SSSD.CONF(5) NAME sssd.conf - SSSD ini, . . , : [] = 2 = 2,3 : ( ), ( : "TRUE/FALSE"). <<>> ("#") (";"). . description. . sssd.conf must be a regular file that is accessible only by the user used to run SSSD service or root. sssd.conf conf.d. conf.d , ".conf" ("."), SSSD sssd.conf. conf.d , sssd.conf. , sssd.conf. conf.d , ( ). , . (01_snippet.conf, 02_snippet.conf ) ( , ). , sssd.conf. . , debug_level ( ) SSSD . 0 9, . () . , SSSD . , "debug_level" "[sssd]" sssd, . "debug_level" , . "debug_level" ( , SSSD), << >>, sss_debuglevel(8). : 0, 0x0010: . , SSSD . 1, 0x0020: . , SSSD, , . 2, 0x0040: . , . 3, 0x0080: . , 2- ( ). 4, 0x0100: . 5, 0x0200: . 6, 0x0400: . 7, 0x1000: . 8, 0x2000: , . 9, 0x4000: . 9, 0x20000: . , , - , , . 10, 0x10000: libldb . . , , , : : 0x0270, , , . : 0x1310, , , , . : 1.7.0. : 0x0070 ( , ; <<2>> ) debug ( ) SSSD 1.14 debug_level debug. , debug_level. debug_timestamps ( ) . SSSD journald, . : true debug_microseconds ( ) . SSSD journald, . : false debug_backtrace_enabled ( ) . SSSD debug_level, 9, `min(0x0040, debug_level)` ( debug_level 0 1, ; -- 2). `logger == files` ( ). : true , SERVICE DOMAIN timeout ( ) - . , , . : . : 10 [sssd] SSSD SSSD, SSSD. , "". (, ) "[sssd]". services , sssd. , systemd, D-Bus. : nss, pam, ifp , sudo , autofs , ssh , pac . : <>. domains -- , . SSSD , -- SSSD . , . - ASCII, , . <> . re_expression () , , , . . ID . << >>. full_name_format () printf(3) , . : %1$s %2$s , SSSD. %3$s . Active Directory, , IPA. . << >>. monitor_resolv_conf ( ) , SSSD resolv.conf , DNS. : true try_inotify ( ) SSSD inotify . inotify, . inotify. <> : true , inotify. False . : , inotify. . krb5_rcache_dir () , SSSD Kerberos. __LIBKRB5_DEFAULTS__, SSSD libkrb5 . : . (__LIBKRB5_DEFAULTS__, ) default_domain_suffix () Please note that this option is deprecated and domain_resolution_order should be used. . , , . , . Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. 
user@domain.name, to log in. Setting this option changes default of use_fully_qualified_names to True. It is not allowed to use this option together with use_fully_qualified_names set to False. : override_space () ( <<>>) , <<_>>. "john doe" "john_doe". , - , . , , , . , SSSD , . : ( ) certificate_verification () . : no_ocsp OCSP. , OCSP . soft_ocsp OCSP , OCSP . , , OCSP. ocsp_dgst (), ID OCSP. : o sha1 o sha256 o sha384 o sha512 : sha1 ( , RFC5019) no_verification . . partial_chain , , , , . ocsp_default_responder=URL OCSP, , . URL URL- OCSP, : http://example.com:80/ocsp. ocsp_default_responder_signing_cert=NAME . PEM, pam_cert_db_path. crl_file=////CRL (CRL) . CRL PEM. : crl(1ssl). soft_crl (CRL) , CRL . , , CRL. , . : , disable_netlink ( ) SSSD netlink ,, . SSSD, netlink, . , <> : false ( netlink ) domain_resolution_order , . , , "domains". , "lookup_order", . Please, note that when this option is set the output format of all commands is always fully-qualified even when using short names for input. In case the administrator wants the output not fully-qualified, the full_name_format option can be used as shown below: "full_name_format=%1$s" However, keep in mind that during login, login applications often canonicalize the username by calling getpwnam(3) which, if a shortname is returned for a qualified input (while trying to reach a user which exists in multiple domains) might re-route the login attempt into the domain which uses shortnames, making this workaround totally not recommended in cases where usernames may overlap between domains. : implicit_pac_responder ( ) PAC IPA AD PAC. , <>. : true core_dumpable ( ) This option can be used for general system hardening: setting it to 'false' forbids core dumps for all SSSD processes to avoid leaking plain text passwords. See man page prctl:PR_SET_DUMPABLE on Linux or procctl:PROC_TRACE_CTL on FreeBSD for details. 
