SSSD.CONF(5) NAME sssd.conf - SSSD ini, . . , : [] = 2 = 2,3 ( ), ( -- "TRUE" "FALSE"). ("#") (";"). . description. . sssd.conf , root. root. sssd.conf conf.d. , SSSD libini 1.3.0 . - , conf.d, ".conf" ("."), sssd.conf SSSD. conf.d sssd.conf, sssd.conf, . conf.d , ( ). , , . (01_.conf, 02_.conf ) ( ). sssd.conf. root:root, -- 0600. , . , debug_level ( ) SSSD . 0-9. . ( ) . , , SSSD . , "debug_level" "[sssd]" sssd, . <> , . <>, , SSSD, sss_debuglevel(8). , : 0, 0x0010: . , SSSD . 1, 0x0020: . , SSSD, , . 2, 0x0040: . , . 3, 0x0080: . . 4, 0x0100: . 5, 0x0200: . 6, 0x0400: . 7, 0x1000: . 8, 0x2000: , . 9, 0x4000: . 9, 0x20000: ; , , , . 10, 0x10000: libldb . . , , : Example: , , , 0x0270. : , , , 0x1310. : 1.7.0. : 0x0070 ( , ; 2 ) debug ( ) SSSD 1.14 debug debug_level. , debug_level. debug_timestamps ( ) . SSSD journald, . : true debug_microseconds ( ) . SSSD journald, . : false debug_backtrace_enabled ( ) . SSSD debug_level 9, ' - `min(0x0040, debug_level)` ( debug_level 0 1, , , 2). `logger == files` (, ). : true SERVICE DOMAIN timeout ( ) . . , . : 10 [sssd] SSSD SSSD, SSSD. , <<>>. "[sssd]" , . config_file_version ( ) . SSSD 0.6.0 2. services , , sssd. ' , systemd, D-Bus. : nss, pam , sudo , autofs , ssh , pac , ifp . : "systemctl enable sssd-@service@.socket". reconnection_retries ( ) ' . : 3 domains -- , . SSSD . , SSSD . , . ASCII, , . <>. re_expression () , . . . . full_name_format () printf(3) , . : %1$s ' %2$s , SSSD. %3$s . Active Directory, ' IPA. . . monitor_resolv_conf ( ) , SSSD resolv.conf , DNS. : true try_inotify ( ) , SSSD inotify. inotify , resolv.conf ' . inotify. <>. : <> , inotify. <> . : , inotify . . krb5_rcache_dir () , SSSD Kerberos. __LIBKRB5_DEFAULTS__, SSSD libkrb5 . : . (__LIBKRB5_DEFAULTS__, ) default_domain_suffix () . , , () . . Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. user@domain.name, to log in. 
Setting this option changes the default of use_fully_qualified_names to True. It is not allowed to use this option together with use_fully_qualified_names set to False. One exception to this rule is domains with "id_provider=files", which always try to match the behaviour of nss_files and therefore their output is not qualified even when the default_domain_suffix option is used. : not set override_space () , _. ' <> <>. , . , , -, , . -, SSSD , , , . : ( ) certificate_verification () , . : no_ocsp (Online Certificate Status Protocol OCSP). , OCSP, , . soft_ocsp ' OCSP, OCSP . , , , OCSP . ocsp_dgst (), OCSP. : o sha1 o sha256 o sha384 o sha512 : sha1 ( , RFC5019) no_verification . . partial_chain , ' , , . ocsp_default_responder=URL OCSP, . , http://example.com:80/ocsp. ocsp_default_responder_signing_cert= . PEM, pam_cert_db_path. crl_file=////CRL (CRL) . CRL PEM, . crl(1ssl), . soft_crl (CRL) , CRL . , , CRL . . : , disable_netlink ( ) SSSD netlink , , . SSSD, netlink, , <> : false ( netlink) enable_files_domain ( ) , SSSD "id_provider=files" . : false domain_resolution_order , , , . ' , , "domains". , "lookup_order", . Please note that when this option is set, the output format of all commands is always fully qualified even when short names are used for input, for all users but the ones managed by the files provider. In case the administrator wants the output not fully qualified, the full_name_format option can be used as shown below: "full_name_format=%1$s" However, keep in mind that during login, login applications often canonicalize the username by calling getpwnam(3) which, if a short name is returned for a qualified input (while trying to reach a user which exists in multiple domains), might re-route the login attempt into the domain which uses short names; this workaround is therefore not recommended in cases where usernames may overlap between domains. : implicit_pac_responder ( ) PAC IPA AD PAC. , <>. : true core_dumpable ( ) : <> SSSD . . 
