'scope = all'.
#
# NOTE: Setting this option to anything has a considerable performance
# cost, as each uncached request for a user requires retrieving
# and matching the groups the user is a member of.
#
# Default: Empty. No groups excluded.
## exclude_groups =
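
To check which accounts a given scope/users/groups/exclude_* combination will actually record, the following Python is an added example, not SSSD or tlog code: it evaluates the documented selection rules for one user together with the group list NSS returns for that user. The user and group names used with it are constructed.

```python
def parse_list(value):
    """Split a comma separated sssd.conf list, ignoring blanks."""
    return {item.strip() for item in value.split(",") if item.strip()}


def session_recorded(scope, user, user_groups, users="", groups="",
                     exclude_users="", exclude_groups=""):
    """Return True if `user` would be handed to tlog-rec-session.

    Implements the documented selection: scope 'none' records nobody, 'some'
    records members of `users`/`groups`, 'all' records everyone except the
    exclude lists, which are only consulted when scope is 'all'. Names are
    compared exactly, so callers pass them as NSS returns them.
    """
    member_of = set(user_groups)
    if scope == "none":
        return False
    if scope == "some":
        return user in parse_list(users) or bool(member_of & parse_list(groups))
    if scope == "all":
        return not (user in parse_list(exclude_users)
                    or member_of & parse_list(exclude_groups))
    raise ValueError("unknown scope: %r" % scope)


if __name__ == "__main__":
    # constructed accounts: alice is listed explicitly, carol only via a group
    print(session_recorded("some", "alice", [], users="alice, bob"))
    print(session_recorded("some", "carol", ["admins"], groups="admins"))
    print(session_recorded("all", "bob", ["svc"], exclude_groups="svc"))
```

The case worth noticing is exclude_users under scope = some: it has no effect, so an account that is both listed and excluded is still recorded.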

[domain/mydomain.on]

# each section can have a 'description' variable
description = "The sss daemon session domain configuration section for domain/mydomain.on"

# Options present in a domain configuration section. Said section is named
## [domain/NAME]

# Explicitly enable or disable the domain. If set to "True", the domain is always
# "enabled". If "False", the domain is always "disabled".
#
# If this option is not set, the domain is enabled only if it is listed
# in the domains option in the [sssd] section.
#
enabled = True

# Specify whether the domain is meant to be used by POSIX-aware clients,
# such as the NSS (Name Service Switch), or by applications that do not
# need POSIX data to be present or generated. Only objects from POSIX
# domains are available to the operating system interfaces and utilities.
#
# Allowed values for this option are "posix" and "application". POSIX
# domains are reachable by all services. Application domains are only
# reachable from the InfoPipe responder and the PAM responder. For more
# information, see sssd-ifp(5)
#
# NOTE: The application domains are currently well tested with
# the id_provider option set to 'ldap', only.
# For an easy way to configure non-POSIX domains, please
# see the "Application domains" section.
#
# Default: posix
domain_type = posix

# UID and GID limits for the domain. If a domain contains an entry that
# is outside these limits, it is ignored. For users, this affects the
# primary GID limit. The user will not be returned to NSS if either the
# UID or the primary GID is outside the range. For non-primary group
# memberships, those that are in range will be reported as expected.
#
# These ID limits affect even saving entries to cache, not only returning
# them by name or ID.
#
# Default: 1 for min_id, 0 (no limit) for max_id
min_id = 1
max_id = 0

# Determine if a domain can be enumerated, that is, whether the domain can
# list all the users and group it contains. Note that it is not required
# to enable enumeration in order for secondary groups to be displayed.
# Enumerating a domain requires SSSD to download and store all user and
# group entries from the remote server.
#
# NOTE: Enabling enumeration has a moderate performance impact on
# SSSD while enumeration is running. It may take up to several
# minutes after SSSD startup to fully complete enumerations.
# During this time, individual requests for information will
# go directly to LDAP. Responses may be slow, due to the heavy
# enumeration processing. Saving a large number of entries to
# cache after the enumeration completes might also be CPU
# intensive as the memberships have to be recomputed. This can
# lead to the sssd_be process becoming unresponsive or even
# restarted by the internal watchdog.
#
# While the first enumeration run is trying to complete, requests for the
# complete user or group lists may return no results until processing is
# finished. Further, enabling enumeration may increase the time necessary
# to detect network disconnection, as longer timeouts are required to
# ensure that enumeration lookups are completed successfully. For more
# information, refer to the man pages for the specific id_provider in use.
# For the reasons cited above, enabling enumeration is not recommended,
# especially in large environments.
#
# This parameter can have one of the following values:
# True
# Users and groups are enumerated
# False
# No enumerations for this domain
#
# Default: False
enumerate = False

# Enable enumeration of any of autodetected trusted domains. The supported
# values are:
# all
# All discovered trusted domains will be enumerated
# none
# No discovered trusted domains will be enumerated
# Optionally, a list of one or more domain names can enable enumeration
# just for those specific trusted domains.
#
# Default: none
subdomain_enumerate = none

# Seconds nss_sss should consider entries valid before asking the backend
# again. The cache expiration timestamps are stored as attributes of
# individual objects in the cache. Changing the cache timeout only has
# effect for newly added or expired entries. You should run the
# sss_cache(8) tool in order to force refresh of entries that have already
# been cached.
#
# Default: 5400
entry_cache_timeout = 5400

# The time in seconds nss_sss should consider user entries valid before
# asking the backend again
#
# Default: equal to entry_cache_timeout (5400)
entry_cache_user_timeout = 5400

# The time in seconds nss_sss should consider group entries valid before
# asking the backend again
#
# Default: equal to entry_cache_timeout (5400)
entry_cache_group_timeout = 5400

# The time in seconds nss_sss should consider netgroup entries valid before
# asking the backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_netgroup_timeout = 5400

# The time in seconds nss_sss should consider service entries valid before
# asking the backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_service_timeout = 5400

# The time in seconds nss_sss should consider hosts and networks entries
# valid before asking the backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_resolver_timeout = 5400

# The time in seconds sudo should consider rules valid before asking the
# backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_sudo_timeout = 5400

# The time in seconds the autofs service should consider automounter maps
# valid before asking the backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_autofs_timeout = 5400

# The time in seconds to cache a host key for
#
# Default: entry_cache_timeout (5400)
entry_cache_ssh_host_timeout = 5400

# The time in seconds to keep the local computer entry before asking the
# backend again
#
# Default: entry_cache_timeout (5400)
entry_cache_computer_timeout = 5400

# Specify how many seconds SSSD has to wait before triggering a background
# refresh task which will refresh all expired or nearly expired records.
# The background refresh will process users, groups and netgroups in the
# cache. For users who have performed the initgroups operation in the
# past[1], both the user entry and the group membership are updated.
# [1] get group membership for user, typically at login
#
# This option is automatically inherited for all trusted domains.
# If you want to set this value, consider setting it to
# 3/4 * entry_cache_timeout.
#
# Cache entry will be refreshed by the background task when 2/3 of cache
# timeout has already passed. If there are existing cached entries, the
# background task will refer to their original cache timeout values
# instead of current configuration value. This may lead to a situation in
# which the background refresh task appears to not be working. This is by
# design to improve offline mode operation and reuse of existing valid
# cache entries. To make this change instant, the user may want to
# manually invalidate existing cache. See sss_cache(8) for more details
# on how to manipulate the SSSD cache
#
# Default: 0 (disabled)
refresh_expired_interval = 0

# Determine if user credentials are also cached in the local LDB cache.
# The cached credentials refer to passwords, including the first
# (long term) factor of two-factor authentication, but not other
# authentication mechanisms. Passkey and Smartcard authentications are
# expected to work offline as long as a successful online authentication
# is recorded in the cache without additional configuration.
#
# NOTE: While credentials are stored as a salted SHA512 hash, caching
# the credentials can still potentially pose some security risk
# in the case an attacker manages to get access to a cache file
# and brute force attack a password against the cache. Access to
# a cache file normally requires privileged access.
#
# Default: False
cache_credentials = False

# Determine the minimal length the first authentication factor (long term
# password) must have to be saved as SHA512 hash into the cache, provided
# 2-Factor-Authentication (2FA) is used and credentials are configured to
# be cached.
# Setting this value avoids the security trouble that any short PINs in a
# PIN-based 2FA scheme are saved in the cache. If they were to be saved, it
# would make them easy targets for brute-force attacks.
#
# Default: 8
cache_credentials_minimal_first_factor_length = 8

# Number of days entries are left in cache after last successful login.
# After this limit, entries are removed from the cache. Set to 0 for
# unlimited days. The value of this parameter must be greater than or
# equal to offline_credentials_expiration.
# Default: 0 (unlimited)
account_cache_expiration = 0

# Display a warning N days before the password expires. If set to zero
# then this filter is not applied. But, if the expiration warning is
# received from a backend server, it will automatically be displayed.
#
# NOTE: The backend server has to provide information about the
# expiration time of the password. If this information is missing,
# sssd cannot display a warning. Also, to use this feature, an auth
# provider has to be configured for the backend.
#
# Default: 7 (Kerberos), 0 (LDAP)
pwd_expiration_warning = 7

# The identification provider used for the domain.
# Supported ID providers are:
# proxy: Support a legacy NSS provider.
# files: FILES provider. See sssd-files(5) for more information
# on how to mirror local users and groups into SSSD.
# ldap: LDAP provider. See sssd-ldap(5) for more information on
# configuring LDAP as a provider.
# ipa: FreeIPA and Red Hat Identity Management provider. See
# sssd-ipa(5) for more information on configuring FreeIPA
# as a provider.
# ad: Active Directory provider. See sssd-ad(5) for more
# information on configuring Active Directory as a provider.
#
# Default: #7335
id_provider = ad

# Use the full name and domain as the login name of the user reported to
# NSS. The format of the login name is described by the full_name_format
# option for the specific domain
# If set to True, all requests to this domain must use fully qualified
# names. For example, if used in LOCAL domain that contains a "test" user,
# getent passwd test would not find the user while getent passwd test@LOCAL
# would.

# NOTE: This option has no effect on netgroup lookups due to their
# tendency to include nested netgroups without qualified names.
# For netgroups, all domains will be searched when an unqualified
# name is requested.
#
# Default: False (True for trusted domain/sub-domains or if default_domain_suffix is used)
use_fully_qualified_names = True

# Decide if SSSD returns group members for group lookups.
#
# If set to TRUE, the group membership attribute is not requested from the
# ldap server and group members are not returned when processing group
# lookup calls, such as getgrnam(3) or getgrgid(3). As a result,
# "getent group $groupname" would return the requested group as empty.
#
# Enabling this option is used for faster access provider checks for group
# membership. This is especially true for groups containing many members.
#
# This option can be also set per subdomain or inherited via subdomain_inherit.
#
# Default: False
ignore_group_members = False

# The authentication provider used for the domain. Supported auth providers
# are:
# ldap: Used for native LDAP authentication. See sssd-ldap(5) for more
# information on configuring this provider.
# krb5: Used for Kerberos authentication. See sssd-krb5(5) for more
# information on configuring this provider.
# ipa: FreeIPA and Red Hat Identity Management provider. See sssd-ipa(5)
# for more information on configuring this provider.
# ad: Active Directory provider. See sssd-ad(5) for more information on
# configuring this provider.
# proxy: Used for relaying authentication to some other PAM target.
# none: Disables authentication explicitly.
#
# Default: the value of "id_provider", if set and can handle authentication requests.
auth_provider = ad

# The access control provider used for the domain. Supported control
# provider backends are:
#
# permit: Always allow access. This is also the only permitted access
# provider used when connected to a local domain.
# deny: Always deny access.
#
# permit and deny are two built-in access providers, in addition to any
# included in installed backends.
#
# ldap: Use the LDAP provider to get access control. See sssd-ldap(5)
# for more information on configuring this provider.
# krb5: .k5login based access control. See sssd-krb5(5) for more
# information on configuring this provider.
# ipa: FreeIPA and Red Hat Identity Management provider. See
# sssd-ipa(5) for more information on configuring this provider.
# ad: Active Directory provider. See sssd-ad(5) for more information
# on configuring this provider.
# simple: Access control based on access or deny lists. See sssd-simple(5)
# for more information on configuring this provider.
# proxy: Access provider for relaying access control to another PAM module.
#
# Default: permit
access_provider = ad

# The provider which should handle change password operations for the
# domain. Supported change password providers are:
#
# none: Disallow password changes explicitly.
# ldap: Use the LDAP provider to change a password stored in a LDAP
# server. See sssd-ldap(5) for more information on configuring
# this provider.
# krb5: Use the Kerberos provider to change the Kerberos password. See
# sssd-krb5(5) for more information on configuring this provider.
# ipa: FreeIPA and Red Hat Identity Management provider. See
# sssd-ipa(5) for more information on configuring this provider.
# ad: Active Directory provider. See sssd-ad(5) for more information
# on configuring this provider.
# proxy: Use this provider to relay password changes to some other PAM
# target.
#
# Default: Use the value of auth_provider, provided it is set and can
# handle change password requests.
chpass_provider = ad

# The SUDO provider used for the domain. Supported SUDO providers are:
#
# none: Disable users invoking SUDO explicitly.
# ldap: Use the LDAP provider to retrieve rules stored in LDAP. See
# sssd-ldap(5) for more information on configuring LDAP.
# ipa: Use the FreeIPA and Red Hat Identity Management provider to
# retrieve sudo rules. See sssd-ipa(5) for more information on
# configuring this provider.
# ad: Active Directory provider. See sssd-ad(5) for more information
# on configuring this provider.
#
# The detailed instructions for configuration of sudo_provider are in
# the manual page sssd-sudo(5). There are many configuration options
# that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5).
#
# NOTE: Sudo rules are periodically downloaded in the background
# unless the sudo provider is explicitly disabled.
# Set sudo_provider = none to disable all sudo-related
# activity in SSSD.
#
# Default: Use the value of id_provider, if set.
sudo_provider = ad

# The provider which should handle loading of SELinux settings. Supported
# SELinux providers are:
#
# none: disallows fetching SELinux settings explicitly.
# ipa: Load selinux settings from an IPA server. See sssd-ipa(5) for
# more information on configuring this provider.
#
# NOTE: This provider will be called right after the access
# provider.
#
# Default: Use the value of id_provider, if set and can handle SELinux
# loading requests. #7336
## selinux_provider = none

# The provider which should handle fetching of subdomains. Supported
# subdomain providers are:
#
# none: Disallow fetching subdomains explicitly.
# ipa: Load the list of subdomains from a configured IPA server.
# See sssd-ipa(5) for more information on configuring IPA.
# ad: Load the list of subdomains from a configured Active Directory
# server. See sssd-ad(5) for more information on configuring the
# AD provider.
#
# NOTE: This value should be always the same as id_provider.
#
# Default: Use the value of id_provider, if set.
subdomains_provider = ad

# The provider which configures and manages user session related tasks.
# The only user session task currently provided with this options is the
# integration with Fleet Commander, a tool to manage and deploy desktop
# profiles across large networks under FreeIPA or Active Directory.
# https://fleet-commander.org/ for more information.
# Supported session providers are:
#
# none: does not perform any kind of user session related tasks.
# ipa: Allow performing user session related tasks. See sssd-ipa(5)
# for more information on configuring IPA.
#
# NOTE: In order to have this feature working as expected,
# SSSD must be running as root.
#
# Default: Use the value of id_provider, if set and can perform
# session-related tasks.
session_provider = none

# The autofs provider used for the domain. Supported autofs providers are:
#
# none: Disable the autofs provider explicitly.
# ldap: Use the LDAP provider to load maps stored in LDAP. See
# sssd-ldap(5) for more information on configuring LDAP.
# ipa: Use the FreeIPA and Red Hat Identity Management provider to
# load maps stored in an IPA server. See sssd-ipa(5) for more
# information on configuring the IPA provider.
# ad: Use the Active Directory provider to load maps stored in an AD
# server. See sssd-ad(5) for more information on configuring the
# AD provider.
#
# Default: Use the value of id_provider, if set.
autofs_provider = ad

# The provider used for retrieving host identity information. Supported
# hostid providers are:
#
# none: Disable retrieving hostid information explicitly.
# ipa: Use the FreeIPA and Red Hat Identity Management provider to
# load host identity stored in an IPA server. See sssd-ipa(5)
# for more information on configuring the IPA provider.
#
# Default: Use the value of id_provider, if set.
hostid_provider = none

# The provider which should handle hosts and networks lookups. Supported
# resolver providers are:
#
# none: Disallow fetching hosts and networks explicitly.
# proxy: Forward lookups to another NSS library.
# See "proxy_resolver_lib_name" !!!! #7337 !!!!
# ldap: Use the LDAP provider to fetch hosts and networks stored in
# LDAP. See sssd-ldap(5) for more information on configuring the
# LDAP provider.
# ad: Use the Active Directory provider to fetch hosts and networks
# stored in AD. See sssd-ad(5) for more information on configuring
# the AD provider.
#
# Default: Use the value of id_provider, if set.
resolver_provider = ad

# Regular expression for this domain that describes how to parse the string
# containing user name and domain into these components. The "domain" can
# match either the SSSD configuration domain name or, in the case of IPA
# trust subdomains and Active Directory domains, the flat (NetBIOS) name
# of the domain.
#
# Default: ^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$
# This allows two different styles for user names:
# * username
# * username@domain.name
#
# Default for the AD and IPA provider:
# ^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$
# This allows three different styles for user names:
# * username
# * username@domain.name
# * domain\username
#
# The first two correspond to the general default. The third expression is
# introduced to allow easy integration of users from Windows domains.
# The default re_expression uses the '@' character as a separator between
# the name and the domain. As a result of this setting, the default
# expression does not accept the '@' character in short names, as it is
# allowed in Windows group names. If a user wishes to use short names
# which include the '@' character, they must create their
# own re_expression.
#
# If not set, re_expression depends on the type of backend provider used.
## re_expression =

# A printf(3)-compatible format string that describes how to compose a
# fully qualified name from user name and domain name components.
# The following expansions are supported:
# %1$s: user name
# %2$s: domain name as specified in the SSSD config file.
# %3$s: domain flat name. Mostly usable for Active Directory
# domains, both directly configured or discovered via IPA
# trusts.
#
# Default: %1$s@%2$s
full_name_format = %1$s@%2$s
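
To see how re_expression and full_name_format interact, the Python below (an added example, not SSSD code) applies the two default expressions quoted above and then re-composes the result with a printf-style format. Python's re module does not accept the duplicate group names the PCRE patterns use, so the groups are numbered and coalesced after matching; the login strings, the configuration domain and the flat name are constructed.

```python
import re

# The re_expression defaults quoted above. Python's re module rejects a
# group name that is used twice in one pattern, while the PCRE engine SSSD
# uses allows it, so the duplicate <name>/<domain> groups are numbered here
# and coalesced after matching; the set of accepted strings is unchanged.
GENERIC_RE = re.compile(r"^((?P<name1>.+)@(?P<domain1>[^@]*)|(?P<name2>[^@]+))$")
AD_IPA_RE = re.compile(
    r"^(((?P<domain1>[^\\]+)\\(?P<name1>.+))"
    r"|((?P<name2>.+)@(?P<domain2>[^@]+))"
    r"|((?P<name3>[^@\\]+)))$"
)


def split_name(login, pattern=GENERIC_RE):
    """Return (name, domain) for a login string; domain is None if unqualified.

    Returns None when re_expression does not match at all.
    """
    m = pattern.match(login)
    if m is None:
        return None
    found = m.groupdict()
    name = next(v for k, v in found.items() if k.startswith("name") and v is not None)
    domain = next((v for k, v in found.items() if k.startswith("domain") and v is not None), None)
    return name, domain


def compose_full_name(name, domain, flat_name="", fmt="%1$s@%2$s"):
    """Apply a printf-style full_name_format (%1$s name, %2$s domain, %3$s flat name)."""
    # protect literal braces, then turn positional printf directives into
    # str.format fields; anything else in the format string is copied as-is
    template = fmt.replace("{", "{{").replace("}", "}}")
    template = re.sub(r"%([123])\$s", lambda m: "{%d}" % (int(m.group(1)) - 1), template)
    return template.format(name, domain, flat_name)


def canonical_login(login, config_domain, pattern=GENERIC_RE, fmt="%1$s@%2$s", flat_name=""):
    """Parse a login with re_expression, then re-compose it with full_name_format.

    An unqualified name gets the configured domain; a string that does not
    match re_expression yields None (the lookup would not be answered).
    """
    parts = split_name(login, pattern)
    if parts is None:
        return None
    name, domain = parts
    return compose_full_name(name, domain or config_domain, flat_name, fmt)


if __name__ == "__main__":
    # constructed inputs: a short name, a UPN-style name, a NetBIOS-style name
    # and a short name containing '@'
    for login in ("alice", "alice@example.com", "EXAMPLE\\alice", "we@ird"):
        print(login, "->", split_name(login), "|", split_name(login, AD_IPA_RE))
    print(canonical_login("EXAMPLE\\alice", "example.com", AD_IPA_RE, "%3$s\\%1$s", "EXAMPLE"))
```

Two results are worth reading off: under either default a short name containing '@' is split at the '@' and treated as user@domain, which is the behaviour the note above warns about, and DOMAIN\user is only split under the AD/IPA default; the generic default swallows the whole string as an unqualified name.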

# Choose the preferred address family to use when performing DNS lookups.
# Supported values:
#
# ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
# ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
# ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
# ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
#
# Default: ipv4_first
lookup_family_order = ipv4_first

# Milliseconds SSSD would try to talk to a DNS server
# before trying the next DNS server.
#
# #7340
#
# NOTE: If you use the AD provider, it will use this option for the
# CLDAP ping timeouts as well
# milliseconds are 10^-3
#
# See section FAILOVER for more information about service resolution.
#
# Default: 1000
dns_resolver_server_timeout = 1000

# Seconds to wait to resolve a single DNS query before trying
# the next DNS hostname or next DNS server in host
# discovery.
#
# See section FAILOVER for more information about service resolution.
#
# Default: 3
dns_resolver_op_timeout = 3

# Seconds to wait for a reply from the internal fail over service before
# assuming that the service is unreachable. If this timeout is reached,
# the domain will continue to operate in offline mode.
#
# See section FAILOVER for more information about service resolution.
#
# Default: 6
dns_resolver_timeout = 6

# Configure use of the DNS resolver. The DNS resolver searches the domain
# list defined in the "search" directive from the resolv.conf file. This
# can lead to delays in environments with improperly configured DNS.
# If fully qualified domain names or srv records are used in the SSSD
# configuration, setting this option to FALSE will prevent using the
# DNS resolver in such environments and prevent delays.
#
# Default: True
dns_resolver_use_search_list = True

# Specify the domain SSSD should use, if service discovery is used in the
# back end.
#
# #7341
#
# Default: Use the domain part of the hostname of the machine
## dns_discovery_domain =

# Override the primary GID value with the one specified.
#
# Default: -
## override_gid =

# Treat user and group names as case sensitive. Possible option values are:
# True: Case sensitive. This value is invalid for AD provider.
# Using this provider, user and group names are turned to
# lowercase.
# False: Case insensitive.
# Preserving: Same as False (case insensitive), but does not lowercase
# user and group names as the result of an NSS operation.
#
# NOTE 1: Regardless of the value used, name aliases, services and
# protocol names are lowercased.
#
# NOTE 2: If you have a trusted domain provided by IPA, and you want
# to set this value in any way, you need to set it to the
# same value both in this client and in the SSSD on the IPA
# server.
#
# This option can be also set per subdomain or inherited via
# the option subdomain_inherit.
#
# Default: False for AD provider, True for all others.
case_sensitive = False

# Comma-separated list of configuration parameters which should be
# inherited by any subdomain. The following parameters are those allowed
# to be inherited, currently:
# ldap_search_timeout
# ldap_network_timeout
# ldap_opt_timeout
# ldap_offline_timeout
# ldap_enumeration_refresh_timeout
# ldap_enumeration_refresh_offset
# ldap_purge_cache_timeout
# ldap_purge_cache_offset
# ldap_krb5_keytab FIXME FIXME FIXME (the value of krb5_keytab will be used if ldap_krb5_keytab is not set explicitly)
# ldap_krb5_ticket_lifetime
# ldap_enumeration_search_timeout
# ldap_connection_expire_timeout
# ldap_connection_expire_offset
# ldap_connection_idle_timeout
# ldap_use_tokengroups
# ldap_user_principal
# ignore_group_members
# auto_private_groups
# case_sensitive
#
# Example:
# subdomain_inherit = ldap_search_timeout,ldap_network_timeout,
# ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,
# ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,
# ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,
# ldap_enumeration_search_timeout,ldap_connection_expire_timeout,
# ldap_connection_expire_offset,ldap_connection_idle_timeout,
# ldap_use_tokengroups,ldap_user_principal,ignore_group_members,
# auto_private_groups,case_sensitive
#
# NOTE: This option is available only if the provider is the IPA or the AD provider.
#
# Default: none
## subdomain_inherit = ldap_search_timeout,ldap_network_timeout,ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,ldap_enumeration_search_timeout,ldap_connection_expire_timeout,ldap_connection_expire_offset,ldap_connection_idle_timeout,ldap_use_tokengroups,ldap_user_principal,ignore_group_members,auto_private_groups,case_sensitive

# Set the default value for all subdomains within this domain.
# You can either provide an absolute path or printf(3)-like template.
# In the template, the same sequences are substituted, as
# in override_homedir:
#
# %u : Login name
# %U : UID number
# %d : Domain name
# %f : Fully qualified user name (user@domain)
# %l : The first letter of the login name
# %P : UPN - User Principal Name (user@REALM or user@domain)
# %o : The original home directory retrieved from the identity provider.
# %h : The original home directory retrieved from the identity provider, but in lower case.
# %H : The value of configure option homedir_substring.
# %% : A literal '%'
#
# In subdomain_homedir, you can additionally use:
# %F : flat (NetBIOS) name of a subdomain.
#
# NOTE: If set, this value can be overwritten by the value of the
# override_homedir option.
#
# Default: /home/%d/%u
subdomain_homedir = /data/posit/home/%u

# Various tags stored by the realmd configuration service for this domain.
# Default: -
## realmd_tags =

# Seconds since last successful online authentication during which cached
# credentials can be used to authenticate a user while SSSD is in offline
# mode. If the credentials are incorrect, SSSD tries to go back to online
# mode and connect upstream to retry authenticating the user.
#
# #7351
#
# This value is inherited by all trusted domains. At the moment it is not
# possible to set a different value per trusted domain.
#
# Set to 0 to disable
#
# NOTE: If "cached_auth_timeout" is longer than "pam_id_timeout", the
# backend could be called to handle "initgroups."
#
# Default: 0 (disabled)
cached_auth_timeout = 0

# Local-to-this-particular-system user authentication methods policy.
#
# Some backends (LDAP, proxy) support only a password-based authentication
# while others can handle
# * PKINIT-based Smartcard authentication (AD, IPA)
# * two-factor authentication (IPA)
# * or other methods against a central authority.
#
# In such cases, authentication is only performed with the methods supported by the backend.
#
# There are three possible values for this option
# match: Used to match offline and online states for Kerberos methods.
# only: Ignore the online methods and only offer the local ones.
# enable: Explicitly define the methods for local authentication. E.g.:
# "enable:passkey" enables passkey for local authentication, only.
# Multiple enable values must be comma-separated:
# "enable:passkey,enable:smartcard"
#
# #7352
#
# NOTE: Smartcard authentication can take higher precedence than the
# authentication methods supported by the backend. If that happens,
# user will be prompted for a PIN instead of a password prompt.
# This depends on:
# 1. Enabling local Smartcard authentication as a provider
# 2. A Smartcard is present in a Smartcard reader
#

# The following configuration example allows local users to authenticate
# locally using any enabled method (i.e. smartcard, passkey).
#
# [domain/shadowutils]
# id_provider = proxy
# proxy_lib_name = files
# auth_provider = none
# local_auth_policy = only
#
# The "files" provider ignores the local_auth_policy option and supports
# Smartcard authentication, by default.
#
# Default: match
local_auth_policy = match

# Handle the way private groups are created for ??? primary description of option missing ???
# There are environments that wish to stop maintaining ??? (this needs fleshing out and rewording) a separate
# group objects for the user private groups ??? , but also wish to retain the existing user private groups ??? where do these private groups come from ???
#
# There are three available values:
#
# true: Create the private group of a user ??? unconditionally ???,
# using the UID number of the user as the private GID.
# Essentially, this creates a separate group for the specific
# user, much like users ??? in Linux ??? have the same uid/gid.
# The GID number ??? provided by who ??? is ignored in this case.
# ??? Whose GID number ???
#
# NOTE: Because the GID number and the user private group are
# inferred from the UID number, a user cannot have multiple
# ??? entries where ??? entries with the same UID or GID
# when using this option: Enabling this option enforces
# uniqueness across the ??? which ID ??? ID space.
#
# false: Always use the primary GID number ??? PROVIDED BY WHO ??? of
# the user. The ??? PROVIDED BY WHO? resulting? effective ???
# ??? GID number must refer to a group object in the LDAP database. ??? ??? is this option used in LDAP only? ???
#
# hybrid: Autogenerate a primary group for those user entries where UID
# and GID numbers must have the same value, but the GID number
# does not correspond to a ??? (are there fake group objects)
# real ??? group object in LDAP.
# If the primary GID of the user matches to a group object in
# LDAP, set the primary GID of the user to the LDAP group object
#
# If the ??? LDAP provided ??? UID and GID of a user are different
# then the GID must correspond to a group entry ??? Where ???.
# If the GID does not correspond ??? to a group entry in LDAP ???
# then the GID is simply not resolvable ??? what does this mean? What are the consequences ???
#
# The value of auto_private_groups can either be set per subdomains in a
# separate subsection, for example:
#
# [domain/forest.domain/sub.domain]
# auto_private_groups = false
#
# or globally for all subdomains in the main forest domain section using
# the subdomain_inherit option:
#
# [domain/forest.domain]
# subdomain_inherit = auto_private_groups
# auto_private_groups = false
#
# Default: False for subdomains which use ??? what are assigned POSIX IDs??? assigned POSIX IDs; True for subdomains which use automatic ID-mapping.
auto_private_groups = False

# The proxy target PAM proxies to. ??? please expand and give references ??
#
# ??? Under what conditions would one use this option ??
#
# If set, you have to assign an existing pam configuration or create a new
# one and add the service name here. As an alternative, you can enable local
# authentication with the local_auth_policy option.
# ??? fleshing out, maybe example? ???
#
# Default: Not set by default.
## proxy_pam_target =

# The name of the NSS library to use in proxy domains. The NSS functions
# searched for in the library are in the form of
# _nss_$(libName)_$(function). For example, _nss_files_getpwent .
#
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/domain_configuration_options-configuring_a_proxy_domain#:~:text=A%20proxy%20with%20SSSD%20is,not%20be%20able%20to%20use
# Specify which existing NSS library to proxy identity requests through ??? more fleshing out would be nice, even if its from RedHat docs ???
# The proxy library is loaded using the proxy_lib_name parameter. ??? why do we want to do that ???
#
# Default: Not set by default.
## proxy_lib_name =

# The name of the NSS library to use for hosts and networks lookups in
# proxy domains. The NSS functions searched for in the library are in
# the form of _nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r.
#
# ??? Why would a sysadmin want to set this? what is the use case? what are the consequences ???
# ??? Maybe make a small section to explain? or point to the relevant places in the sssd-proxy ???
#
# Default: Not set by default
## proxy_resolver_lib_name =

# When looking up a user or group by name in the proxy provider, a second
# lookup by ??? what type of ??? ID is performed. We ask the provider if
# the name of the user or the group submitted is the primary name/object or
# an alias. If it is an alias, we retrieve the primary name/object.
# Setting this option to true would cause the SSSD to perform the ??? ID
# lookup from cache for performance reasons. ??? rewording? expanding?
#
# Default: False
proxy_fast_alias = False

# Specify the number of pre-forked proxy children when using the proxy
# provider. Useful for high-load SSSD environments where sssd may run out
# of available child slots ??? what is a child slot ???. ??? Allowing too many
# forks would cause issues, either due to blocking or resource contention. ???
#
# Default: 10
proxy_max_children = 10

# [Application domains]

# each section can have a 'description' variable
# description = "The Application domains SSSD daemon configuration section"

# SSSD utilizes the Linux system D-Bus[1], via its D-Bus
# interface ( sssd-ifp(5) ). As such, SSSD can be used to proxy any
# D-Bus-enabled application to any of the authentication and authorization
# mechanisms available to SSSD.
#
# SSSD, as a Linux-based application, uses POSIX attributes to match
# users and file ownership, meaning, it utilizes User IDs (uid) and Group
# IDs (gid). For applications which have their own, non-POSIX compliant
# user management system, SSSD can be configured as a bridge between the
# app and POSIX. That is done either by inferring the uid/gid in the case
# of the AD provider or by creating the required POSIX attributes and
# keeping track of them.
#
# This is where application domains come into play: The system administrator
# can configure a section for the specific application and can proxy calls
# to AD or LDAP, for example, even if the original application is unaware
# of such. The administrator can either configure the application by itself
# or have it inherit properties from a domain. Application domain are
# defined as [application/NAME_OF_APPLICATION] . We will explain domain
# property inheritance through the following example:
#
# [sssd]
# description = "Partial, relevant SSSD configuration"
# domains = appdom, posixdom
#
# [ifp]
# description = "sssd-ipf(5) is the Linux D-Bus provider"
# user_attributes = +phone
#
# [domain/posixdom]
# description = "definition and properties for domain posixdom. This domain uses POSIX attributes such as uid, gid and extended groups the user may be part of"
# id_provider = ldap
# ldap_uri = ldap://ldap.example.com
# ldap_search_base = dc=example,dc=com
#
# [application/appdom]
# description = "definition of the application domain appdom. This appilcation domain inherits the properties of the posixdom domain via the inherit_from property"
# inherit_from = posixdom
# ldap_user_extra_attrs = phone:telephoneNumber
#
# In this setup, we have two domains:
# 1. One authentication domain using LDAP ( [domain/posixdom] )
# 2. One application domain ( [application/appdom] )
#
# SSSD listens?subscribes? to the D-Bus for calls from the appdom
# application, proxies authentication connections
# to ldap://ldap.example.com and returns the relevant information to the
# application. In addition, SSSD requests the telephoneNumber LDAP attribute
# and stores it as the phone attribute in the ??? which cache ??? cache. SSSD
# then makes the phone attribute accessible to the application via D-Bus. As
# long as you know what is the name of the property the application requests,
# the application can retrieve the value of the property through the D-Bus
# interface.
#
# NOTE: If you set up an application domain, you must explicitly
# declare it in the [sssd] "domains" parameter. Not declaring
# the application domain will confuse the lookup order between
# the application domain and its POSIX parent domain. ??? is set correctly ??? clarify please
#
# ??? it is unclear how SSSD matches +phone to phone:telephoneNumber, since the two properties do not have the same name . ??? please expand
# ??? it is also unclear how SSSD manages non-POSIX applications, especially the persistence of any translated values ??? please expand
# ??? Also unclear: does SSSD force POSIX translation, or just proxies the connection ???
#
# For more information, see sssd-ifp(5)
#
# All authorization domain properties can be inherited into an application
# domain. That is done via the inherit_from application domain parameter:
#
# inherit_from (string)
#
# The SSSD authorization domain the application domain inherits all
# settings from. The system administrator can further configure additional
# application domain properties to the application domain. Any application
# domain properties provided will either augment or override the parent
# domain properties.
#
# Default: Not set
#
# References:
# [1] D-Bus: https://www.freedesktop.org/wiki/Software/dbus/
# [2] POSIX standard: https://posix.opengroup.org/docs/base-2003.html
# https://posix.opengroup.org/docs/base-2016.html

# TRUSTED DOMAINS
#
# A trusted domain is an Active Directory domain that establishes trust
# relationships with other AD domains, allowing users in one domain to
# access resources in another. It is Microsoft Windows Server terminology
# and has been a technology available ever since Windows Server ??? 2006 ???.
# Specifically, an Active Directory forest is the highest-level logical
# container in an Active Directory setup, housing domains, users, computers
# and group policies[1]. SSSD allows you to replicate that behavior
# of Microsoft Server, so that a sysadmin can offer similar authentication
# and authorization services under Linux. Active Directory is LDAP, Kerberos
# and SMB/CIFS combined. In Linux, SSSD brings all those protocols together.
# Let's go through an example:
#
# Let us assume you are the system administrator in charge of a media
# company that owns multiple media outlets. Each media outlet is distinct
# but the IT storage is shared between multiple editors and journalists
# in each individual media outlet. Let us name the media company Linux Tech Tips.
# The media outlets under that company are named idropthings.foo and
# destroyhardware.bar. As a system administrator, you can define a
# domain and the individual trusted domains in SSSD for such a media company
# this way:
#
# [domain/linuxtechtips.bom]
# property1 = text1
# property2 = text2
# ...
#
# [domain/linuxtechtips.bom/idropthings.foo]
# property1_for_this_trusted_domain_only = text1
# property2_for_this_trusted_domain_only = text2
# ...
#
# [domain/linuxtechtips.bom/destroyhardware.bar]
# property1_for_this_trusted_domain_only = text1
# property2_for_this_trusted_domain_only = text2
# ...
#
# Most of the options in [domain/linuxtechtips.bom] are inherited both
# by [domain/linuxtechtips.bom/idropthings.foo] and by
# [domain/linuxtechtips.bom/destroyhardware.bar] .
# There are options, though, which can be used only in a trusted domain.
# Specifically, those are:
#
# * ldap_search_base
# * ldap_user_search_base
# * ldap_group_search_base
# * ldap_netgroup_search_base
# * ldap_service_search_base
# * ldap_sasl_mech
# * ad_server
# * ad_backup_server
# * ad_site
# * use_fully_qualified_names
# * pam_gssapi_services
# * pam_gssapi_check_upn
#
# There are
#
# For more details about these options see their individual description in this manual page.
#
# [1] For more information: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model
#
# ??? There needs to be more fleshing out how each trusted domain interacts with each other: do they just inherit properties or can you map the property of one trusted domain to another? ???
# ??? Also, more fleshing out needs to happen about inheritance ???
# ??? Also, all the above mentioned properties: are they specifically used in trusted domains or are they those properties which are explicitly inherited from the top/forest/base(?) domain? ???
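# The three inheritance paths documented above (subdomain_inherit for a
# trusted subdomain, inherit_from for an application domain, and the [sssd]
# domains declaration an application domain needs), worked through as an added
# example that is not SSSD's own code. The resolver follows only the rules the
# text states; SSSD's real provider defaults are not modelled. The sssd.conf
# fragment is constructed for the example.

```python
import configparser

# Constructed sssd.conf fragment: a forest domain, one trusted subdomain and
# two application domains, one of which is not declared in [sssd] domains.
SAMPLE_CONF = """
[sssd]
domains = appdom, linuxtechtips.bom

[domain/linuxtechtips.bom]
id_provider = ad
auto_private_groups = false
case_sensitive = False
ldap_search_timeout = 12
full_name_format = %1$s@%2$s
subdomain_inherit = auto_private_groups,case_sensitive

[domain/linuxtechtips.bom/idropthings.foo]
auto_private_groups = hybrid

[application/appdom]
inherit_from = linuxtechtips.bom
ldap_user_extra_attrs = phone:telephoneNumber

[application/orphanapp]
inherit_from = linuxtechtips.bom
"""

# Options sssd.conf(5) allows in subdomain_inherit (the list documented above).
SUBDOMAIN_INHERITABLE = {
    "ldap_search_timeout", "ldap_network_timeout", "ldap_opt_timeout",
    "ldap_offline_timeout", "ldap_enumeration_refresh_timeout",
    "ldap_enumeration_refresh_offset", "ldap_purge_cache_timeout",
    "ldap_purge_cache_offset", "ldap_krb5_keytab", "ldap_krb5_ticket_lifetime",
    "ldap_enumeration_search_timeout", "ldap_connection_expire_timeout",
    "ldap_connection_expire_offset", "ldap_connection_idle_timeout",
    "ldap_use_tokengroups", "ldap_user_principal", "ignore_group_members",
    "auto_private_groups", "case_sensitive",
}


def load_conf(text):
    """Parse sssd.conf text. Interpolation is disabled because values such
    as full_name_format contain literal '%' sequences."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_option(cfg, section, option):
    """Value SSSD would apply for option in section, or None when only the
    built-in default applies.

    A value set in the section itself wins. A trusted subdomain
    [domain/FOREST/SUB] then takes options named in the forest domain's
    subdomain_inherit. An application domain [application/NAME] takes every
    option of the domain named in inherit_from.
    """
    if cfg.has_option(section, option):
        return cfg.get(section, option)
    kind, _, rest = section.partition("/")
    if kind == "domain" and "/" in rest:
        parent = "domain/" + rest.split("/", 1)[0]
        inherited = _csv(cfg.get(parent, "subdomain_inherit", fallback=""))
        if option in inherited and cfg.has_option(parent, option):
            return cfg.get(parent, option)
        return None
    if kind == "application":
        parent = "domain/" + cfg.get(section, "inherit_from", fallback="")
        if cfg.has_option(parent, option):
            return cfg.get(parent, option)
    return None


def undeclared_application_domains(cfg):
    """Application domains missing from [sssd] domains; the NOTE above says
    this breaks the lookup order between the app domain and its parent."""
    declared = set(_csv(cfg.get("sssd", "domains", fallback="")))
    missing = []
    for section in cfg.sections():
        kind, _, name = section.partition("/")
        if kind == "application" and name not in declared:
            missing.append(name)
    return sorted(missing)


def invalid_subdomain_inherit(cfg, domain_section):
    """Entries of subdomain_inherit that sssd.conf(5) does not allow there."""
    listed = _csv(cfg.get(domain_section, "subdomain_inherit", fallback=""))
    return sorted(set(listed) - SUBDOMAIN_INHERITABLE)
```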

# [certificate mapping]

# each section can have a 'description' variable
# description = "The Certificate Mapping SSSD daemon configuration section"

# SSSD can be configured to allow authentication with smartcards and SSL/PEM
# certificates. In order to use such means of authentication, SSSD must be
# able to map either type of certificate (card, SSL) to a user. This is done
# in two ways:
# 1. Embed the full certificate in the LDAP object of the user
# ??? which attribute, specifically ??? ??? How does SSSD know which attribute to look up???
# 2. Direct SSSD to a certificate on disk or ??? other means ??? ( local override )
#
# When using smartcard authentication, one must use the full certificate. ??? what full certificate? please expand ???
# ??? is there a reason the 'S' in smartcard is capitalized ???
# ??? sss_ssh_authorizedkeys(8) does not exist ???
# ??? how sss_ssh_authorizedkeys(1) has anything to do with certs?
# please expand ???
# When using PAM for authentication, using a certificate might be
# cumbersome or not even possible. ??? How? Why is it mentioned here? what is the relevancy? ???
# ??? if such an ability is given, give reference(s) to relevant guides ???
#
# SSSD provides matching rules to map certificates to their respective
# users. This is done by creating a section
# [certmap/DOMAIN_NAME/RULE_NAME]
# In the case of our example media company, this would be
# [certmap/linuxtechtips.bom/fido_key_for_pod_bay_doors] ,
# given that a FIDO hardware key was required to access the pod bay doors.
#
# ??? What is the order of precedence? must the domain be declared before such a rule ???
# ??? Must the domain be joined for the rule to be applicable? what happens when we join and then leave the domain? is there a relevant error ???
#
# The "files" provider has some built-in special properties:
#
# * If maprule is not set for the specific rule, SSSD assigns the name
# of the matching user to maprule as RULE_NAME
# * If a maprule is used both ??? a single user name or a template like
# "{subject_rfc822_name.short_name}" must be in braces. Example:
# "(username)" or "({subject_rfc822_name.short_name})"
# ??? this makes no sense, please expand. Do you mean the maprule value matches both the username and the template name? ???
# ??? why is subject_rfc822_name mentioned here? what is short_name ? why does (username) have no braces? please expand ???
# * The file provider ignores the value of the "domains" option ??? How does that help? what are the side effects? ???
#
# To get an idea of the use cases for certificate matching, please take a
# look at the relevant design document "Matching and Mapping certificates"
# at https://sssd.io/design-pages/matching_and_mapping_certificates.html
#
# ??? Rules can be inherited and prioritized over other rules. For an example of how rules are
# inherited and prioritized, please see Example sub-section C in the EXAMPLES section ???
#
# SSSD certificate matching sections utilize the following options to
# facilitate matching:
# ??? can these properties be used more than once per section? or one rule per user? ???

# Process only the certificates in the smartcard which match this
# rule(???s???) . All other certificates are ignored.
# Default: KRB5:clientAuth : Process only certificates which have the
# Extended Key Usage (EKU) "clientAuth"
#
#
## matchrule =

# Tell SSSD how to match each user with each certificate. Providers
# supported are either LDAP-based providers (ldap, AD or IPA) or the
# files provider.
#
# For the LDAP-based providers, SSSD searches the provider for a specific
# LDAP value. For the files provider, SSSD searches the disk? path? section?
# for RULE_NAME to match the provided certificate with the user. ??? is this correct ???
#
# Default:
#
# * LDAP:(userCertificate;binary={cert!bin}) for the LDAP-based providers
# * The RULE_NAME for the "files" provider which tries to find a user with the same name.
# ??? "which tries to find a user with the same name" this needs expanding ???
#
## maprule =

# Comma separated list of domain names the rule should be applied for.
# By default, a rule is only valid in the ??? domain | is this supposed to be singular? ??? configured in sssd.conf.
# If the provider supports subdomains, this option is inherited to all subdomains, trusted and otherwise ??? check validity of statement ???.
#
# Default: the configured domain in [sssd], contained in the domains property value
## domains =

# Define rule priority ??? over other rules ???, by assigning an
# unsigned integer value. Priority is given to the rule with the smallest
# value: The higher the number, the lower the priority. "0" stands for the
# highest priority while "4294967295" ( MAX_UINT ) is the lowest.
# ??? kind of counter-intuitive, but ok ???
#
# Default: the lowest priority ??? expand please: ???
# ??? what happens if sysadmin gives two rules the same priority ???
# ??? what happens if sysadmin forgets to assign a rule priority ???
## priority =

# [prompting configuration]

# each section can have a 'description' variable
# description = "The section where we tell the SSSD daemon how to prompt users for authentication"

# You can configure the prompt SSSD presents to the user, both for a password
# prompt and for a two-factor authentication (2FA) prompt. ??? That way you
# can insert unique signatures in your prompt ??? What is the reason to do so?
#
# To configure the prompt for each type of authentication, you have to set
# either [prompting/password] or [prompting/2fa] . Each section supports
# the following options:
#
# [prompting/password]
# # Configure the prompt shown ??? to who? how? ??
# password_prompt =
#
# [prompting/2fa]
# # Change the string of the prompt for the first factor ??? what does that look like to the user? who does the prompting? ???
# first_prompt =
# # Change the string of the prompt for the second factor ??? what does that look like to the user? who does the prompting? ???
# second_prompt =
# # Enable or disable a single, unified prompt for both the first and the
# # second factor. If set to True, there will be only a single prompt.
# # That prompt will use the value of first_prompt. The user is
# # expected to enter both factors as a single string.
# ??? EXAMPLE: How will the user do that? What will it look like to the user? how does the user separate the password from the 2FA token? ???
# single_prompt =
#
# ??? Please note that both factors have to be entered here, even if the second factor is optional. ??? in the boolean value? please expand ???
# ??? If the second factor is optional and it should be possible to log in either only with the password or with both factors two-step prompting has to be used. ??? unclear. Rephrased below, please check validity: ???
# NOTE: When utilizing 2FA, [prompting/2fa].first_prompt and
# [prompting/2fa].second_prompt have to be set, regardless
# if the second factor is optional or not.
#
# The sysadmin can further tailor prompting per PAM service by adding a
# per-service subsection of the form
# [prompting/password/PAM_SERVICE_NAME]
# For example:
# [prompting/password/sshd]
# password_prompt = "Password prompting for the SSH daemon"
#
# ??? Check validity: This will change the password prompt for the SSH
# daemon from the PAM prompt "Password:" to
# "Password prompting for the SSH daemon" ???
#
# All services listed under /etc/pam.d/ are valid values.
#

# > If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists SSSD's PAM module pam_sss will ask SSSD to figure out which authentication methods are available for the user trying to log in. Based on the results pam_sss will prompt the user for appropriate credentials.
# I have no clue how to fit this in here and if it should even be here. Please help.

# [EXAMPLES]

# each section can have a 'description' variable
# description = "The example configuration section"

# In this section we will illustrate examples of various SSSD configurations
# using the built-in SSSD mechanisms and services. Specifically we have:
#
# A. Typical configurations
# Typical configurations include the minimal needed properties to allow
# users in a centrally-managed infrastructure to log into the computer the
# SSSD daemon is running on.
# 1. A typical SSSD configuration using the LDAP provider
# 2. A typical SSSD configuration using the AD provider
# If set to True, all requests to this domain must use fully qualified
# names. For example, if used in LOCAL domain that contains a "test" user,
# getent passwd test would not find the user while getent passwd test@LOCAL
# would.
# ----------------------------------------------------------------------
# Example:
# subdomain_inherit = ldap_search_timeout,ldap_network_timeout,
# ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,
# ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,
# ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,
# ldap_enumeration_search_timeout,ldap_connection_expire_timeout,
# ldap_connection_expire_offset,ldap_connection_idle_timeout,
# ldap_use_tokengroups,ldap_user_principal,ignore_group_members,
# auto_private_groups,case_sensitive
# ----------------------------------------------------------------------
# The following configuration example allows local users to authenticate
# locally using any enabled method (i.e. smartcard, passkey).
#
# [domain/shadowutils]
# id_provider = proxy
# proxy_lib_name = files
# auth_provider = none
# local_auth_policy = only
# ----------------------------------------------------------------------
# The value of auto_private_groups can either be set per subdomains in a
# separate subsection, for example:
#
# [domain/forest.domain/sub.domain]
# auto_private_groups = false
#
# or globally for all subdomains in the main forest domain section using
# the subdomain_inherit option:
#
# [domain/forest.domain]
# subdomain_inherit = auto_private_groups
# auto_private_groups = false
# ----------------------------------------------------------------------
# ??? fleshing out, maybe example? ???
# Default: Not set by default.
# proxy_pam_target =
# ----------------------------------------------------------------------
# searched for in the library are in the form of
# _nss_$(libName)_$(function). For example, _nss_files_getpwent .
# proxy_lib_name =
# proxy_resolver_lib_name =
# ----------------------------------------------------------------------
#
# 3. A typical SSSD configuration using the Kerberos provider
# 4. A typical SSSD configuration using the IPA provider
# 5. A typical SSSD configuration using the files provider
#
# B. Extended configurations
# 1. An extended SSSD configuration using the LDAP provider
# 2. A typical SSSD configuration using the AD provider
# 3. An extended SSSD configuration using the Kerberos provider
# Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
# Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default
# list
# pam_response_filter = ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
# 4. An extended SSSD configuration using the IPA provider
# 5. An extended SSSD configuration using the files provider
#
# C. Configurations with inheritance
# 1. SSSD configuration using the LDAP provider
# 2. SSSD configuration using the AD provider
# 3. SSSD configuration using the Kerberos provider
# 4. SSSD configuration using the IPA provider
# 5. SSSD configuration using the files provider
#
# D. Configurations using services
# Example:
## # pam_p11_allowed_services = +my_pam_service, -login
# This allows a custom PAM service name ("my_pam_service") and disables
# ----------------------------------------------------------------------
# # Example:
# p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
# or
# p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
# ----------------------------------------------------------------------
# Example:
# pam_gssapi_services = sudo, sudo-i
# ----------------------------------------------------------------------
# Example: Require access to SUDO services only for users which
# obtained their Kerberos tickets with a X.509 certificate
# pre-authentication (PKINIT)
# pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
# ----------------------------------------------------------------------
#
# 1. SSSD services configuration using the LDAP provider
# 2. SSSD services configuration using the AD provider
# 3. SSSD services configuration using the Kerberos provider
# 4. SSSD services configuration using the IPA provider
# The typical example is a FreeIPA domain where 'ldap_user_principal'
# is set to a not existing attribute name.
# 5. SSSD services configuration using the files provider
#
# E. Configuration using Application domains
# 1. SSSD configuration using the LDAP provider
# [sssd]
# description = "Partial, relevant SSSD configuration"
# domains = appdom, posixdom
#
# [ifp]
# description = "sssd-ifp(5) is the Linux D-Bus provider"
# user_attributes = +phone
#
# [domain/posixdom]
# description = "definition and properties for domain posixdom. This domain uses POSIX attributes such as uid, gid and extended groups the user may be part of"
# id_provider = ldap
# ldap_uri = ldap://ldap.example.com
# ldap_search_base = dc=example,dc=com
#
# [application/appdom]
# description = "definition of the application domain appdom. This application domain inherits the properties of the posixdom domain via the inherit_from property"
# inherit_from = posixdom
# ldap_user_extra_attrs = phone:telephoneNumber
# ----------------------------------------------------------------------
#
# 2. SSSD configuration using the AD provider
# 3. SSSD configuration using the Kerberos provider
# 4. SSSD configuration using the IPA provider
# 5. SSSD configuration using the files provider
#
# F. Configurations with Trusted Domains
# 1. SSSD Trusted Domains configuration using the LDAP provider
# 2. SSSD Trusted Domains configuration using the AD provider
# 3. SSSD Trusted Domains configuration using the Kerberos provider
# 4. SSSD Trusted Domains configuration using the IPA provider
# 5. SSSD Trusted Domains configuration using the files provider
#
# G. Configurations with Certificate Mapping
# 0. Small Introduction
# Further resources
# 1. SSSD Trusted Domains configuration using the LDAP provider
# 2. SSSD Trusted Domains configuration using the AD provider
# 3. SSSD Trusted Domains configuration using the Kerberos provider
# 4. SSSD Trusted Domains configuration using the IPA provider
# 5. SSSD Trusted Domains configuration using the files provider
#
# H. Configurations with 2FA and multi-factor authentication
# 0. Small Introduction
# Further resources
# 1. SSSD 2FA configuration using the LDAP provider
# 2. SSSD 2FA configuration using the AD provider
# 3. SSSD 2FA configuration using the Kerberos provider
# 4. SSSD 2FA configuration using the IPA provider
# 5. SSSD 2FA configuration using the files provider
#
#
# ----------------------------------------------------------------------
#
# A.1: A typical SSSD configuration using the LDAP provider
#
# The following example shows a typical SSSD config using the LDAP
# provider.
#
# [sssd]
# domains = LDAP
# services = nss, pam
# config_file_version = 2
#
# [nss]
# filter_groups = root
# filter_users = root
#
# [pam]
#
# [domain/LDAP]
# id_provider = ldap
# ldap_uri = ldap://ldap.example.com
# ldap_search_base = dc=example,dc=com
# auth_provider = krb5
# krb5_server = kerberos.example.com
# krb5_realm = EXAMPLE.COM
# cache_credentials = true
# enumerate = False
# min_id = 10000
# max_id = 20000
#
# In [sssd], we define a domain called LDAP, which has two services.
# We also explicitly set the version of the config file ??? because why ??? .
#
# In the [nss] section we filter the root user and the root group, so they
# will not be able to log in. The [pam] section has no properties ??? why not ???
#
# In the domain [domain/LDAP], we tell SSSD that it will be using the
# LDAP provider to ??? authenticate ??? users. We set the LDAP URI and
# give the string where the search base will take place. For authorization
# to sign into LDAP, we use a Kerberos token, hence the definition of a
# Kerberos server and a Kerberos realm. We instruct SSSD to cache any
# credentials it comes by and we tell it to not pre-enumerate all the
# object IDs in LDAP. Setting enumerate to True will certainly make the
# later access faster, but it will take a long time to go through the
# entire LDAP catalogue, especially since searching in LDAP is O(n).
# Lastly, we set the minimum and maximum user ID, 10000 and 20000,
# respectively.
#
# ??? What happens if we need to lower the value of min_id? ???
# ??? What happens if we need to increase the value of max_id? ???
# ??? Do we need to do some user renumbering?
#
# ----------------------------------------------------------------------
#
# F.4: SSSD Trusted Domains configuration using the IPA provider
# In this example we have an AD forest in order to demonstrate a
# parent-child relationship. The forest consists of two domains,
# ipa.com and ad.com. ad.com has a DNS subdomain, child.ad.com
#
# We want to use short domain names to save time in child.ad.com ??? to save time typing ???
#
# [domain/ipa.com/child.ad.com]
# use_fully_qualified_names = false
#
# ??? This example needs expansion, along with all inherited and trusted domains.
# ??? The following example shows configuration of IPA AD trust ??? not clear, please explain
#
#
# G.0: Configurations with Certificate Mapping
# The following example shows the configuration of a certificate mapping
# rule. The rule is valid for the configured domain "my.domain" and for
# the subdomains "your.domain". It uses the certificate from LDAP in
# the search filter ??? which causes what ???
#
#
# [certmap/my.domain/rule_name]
# matchrule = ^CN=My-CA,DC=MY,DC=DOMAIN$
# maprule = (userCertificate;binary={cert!bin})
# domains = my.domain, your.domain
# priority = 10
#
# ??? we need a second rule here to show priority. Please help me write a second one ???
# ----------------------------------------------------------------------

# SEE ALSO
#
# ??? maybe expand here what each man page contains? one line per man page ????
#
# sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5),
# sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
# sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
# sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
# sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5)

[domain/mydomain.on]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = MYDOMAIN.ON
realmd_tags = manages-system joined-with-adcli
fallback_homedir = /data/posit/home/%u
ad_domain = mydomain.on
ldap_id_mapping = True
#ad_gpo_map_service = +rstudio
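The A.1 and E.1 examples above cross-reference each other in a few ways that a misconfiguration breaks silently: every name in `domains =` under `[sssd]` needs a matching `[domain/...]` or `[application/...]` section, an `inherit_from` must point at a real domain, and `min_id` must sit below `max_id`. The following consistency checker is an added example, not part of the issue or of SSSD; it parses the ini-style file with Python's `configparser` and runs those checks over a constructed sample that copies A.1 and adds an application domain in the style of E.1, with one deliberate fault (a listed domain that has no section).

```python
"""Consistency checks for an sssd.conf (added example, not SSSD code)."""
import configparser
from typing import List

# Constructed sample: the A.1 LDAP example plus an E.1-style application
# domain. 'missing' is listed in [sssd] on purpose so the checker reports it.
SAMPLE_CONF = """
[sssd]
domains = LDAP, appdom, missing
services = nss, pam
config_file_version = 2
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
enumerate = False
min_id = 10000
max_id = 20000
[application/appdom]
inherit_from = LDAP
ldap_user_extra_attrs = phone:telephoneNumber
"""

def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # ini syntax, '#' or ';' comment lines, no inline comments
    cp = configparser.ConfigParser(comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=None,
                                   interpolation=None)
    cp.optionxform = str          # keep option names as written
    cp.read_string(text)
    return cp

def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text: str) -> List[str]:
    cp = parse_sssd_conf(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = []
    known = {s.split("/", 1)[1] for s in cp.sections()
             if s.startswith(("domain/", "application/"))}
    for dom in split_list(cp.get("sssd", "domains", fallback="")):
        if dom not in known:
            problems.append(f"[sssd] domains lists '{dom}' but no section defines it")
    for sec in cp.sections():
        if sec.startswith("domain/") and not cp.has_option(sec, "id_provider"):
            problems.append(f"[{sec}] has no id_provider")
        parent = cp.get(sec, "inherit_from", fallback=None)
        if parent and not cp.has_section(f"domain/{parent}"):
            problems.append(f"[{sec}] inherits from '{parent}' but [domain/{parent}] is absent")
        if cp.has_option(sec, "min_id") and cp.has_option(sec, "max_id"):
            lo, hi = cp.getint(sec, "min_id"), cp.getint(sec, "max_id")
            if lo >= hi:
                problems.append(f"[{sec}] min_id {lo} is not below max_id {hi}")
    return problems

if __name__ == "__main__":
    for p in check_sssd_conf(SAMPLE_CONF):
        print("WARN:", p)
```

Run it against a real `/etc/sssd/sssd.conf` by reading the file into `check_sssd_conf`; an empty list means the cross-references the A.1 and E.1 examples rely on are all satisfied.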

Not sure I understand what the problem is but, may this be related to #7449 ?

it's not a problem per se, but the default sssd distribution does not include an example sssd.conf, which I, as a sysadmin, can go through and read and get a quick-ish understanding of what is going on and how to configure a domain, before I dive into the man page.

This goes with my other submissions re: man pages (see tag man-pages): I said that I would come back and we could discuss all the proposed changes after I read through man(5) sssd.conf, which I did and god it was a headache. I also said that I would submit a sample sssd.conf which could be adapted to distribute, so fellow sysadmins can decide at the beginning if they should go through all 1500 lines or hit the man page. Imho, a UI (text or graphical) would help mitigate a lot of headaches for first-time users that want extensive configuration.

Edit: also there are things that need to be discussed in this one, too, with dups, maybe, marked with ??? ????

tl;dr: sample sssd.conf missing, submitted the one I made.