Note that this setting has no effect on 'ldap_child', 'krb5_child' and 'sssd_pam', as those privileged binaries can hold a copy of the host keytab data in memory and their behavior in this regard is governed by the /proc/sys/fs/suid_dumpable system setting. : true passkey_verification () . : user_verification ( ) (, PIN-, ) . , PIN- . . IPA Kerberos . , . [$NAME]. , NSS "[nss]" . fd_limit , SSSD. , SSSD CAP_SYS_RESOURCE, . <> limits.conf. : 8192 ( <> limits.conf) client_idle_timeout , SSSD . . 10 . , 10 . : 60, KCM: 300 offline_timeout ( ) SSSD , , . SSSD . , . : new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset] offline_timeout 60. offline_timeout_max -- 3600. offline_timeout_random_offset -- 30. . , offline_timeout_max ( ). : 60 offline_timeout_max ( ) , . <<0>> . offline_timeout. offline_timeout <<60>> ( ), offline_timeout_max 120, . : offline_timeout_max 4 offline_timeout. , 0 offline_timeout, offline_timeout, . : 3600 offline_timeout_random_offset ( ) SSSD , : new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset] , . random_offset , : [0 - offline_timeout_random_offset] <<0>> . : 30 responder_idle_timeout , SSSD . . : 60 . <<0>> () , -. , SSSD systemd D-Bus. : 300 cache_first , . : true NSS (NSS). enum_cache_timeout ( ) ( ) nss_sss : 120 entry_cache_nowait_percentage ( ) , , entry_cache_timeout . , entry_cache_timeout <<30s>> (), entry_cache_nowait_percentage <<50>> (), , 15 , , SSSD , . 0-99 entry_cache_timeout . , - nowait , 10 . <<0>> . : 50 entry_negative_timeout ( ) , nss_sss ( , , ) . : 15 filter_users, filter_groups () NSS sss. . , - (UPN). : filter_groups , NSS. , , , . : root filter_users_in_groups ( ) , <>. : true override_homedir () . , . : %u %U UID %d %f (user@domain) %l . %P UPN -- - (name@REALM) %o The homedir value that is defined in the directory of the identity provider. This substitution is designed to be used in an IPA-AD trust scenario.
If this substitution is used for the subdomain_homedir option, it propagates the home directory value from the AD domain to the IPA clients. In this scenario, the option must be set in the SSSD configuration on the IPA server where SSSD is running in server mode. %h The path defined for the homedir directory attribute of the identity provider, but in lower case. For details of use, see %o. %H homedir_substring. %% <<%>> . : override_homedir = /home/%u : (SSSD , LDAP) , , (. sss_override(8)) IPA, , override_homedir. homedir_substring () override_homedir, %H. LDAP , ( ). [nss]. , , , [nss]. : /home fallback_homedir () , . override_homedir. : fallback_homedir = /home/%u : ( ) override_shell () . , . [nss], . : (SSSD , LDAP) allowed_shells () . : 1. "/etc/shells", . 2. allowed_shells, "/etc/shells", shell_fallback. 3. allowed_shells "/etc/shells", , . , (*). (*) , shell_fallback, "/etc/shells", allowed_shells . libc << >>. "/etc/shells" SSSD. , SSSD. : . . vetoed_shells () shell_fallback shell_fallback () , , . : /bin/sh default_shell , , . [nss] . : ( NULL, , libc , /bin/sh) get_domains_timeout ( ) , . : 60 memcache_timeout ( ) , . <<0>> . : 300 : SSSD. . : SSS_NSS_USE_MEMCACHE <>, . memcache_size_passwd ( ) ( ) , passwd. <<0>> passwd. : 8 : SSSD. : SSS_NSS_USE_MEMCACHE <>, . memcache_size_group ( ) ( ) , group. <<0>> group. : 6 : SSSD. : SSS_NSS_USE_MEMCACHE <>, . memcache_size_initgroups ( ) ( ) , . <<0>> . : 10 : SSSD. : SSS_NSS_USE_MEMCACHE <>, . memcache_size_sid ( ) ( ) , SID . SID--ID ID--SID. <<0>> SID . : 6 : SSSD. : SSS_NSS_USE_MEMCACHE <>, . user_attributes () NSS , POSIX, NSS. . , "user_attributes" InfoPipe (. sssd-ifp(5)), . NSS InfoPipe , NSS. : , InfoPipe pwfield () , NSS, , "password". : "*" : , [nss]. Default: "not set" (remote domains), "x" (proxy domain with nss_files and sssd-shadowutils target) PAM (PAM). offline_credentials_expiration ( ) , ( ). : 0 ( ) offline_failed_login_attempts ( ) , . 