prctl:PR_SET_DUMPABLE, . : true , . [$NAME]. , NSS "[nss]" - . reconnection_retries ( ) ' . : 3 fd_limit , SSSD. , SSSD CAP_SYS_RESOURCE, . , "hard" limits.conf. : 8192 ( limits.conf "hard") client_idle_timeout , SSSD . , . 10 . , 10 . : 60, KCM: 300 offline_timeout ( ) SSSD , , , , , , '. , SSSD . . ' : new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset] offline_timeout 60. offline_timeout_max 3600. offline_timeout_random_offset 30. . , offline_timeout_max ( ). : 60 offline_timeout_max ( ) , ' '. 0 . offline_timeout. offline_timeout 60 ( ), offline_timeout_max , 120, . offline_timeout_max, offline_timeout. - 0 offline_timeout, offline_timeout, . : 3600 offline_timeout_random_offset ( ) SSSD , - : new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset] , . random_offset : [0 - offline_timeout_random_offset] 0 . : 30 responder_idle_timeout , SSSD . . 60 . 0 () , . , SSSD systemd D-Bus. : 300 cache_first , . : false NSS Name Service Switch (NSS ). enum_cache_timeout ( ) ( ) nss_sss : 120 entry_cache_nowait_percentage ( ) , entry_cache_timeout . , entry_cache_timeout 30s, entry_cache_nowait_percentage -- 50 ( ), , 15 , , SSSD , . 0-99. entry_cache_timeout . nowait , 10 . 0 . : 50 entry_negative_timeout ( ) , nss_sss ( , ) . : 15 local_negative_timeout ( ) , nss_sss , . 0 . : 14400 (4 ) filter_users, filter_groups () NSS sss. . (UPN). : filter_groups , NSS. , , , , . : root filter_users_in_groups ( ) , , <>. : true override_homedir () . . : %u ' %U UID %d %f ' (@) %l . %P UPN - User Principal Name ('@) %o , . %h , , . %H homedir_substring. %% (<<%>>) . : override_homedir = /home/%u : (SSSD , LDAP) , , , (. sss_override(8)) IPA, , , override_homedir. homedir_substring () override_homedir, %H. LDAP ' ( ). [nss]. , , , [nss]. : /home fallback_homedir () , . override_homedir. : fallback_homedir = /home/%u : ( ) override_shell () . - , . [nss] . : (SSSD , LDAP) allowed_shells () . 
: 1. "/etc/shells", . 2. allowed_shells, "/etc/shells", shell_fallback. 3. allowed_shells "/etc/shells", nologin. - (*). (*) , shell_fallback, <>, allowed_shells . libc. "/etc/shells" SSSD, SSSD. : . . vetoed_shells () shell_fallback shell_fallback () , , . : /bin/sh default_shell , , . [nss], . : ( NULL, libc , /bin/sh) get_domains_timeout ( ) , . : 60 memcache_timeout ( ) , . '. : 300 : ' SSSD, . : SSS_NSS_USE_MEMCACHE <>, fast '. memcache_size_passwd ( ) ( ) , ', passwd. 0 ' passwd. : 8 : ' SSSD. : SSS_NSS_USE_MEMCACHE <>, fast '. memcache_size_group ( ) ( ) , ', group. 0 ' group. : 6 : ' SSSD. : SSS_NSS_USE_MEMCACHE <>, fast '. memcache_size_initgroups ( ) ( ) , ', initgroups. 