: 0 ( ) offline_failed_login_delay ( ) , offline_failed_login_attempts, . <<0>>, offline_failed_login_attempts. , , . : 5 pam_verbosity ( ) , . , . sssd : 0: 1: 2: 3: : 1 pam_response_filter () , () , PAM PAM pam_sss. , pam_sss, (, , , , pam_sss). pam_verbosity, . : ENV . ENV:var_name var_name . ENV:var_name:service var_name . , , . <<+>> <<->>, , , . , <<+>> <<->> , . . : ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i : -ENV:KRB5CCNAME:sudo-i pam_id_timeout ( ) PAM, SSSD , SSSD , . PAM PAM ( , ). ( - ) ( ) , . : 5 pam_pwd_expiration_warning ( ) N . , . , sssd . , : , . , pwd_expiration_warning . : 0 get_domains_timeout ( ) , . : 60 pam_trusted_users () UID , PAM . , , , "pam_public_domains". UID . : , UID 0 PAM, pam_trusted_users. pam_public_domains () , . pam_public_domains : all ( PAM) none ( PAM) : none pam_account_expired_message () , << >>. : , SSH , pam_verbosity <<3>> ( ). : pam_account_expired_message = , . : none pam_account_locked_message () , << >>. : pam_account_locked_message = , . : none pam_passkey_auth ( ) . : true passkey_debug_libfido2 ( ) libfido2. : false pam_cert_auth ( ) -. -, , . : false pam_cert_db_path () . : o /etc/sssd/pki/sssd_auth_ca_db.pem ( CA PEM) pam_cert_verification () PAM . "certificate_verification" "[sssd]". , "certificate_verification". : pam_cert_verification = partial_chain : , "certificate_verification", "[sssd]". p11_child_timeout ( ) , pam_sss p11_child. : 10 passkey_child_timeout ( ) , PAM passkey_child. : 15 pam_app_services () , PAM "application" : pam_p11_allowed_services () PAM, -. PAM "+service_name". PAM "-service_name". , PAM - (, "login") PAM (, "my_pam_service"), : pam_p11_allowed_services = +my_pam_service, -login : PAM : o login o su o su-l o gdm-smartcard o gdm-password o kdm o sudo o sudo-i o gnome-screensaver p11_wait_for_card_timeout ( ) -, , ( p11_child_timeout) PAM -. : 60 p11_uri () URI PKCS#11 ( RFC-7512) -. p11_child SSSD PKCS#11 ( ) <> . , p11_uri p11_child . 