0 ' initgroups. : 10 : ' SSSD. : SSS_NSS_USE_MEMCACHE <>, fast '. memcache_size_sid ( ) ( ) , ', ' SID . ' SID--ID ID--SID. 0 ' SID. : 6 : ' SSSD. : SSS_NSS_USE_MEMCACHE <>, fast '. user_attributes () NSS , POSIX NSS. . , <> InfoPipe (. sssd- ifp(5), ), . NSS InfoPipe , NSS. : , InfoPipe pwfield () , NSS, , "password". : "*" : . [nss]. Default: "not set" (remote domains), "x" (the files domain), "x" (proxy domain with nss_files and sssd-shadowutils target) PAM Pluggable Authentication Module (PAM ). offline_credentials_expiration ( ) ' ( ). : 0 ( ) offline_failed_login_attempts ( ) ' . : 0 ( ) offline_failed_login_delay ( ) , offline_failed_login_attempts . 0, , offline_failed_login_attempts. . : 5 pam_verbosity ( ) , . , . sssd : 0: 1: 2: 3: : 1 pam_response_filter () , , () , PAM PAM pam_sss. , pam_sss, , , , pam_sss. pam_verbosity, . : ENV . ENV:_ _ . ENV:_: _ . , , <<+>> <<->>, , . , , <<+>> <<->>, . . : ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i : -ENV:KRB5CCNAME:sudo-i pam_id_timeout ( ) PAM SSSD SSSD , . PAM PAM, . ( -) ( ) . : 5 pam_pwd_expiration_warning ( ) . , , . , sssd . , , , . pwd_expiration_warning . : 0 get_domains_timeout ( ) , . : 60 pam_trusted_users () UID , PAM . , , , (public) "pam_public_domains". UID . : () , , UID 0 PAM, pam_trusted_users. 
pam_public_domains () , , . pam_public_domains: all ( PAM.) none ( PAM .) : none pam_account_expired_message () , << >> (<>). : , , SSH, pam_verbosity 3 ( ). : pam_account_expired_message = Account expired, please contact help desk. : none pam_account_locked_message () , << >> (<>). : pam_account_locked_message = Account locked, please contact help desk. : none pam_cert_auth ( ) . , , . : False pam_cert_db_path () . : o /etc/sssd/pki/sssd_auth_ca_db.pem ( PEM) pam_cert_verification () PAM , . "certificate_verification" "[sssd]". , "certificate_verification". : pam_cert_verification = partial_chain : , "certificate_verification", "[sssd]". p11_child_timeout ( ) , pam_sss p11_child. : 10 pam_app_services () , PAM ' "application" : pam_p11_allowed_services ( ) PAM, , . PAM <<+_>> PAM <<-_>>. , PAM (, <>) PAM (, <>), : pam_p11_allowed_services = +my_pam_service, -login : PAM : o login o su o su-l o gdm-smartcard o gdm-password o kdm o sudo o sudo-i o gnome-screensaver p11_wait_for_card_timeout ( ) ' , , p11_child_timeout, PAM . : 60 p11_uri () PKCS#11 ( RFC-7512), , . , p11_child SSSD PKCS#11 (), <> (<<>>) . ' ' , p11_uri p11_child , . : p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2 , p11_child. , GnuTLS p11tool, , --list-all, PKCS#11. : none pam_initgroups_scheme PAM , , . , . : always . , , pam_id_timeout no_session , , never , , : no_session pam_gssapi_services PAM, GSSAPI pam_sss_gss.so. GSSAPI, "-" (). : , [pam]. , . : pam_gssapi_services = sudo, sudo-i : - ( GSSAPI ) pam_gssapi_check_upn True, SSSD ' Kerberos, GSSAPI, , . , . False, , . : , [pam]. , . : True pam_gssapi_indicators_map PAM, GSSAPI pam_sss_gss.so, Kerberos . , ":". - PAM, pam_gssapi_services PAM. - PAM Kerberos pam_sss_gss.so. - , - PAM, . , . - PAM , . GSSAPI, "-" (). PAM, ":-". : , [pam]. , . IPA Kerberos : o pkinit -- X.509, . o hardened -- SPAKE - FAST. o radius -- RADIUS. o otp -- (2FA , OTP) IPA. 