: p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2 URI, p11_child. <> GnuTLS, , <<--list-all>>: URI PKCS#11. : none pam_initgroups_scheme PAM , . , , : always ( , pam_id_timeout ) no_session , , never , , : no_session pam_gssapi_services PAM, GSSAPI pam_sss_gss.so. GSSAPI, "-" (). : , [pam]. , . : pam_gssapi_services = sudo, sudo-i : - ( GSSAPI ) pam_gssapi_check_upn <>, SSSD - Kerberos, GSSAPI, , . , . <>, , . : , [pam]. , . : true pam_gssapi_indicators_map , Kerberos PAM, GSSAPI pam_sss_gss.so. , "service:indicator". , PAM, PAM, pam_gssapi_services. PAM Kerberos pam_sss_gss.so. , , PAM. , . PAM , . GSSAPI, "-" (). PAM, "service:-". : , [pam]. , . IPA Kerberos : o pkinit -- X.509, -. o hardened -- SPAKE , FAST. o radius -- RADIUS. o otp -- (2FA , OTP) IPA. o idp -- . : SUDO , Kerberos X.509 (PKINIT), pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit : ( ) SUDO sudo. sudo(8) sssd(8) sssd-sudo(5). sudo_timed ( ) sudoNotBefore sudoNotAfter, sudoers. : false sudo_threshold ( ) , . , " ". , " ". sudo IPA. : 50 AUTOFS autofs. autofs_negative_timeout ( ) , autofs ( , , ) . : 15 , , - , autofs, sssd.conf, SSSD. SSH SSH. ssh_use_certificate_keys ( ) <>, sss_ssh_authorizedkeys SSH, X.509, . : sss_ssh_authorizedkeys(1). : true ssh_use_certificate_matching_rules () SSH , SSH , . . . <> <> , , . , ; , SSH . , <> , , . PAM , . . , . : , <>, ca_db () CA. SSH. : o /etc/sssd/pki/sssd_auth_ca_db.pem ( CA PEM) PAC PAC sssd_pac_plugin.so MIT Kerberos . PAC PAC GSSAPI. SID ID , , . PAC , : o , . UID SID, UPG, GID , UID. subdomain_homedir. , , default_shell. o SID SSSD , . PAC. allowed_uids () UID , PAC. UID . : 0, sssd ( PAC root SSSD) , . root / <> PAC ( ), UID. pac_lifetime ( ) PAC ( ). PAC , PAC . : 300 pac_check () , PAC Kerberos, Active Directory FreeIPA. , PAC Kerberos, krb5_validate <>, IPA AD. krb5_validate <>, PAC . : no_check PAC , , . pac_present PAC , SSSD TGT . PAC , . 
check_upn PAC , , (UPN) . check_upn_allow_missing 'check_upn' , UPN , SSSD. FreeIPA, 'ldap_user_principal' . . , FreeIPA , 'ldap_user_principal'. , . SSSD UPN PAC, SSSD. , , 'ldap_user_principal'. , 'check_upn' . upn_dns_info_present PAC UPN-DNS-INFO, 'check_upn'. check_upn_dns_info_ex PAC UPN-DNS-INFO, , . upn_dns_info_ex_present PAC UPN-DNS-INFO, 'check_upn_dns_info_ex', 'upn_dns_info_present' 'check_upn'. : no_check ( AD IPA -- 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex') tlog-rec-session(8), tlog, , . . sssd-session-recording(5). . scope () , : <> . <> , users groups. <> . : <> users () , . , NSS, , . : . . groups () , . , NSS, , . : ( ) , , . : . . exclude_users () , ; <>. : . . exclude_groups () , ; <>. : ( ) , , . : . . , "[domain/NAME]" enabled . "true", "". "false", "". , , , domains "[sssd]". domain_type () , , POSIX (, NSS), , POSIX. POSIX. : "posix" "application". POSIX . InfoPipe (. sssd-ifp(5)) PAM. : "id_provider=ldap". -POSIX " ". : posix min_id,max_id ( ) UID GID . , , . , GID. NSS, UID GID . , , . , . : 1 min_id, 0 ( ) max_id enumerate ( ) , , . , . : TRUE = FALSE = : FALSE , SSSD . id_provider = ldap id_provider = proxy. : , SSSD . SSSD. LDAP, - . , . , "sssd_be" . , . , , , -. man- (id_provider). , . : - , <> <>. nss, . entry_cache_timeout ( ) , nss_sss , . , - . sss_cache(8) , . : 5400 entry_cache_user_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_group_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_netgroup_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_service_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_resolver_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_sudo_timeout ( ) , sudo , : entry_cache_timeout entry_cache_autofs_timeout ( ) , autofs , : entry_cache_timeout entry_cache_ssh_host_timeout ( ) , SSH . , . : entry_cache_timeout entry_cache_computer_timeout ( ) , , : entry_cache_timeout refresh_expired_interval ( ) SSSD ( ) . , . , , ( , ). . 
3/4 * entry_cache_timeout. , 2/3 . , , . , , . . , . : 0 () cache_credentials ( ) , LDB. , () , . , - , - . , , SHA512, - , ( ) . : FALSE cache_credentials_minimal_first_factor_length ( ) (2FA) , ( ), SHA512 . , PIN- PIN- 2FA . : 8 account_cache_expiration ( ) , , . <<0>> , . offline_credentials_expiration. : 0 ( ) pwd_expiration_warning ( ) N . , : , . , . , sssd . , . : 7 (Kerberos), 0 (LDAP) id_provider () , . ID: "proxy": NSS. "ldap": LDAP. LDAP: sssd-ldap(5). "ipa": FreeIPA Red Hat Identity Management. FreeIPA: sssd-ipa(5). "ad": Active Directory. Active Directory: sssd-ad(5). "idp": Provider for OAuth 2.0/OIDC based Identity Providers (IdP). See sssd-idp(5) for more information. use_fully_qualified_names ( ) ( , full_name_format ) , NSS. If set to TRUE, all requests to this domain must use fully qualified names. For example, if used in EXAMPLE domain that contains a "test" user, getent passwd test wouldn't find the user while getent passwd test@EXAMPLE would. : , . , . : FALSE (TRUE / default_domain_suffix) ignore_group_members ( ) . <>, LDAP, , getgrnam(3) getgrgid(3). , "getent group $groupname" , . ( , ). subdomain_inherit. : FALSE auth_provider () , . : "ldap" -- LDAP. LDAP: sssd-ldap(5). "krb5" -- Kerberos. Kerberos: sssd-krb5(5). "ipa": FreeIPA Red Hat Identity Management. FreeIPA: sssd-ipa(5). "ad": Active Directory. Active Directory: sssd-ad(5). "idp": Provider for OAuth 2.0/OIDC based authentication. See sssd- idp(5) for more information. "proxy" -- - PAM. "none" -- . : "id_provider", . access_provider () , . ( , ). : "permit" always allow access. "deny" -- . "ldap" -- LDAP. LDAP: sssd-ldap(5). "ipa": FreeIPA Red Hat Identity Management. FreeIPA: sssd-ipa(5). "ad": Active Directory. Active Directory: sssd-ad(5). "simple" -- . simple: sssd-simple(5). "krb5" -- .k5login. Kerberos: sssd-krb5(5). "proxy" -- PAM. : "permit" chpass_provider () , . : "ldap" -- , LDAP. LDAP: sssd-ldap(5). "krb5" -- Kerberos. Kerberos: sssd-krb5(5). 