o idp -- . : ' SUDO Kerberos X.509 (PKINIT), pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit : ( ) SUDO sudo. sudo(8) sssd(8) sssd- sudo(5). sudo_timed ( ) , sudoNotBefore sudoNotAfter, sudoers. : false sudo_threshold ( ) , . , "rules refresh". , "full refresh" sudo. sudo IPA . : 50 AUTOFS autofs. autofs_negative_timeout ( ) , autofs ( , ) . : 15 , , , ssd.conf - ' autofs , SSSD. SSH SSH. ssh_hash_known_hosts ( ) known_hosts. : false ssh_known_hosts_timeout ( ) , known_hosts . : 180 ssh_use_certificate_keys ( ) true, sss_ssh_authorizedkeys ssh, X.509, . sss_ssh_authorizedkeys(1). : true ssh_use_certificate_matching_rules () , SSH , SSH . ' , . . <> <>, , . , , ssh . , <> , , . , PAM, . , , . , . : , <> -- ca_db () CA. ssh. : o /etc/sssd/pki/sssd_auth_ca_db.pem ( PEM) PAC PAC sssd_pac_plugin.so MIT Kerberos . PAC PAC GSSAPI. SID ID , , . PAC , : o , . UID SID, UPG, gid , UID. subdomain_homedir. , , . default_shell. o SID , SSSD, . PAC. allowed_uids () UID , . PAC. UID . : 0 ( PAC (root)) , , UID 0, UID . (root) PAC, , UID 0. pac_lifetime ( ) PAC . PAC , PAC . : 300 pac_check () PAC Kerberos, Active Directory FreeIPA, . , , Kerberos, PAC, krb5_validate <>, IPA AD. krb5_validate <>, PAC . : no_check PAC , , . pac_present PAC , SSSD TGT . PAC , . check_upn PAC , , (UPN). check_upn_allow_missing <> , UPN , SSSD. FreeIPA, <> , . , . , , FreeIPA . <> . , . SSSD UPN PAC, SSSD. , , <>. , <> , . upn_dns_info_present PAC UPN-DNS-INFO; <>. check_upn_dns_info_ex PAC UPN-DNS-INFO, , . upn_dns_info_ex_present PAC UPN-DNS-INFO; <>, <> <>. : no_check ( AD IPA -- <>) ' tlog-rec-session(8), tlog, , . . sssd-session-recording(5). . scope () , : "none" . "some" , . "all" . : none users () , . , NSS, , . : . . groups () , . , NSS, , . : ( - ) , , . : . . exclude_users () , . <>. : . . exclude_groups () , . <>. : ( - ) , , . : . . , "[domain/]" enabled . "true", "". "false", "". , , "[sssd]". domain_type () , POSIX, NSS, , POSIX. ' POSIX. "posix" "application". POSIX . InfoPipe (. 
sssd- ifp(5)) PAM. : application "id_provider=ldap". -POSIX , , " ". : posix min_id,max_id ( ) UID GID . , , . GID. NSS, UID GID . , , . , . : 1 min_id, 0 ( ) max_id enumerate ( ) , , , , . , ' . : TRUE = FALSE = : FALSE SSSD . : SSSD . SSSD. LDAP, . , . "sssd_be" . , . , , , ' , . , (man) (id_provider). , ' . subdomain_enumerate () , () . : all none , , . : none entry_cache_timeout ( ) , nss_sss , ' . , . , , sss_cache(8). : 5400 entry_cache_user_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_group_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_netgroup_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_service_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_resolver_timeout ( ) , nss_sss , : entry_cache_timeout entry_cache_sudo_timeout ( ) , sudo , : entry_cache_timeout entry_cache_autofs_timeout ( ) , autofs , : entry_cache_timeout entry_cache_ssh_host_timeout ( ) , ssh . , . : entry_cache_timeout entry_cache_computer_timeout ( ) , ', : entry_cache_timeout refresh_expired_interval ( ) , SSSD , . , . , ( , ), , . . 3/4 * entry_cache_timeout. , 2/3 . , , . , , . . , . : 0 () cache_credentials ( ) Determines if user credentials are also cached in the local LDB cache. The cached credentials refer to passwords, which includes the first (long term) factor of two-factor authentication, not other authentication mechanisms. Passkey and Smartcard authentications are expected to work offline as long as a successful online authentication is recorded in the cache, without additional configuration. Note that although credentials are stored as a salted SHA512 hash, this still poses some security risk: an attacker who gains access to the cache file (which normally requires privileged access) could attempt to recover a password by brute force. : FALSE cache_credentials_minimal_first_factor_length ( ) (2FA) , ( ), SHA512 . , PIN- PIN- 2FA , . : 8 account_cache_expiration ( ) , . 0 -- . offline_credentials_expiration. 