"ipa": FreeIPA Red Hat Identity Management. FreeIPA: sssd-ipa(5). "ad": Active Directory. Active Directory: sssd-ad(5). "proxy" -- - PAM. "none" -- . : "auth_provider", . sudo_provider () SUDO, . SUDO: "ldap" -- , LDAP. LDAP: sssd-ldap(5). "ipa" -- , "ldap", IPA. "ad" -- , "ldap", AD. "none" -- SUDO. Default: The value of "id_provider" is used if it is set and can handle sudo requests. sudo_provider sssd-sudo(5). , . <> sssd-ldap(5). : sudo ( , SUDO ). sudo_provider = None SSSD sudo , SSSD sudo. selinux_provider () , SELinux. , . SELinux: "ipa" -- SELinux IPA. IPA: sssd-ipa(5). "none" -- SELinux. : "id_provider", SELinux. subdomains_provider () , . id_provider. : "ipa" -- IPA. IPA: sssd-ipa(5). "ad" -- Active Directory. AD: sssd-ad(5). "none" -- . Default: The value of "id_provider" is used if it is set and can handle subdomain requests. session_provider () , , , . , : Fleet Commander ( c IPA). : "ipa" -- , . "none" -- , . : "id_provider", , . autofs_provider () autofs, . autofs: "ldap" -- , LDAP. LDAP: sssd-ldap(5). "ipa" -- , IPA. IPA: sssd-ipa(5). "ad" -- , AD. AD: sssd-ad(5). "none" -- autofs. Default: The value of "id_provider" is used if it is set and can handle autofs requests. hostid_provider () , . hostid: "ipa" -- , IPA. IPA: sssd-ipa(5). "none" -- hostid. Default: The value of "id_provider" is used if it is set and can handle hostid requests. resolver_provider () , . : "proxy" -- NSS. . "proxy_resolver_lib_name" "ldap" -- , LDAP. LDAP: sssd-ldap(5). "ad" -- , AD. AD: sssd-ad(5). "none" -- . Default: The value of "id_provider" is used if it is set and can handle resolver requests. re_expression () , , , , . <> SSSD, ( IPA Active Directory) (NetBIOS) . : "^((?P.+)@(?P[^@]*)|(?P[^@]+))$" -- : o username o username@domain.name AD IPA: "^(((?P[^\\]+)\\(?P.+))|((?P.+)@(?P[^@]+))|((?P[^@\\]+)))$" -- : o username o username@domain.name o domain\username , Windows. re_expression "@" . "@" ( Windows). "@", re_expression. full_name_format () printf(3) , . 
: %1$s %2$s , SSSD. %3$s . Active Directory, , IPA. : "%1$s@%2$s". lookup_family_order () , DNS. : ipv4_first: IPv4, IPv6 ipv4_only: IPv4. ipv6_first: IPv6, IPv4 ipv6_only: IPv6. : ipv4_first dns_resolver_server_timeout ( ) ( ), SSSD DNS . AD CLDAP. " ". : 1000 dns_resolver_op_timeout ( ) ( ), DNS (, SRV) DNS. " ". : 3 dns_resolver_timeout ( ) ( ), , . , . " ". : 6 dns_resolver_use_search_list ( ) DNS , <> resolv.conf. DNS. SSSD ( _srv_), FALSE DNS . : TRUE dns_discovery_domain () , DNS. : failover_primary_timeout ( ) , SSSD . ( ) SSSD . : -- 31. : 31 override_gid ( ) GID . case_sensitive () . : True . AD. False . Preserving , <> ( ), NSS. , ( ) . IPA, , SSSD . subdomain_inherit. : True (False AD) subdomain_inherit () , . , . : ldap_search_timeout ldap_network_timeout ldap_opt_timeout ldap_offline_timeout ldap_purge_cache_timeout ldap_purge_cache_offset ldap_krb5_keytab ( krb5_keytab, ldap_krb5_keytab ) ldap_krb5_ticket_lifetime ldap_connection_expire_timeout ldap_connection_expire_offset ldap_connection_idle_timeout ldap_use_tokengroups ldap_user_principal ignore_group_members auto_private_groups case_sensitive : subdomain_inherit = ldap_purge_cache_timeout : none : IPA AD. subdomain_homedir () AD IPA. override_homedir. , subdomain_homedir. %F (NetBIOS) . override_homedir. : /home/%d/%u realmd_tags () , realmd . cached_auth_timeout ( ) , , SSSD . , SSSD . . . <<0>> , . : "cached_auth_timeout" "pam_id_timeout", "initgroups." : 0 local_auth_policy () . (, LDAP, -) , - PKINIT (AD, IPA), (IPA) . , . , . : match, only, enable. "match" Kerberos. "only" - . enable - . , "enable:passkey", . 