: 0 ( ) pwd_expiration_warning ( ) . , , , . , , . , sssd . . : 7 (Kerberos), 0 (LDAP) id_provider () , . : <>: NSS. "files": FILES. , SSSD, sssd-files(5). "ldap": LDAP. LDAP sssd-ldap(5). "ipa": FreeIPA and Red Hat Identity Management provider. See sssd- ipa(5) for more information on configuring FreeIPA. "ad": Active Directory. Active Directory sssd-ad(5). use_fully_qualified_names ( ) ' ( , full_name_format ) ' , NSS. TRUE, . , LOCAL, <> user, getent passwd test , getent passwd test@LOCAL . : . , , . : FALSE (TRUE default_domain_suffix) ignore_group_members ( ) . TRUE, LDAP , , getgrnam(3) getgrgid(3). , "getent group $groupname" , . , , . subdomain_inherit. : FALSE auth_provider () , . : "ldap" -- LDAP. LDAP sssd-ldap(5). "krb5" -- Kerberos. Kerberos sssd-krb5(). "ipa": FreeIPA and Red Hat Identity Management provider. See sssd- ipa(5) for more information on configuring FreeIPA. "ad": Active Directory. Active Directory sssd-ad(5). "proxy" -- PAM. "none" -- . : "id_provider", . access_provider () . ( ). : "permit" . . "deny" -- . "ldap" -- LDAP. LDAP sssd-ldap(5). "ipa": FreeIPA and Red Hat Identity Management provider. See sssd- ipa(5) for more information on configuring FreeIPA. "ad": Active Directory. Active Directory sssd-ad(5). "simple" -- . simple sssd-simple(5). "krb5" -- .k5login. Kerberos sssd-krb5(). "proxy" -- PAM. : "permit" chpass_provider () , . : "ldap" -- , LDAP. LDAP sssd-ldap(5). "krb5" -- Kerberos. Kerberos sssd-krb5(). "ipa": FreeIPA and Red Hat Identity Management provider. See sssd- ipa(5) for more information on configuring FreeIPA. "ad": Active Directory. Active Directory sssd-ad(5). "proxy" -- PAM. "none" -- . : <>, . sudo_provider () SUDO, . SUDO: "ldap" , LDAP. LDAP sssd- ldap(5). "ipa" -- , "ldap", IPA. "ad" -- , "ldap", AD. "none" SUDO. : "id_provider", . sudo_provider (man) sssd-sudo(5). , . <>" sssd-ldap(5). : sudo , sudo . sudo_provider = None, , ' sudo SSSD, sudo SSSD. selinux_provider () , SELinux. , . 