enable , , "enable:passkey, enable:smartcard" , , , , local_auth_policy: "match" +---------------------------------------------------------------------+ | local_auth_policy = match ( ) | +-----+-----------------------------+---------------------------------+ | | | - | +-----+-----------------------------+---------------------------------+ |IPA | enabled | enabled | +-----+-----------------------------+---------------------------------+ | AD | | enabled | +-----+-----------------------------+---------------------------------+ |LDAP | | | +-----+-----------------------------+---------------------------------+ : - - , - , . .., , PIN-. (, -, ). [domain/shadowutils] id_provider = proxy proxy_lib_name = files auth_provider = none local_auth_policy = only : match auto_private_groups () : true UID . GID . : GID UID, UID GID. , . false GID . GID LDAP. hybrid , UID GID , GID LDAP. , GID , GID . UID GID , GID ; GID . , , . For the LDAP based id providers (LDAP, IPA and AD) the default for the configured domain is typically False because the sources have the concept of a primary group. The IdP id provider is using True because IdPs typically do not have primary groups. , <> , POSIX, <> -- , . auto_private_groups , : [domain/forest.domain/sub.domain] auto_private_groups = false , subdomain_inherit: [domain/forest.domain] subdomain_inherit = auto_private_groups auto_private_groups = false , . proxy_pam_target () , PAM. : ; PAM . local_auth_policy. proxy_lib_name () NSS, . NSS, , _nss_$(libName)_$(function), : _nss_files_getpwent. proxy_resolver_lib_name () NSS, . NSS, , _nss_$(libName)_$(function), : _nss_dns_gethostbyname2_r. proxy_fast_alias ( ) , , . <> SSSD . : false proxy_max_children ( ) . SSSD , sssd , - . : 10 SSSD, D-Bus (. sssd-ifp(5)), LDAP, . , SSSD, POSIX, , SID Windows, POSIX. "[domain/NAME]" "[application/NAME]", "application", SSSD. : "domains"; POSIX. inherit_from () POSIX SSSD, . "" . : . POSIX LDAP NSS. , telephoneNumber, phone phone D-Bus. 
[sssd] domains = appdom, posixdom [ifp] user_attributes = +phone [domain/posixdom] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com [application/appdom] inherit_from = posixdom ldap_user_extra_attrs = phone:telephoneNumber , , , "[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]". DOMAIN_NAME -- , . . : ldap_search_base, ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, ldap_service_search_base, ldap_sasl_mech, ad_server, ad_backup_server, ad_site, use_fully_qualified_names pam_gssapi_services pam_gssapi_check_upn . - , SSSD . LDAP . - SSH (. sss_ssh_authorizedkeys(8)), , PAM . , SSSD (. sss-certmap(5)). SSSD "[certmap/DOMAIN_NAME/RULE_NAME]". : matchrule () -, . . : KRB5:clientAuth, , Extended Key Usage ( ) "clientAuth" maprule () . : o LDAP:(userCertificate;binary={cert!bin}) LDAP, "ldap", "AD" "ipa". o If maprule is not set and provider is "proxy", the RULE_NAME name is assumed to be the name of the matching user. domains () , . , sssd.conf. , . : sssd.conf priority ( ) , . , . "0" , "4294967295" -- . : (/var/lib/sss/pubconf/pam_preauth_available) , PAM SSSD pam_sss SSSD , , , . pam_sss . , , , pam_sss , . . : "[prompting/...]". : [prompting/password] : password_prompt [prompting/2fa] : first_prompt second_prompt single_prompt , <>, first_prompt. , . , , . , , , . , , SSH 'PasswordAuthentication yes', , SSSD PAM. , SSH PasswordAuthentication, , SSSD , , SSH, , . [prompting/passkey] : interactive , True, , . , . interactive_prompt . touch , True, . touch_prompt . PAM, "[prompting/password/sshd]"; . 1. SSSD. -- . [sssd] domains = LDAP services = nss, pam [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true min_id = 10000 max_id = 20000 enumerate = False 2. AD IPA, AD << -- >>. 
, IPA (ipa.com) AD (ad.com). ad.com (child.ad.com). , . [domain/ipa.com/child.ad.com] use_fully_qualified_names = false 3. . "my.domain", "your.domain", . [certmap/my.domain/rule_name] matchrule = ^CN=My-CA,DC=MY,DC=DOMAIN$ maprule = (userCertificate;binary={cert!bin}) domains = my.domain, your.domain priority = 10 . sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-idp(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS (<<>>) SSSD -- https://github.com/SSSD/sssd/ SSSD 08/26/2025 SSSD.CONF(5)