SELinux: "ipa" selinux IPA. IPA sssd-ipa(5). "none" SELinux. : "id_provider", SELinux. subdomains_provider () , . id_provider. : "ipa" IPA. IPA sssd-ipa(5). <>, Active Directory. . sssd-ad(5), AD. "none" . : "id_provider", . session_provider () , , ' , . Fleet Commander, IPA. : "ipa", ' . "none" -- ' . : "id_provider", ' . : , SSSD root, . autofs_provider () autofs, . autofs: "ldap" -- , LDAP. LDAP sssd- ldap(5). "ipa" -- , IPA. IPA sssd-ipa(). "ad" -- , AD. . sssd-ad(5), AD. "none" autofs . : "id_provider", . hostid_provider () , . hostid: "ipa" -- , IPA. IPA sssd-ipa(). "none" hostid . : "id_provider", . resolver_provider () , . : "proxy" NSS. . "proxy_resolver_lib_name" "ldap" -- , LDAP. LDAP sssd- ldap(5). "ad" -- , AD. . sssd-ad(5), AD. "none" . : "id_provider", . re_expression () , , ' . <<>> SSSD , IPA Active Directory, (NetBIOS) . Default: "^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$" which allows two different styles for user names: o name o name@domain. Default for the AD and IPA provider: "^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$" which allows three different styles for user names: o name o name@domain. o domain\name, the Windows style with the domain first. The default re_expression uses the "@" character as a separator between the name and the domain. As a result of this setting, the default does not accept the "@" character in short names (although it is allowed in Windows group names). If a user wishes to use short names containing "@", they must create their own re_expression. full_name_format () printf(3) , . : %1$s ' %2$s , SSSD. %3$s . Active Directory, ' IPA. : "%1$s@%2$s". lookup_family_order () , DNS. : ipv4_first: IPv4, IPv6 ipv4_only: IPv4. ipv6_first: IPv6, IPv4 ipv6_only: IPv6. : ipv4_first dns_resolver_server_timeout ( ) ( ), SSSD DNS, DNS. AD - CLDAP. , "", ' , ' . : 1000 dns_resolver_op_timeout ( ) ( ) , DNS ( SRV), DNS. , "", ' , ' . : 3 dns_resolver_timeout ( ) ( ) , . , . , "", ' , ' . : 6 dns_resolver_use_search_list ( ) , ' DNS , <> resolv.conf. , DNS . SSSD ( _srv_), FALSE DNS . 
: TRUE dns_discovery_domain () , DNS. : '. override_gid ( ) GID . case_sensitive () . : True . AD. False . Preserving , False ( ), NSS. , ( ) . IPA, SSSD . subdomain_inherit. : True (False AD) subdomain_inherit () , . , , . : ldap_search_timeout ldap_network_timeout ldap_opt_timeout ldap_offline_timeout ldap_enumeration_refresh_timeout ldap_enumeration_refresh_offset ldap_purge_cache_timeout ldap_purge_cache_offset ldap_krb5_keytab ( krb5_keytab , ldap_krb5_keytab ) ldap_krb5_ticket_lifetime ldap_enumeration_search_timeout ldap_connection_expire_timeout ldap_connection_expire_offset ldap_connection_idle_timeout ldap_use_tokengroups ldap_user_principal ignore_group_members auto_private_groups case_sensitive : subdomain_inherit = ldap_purge_cache_timeout : none : IPA AD. subdomain_homedir () AD IPA. override_homedir. , subdomain_homedir. %F (NetBIOS) . override_homedir. : /home/%d/%u realmd_tags () , realmd . cached_auth_timeout ( ) , , SSSD << >>. , SSSD . . . 0 , . , , "cached_auth_timeout" "pam_id_timeout", "initgroups". : 0 local_auth_policy (string) Local authentication methods policy. Some backends (e.g. LDAP, proxy provider) only support password-based authentication, while others can handle PKINIT-based Smartcard authentication (AD, IPA), two-factor authentication (IPA), or other methods against a central instance. By default, in such cases authentication is only performed with the methods supported by the backend. There are three possible values for this option: match, only, enable. "match" is used to match offline and online states for Kerberos methods. "only" ignores the online methods and offers only the local ones. "enable" allows explicitly defining the methods for local authentication. For example, "enable:passkey" enables only passkey for local authentication. 
Multiple enable values should be comma-separated, such as "enable:passkey, enable:smartcard" Please note that if local Smartcard authentication is enabled and a Smartcard is present, Smartcard authentication will be preferred over the authentication methods supported by the backend. I.e. there will be a PIN prompt instead of e.g. a password prompt. The following configuration example allows local users to authenticate locally using any enabled method (i.e. smartcard, passkey). [domain/shadowutils] id_provider = proxy proxy_lib_name = files auth_provider = none local_auth_policy = only It is expected that the "files" provider ignores the local_auth_policy option and supports Smartcard authentication by default. Default: match auto_private_groups () - : true UID . GID . : GID UID, UID GID . , . false GID . GID ' LDAP. hybrid , UID GID , , GID ' LDAP. , GID ' , GID ' . UID GID , GID , GID . , ' , . False , ' POSIX, True , ' . auto_private_groups , : [domain/forest.domain/sub.domain] auto_private_groups = false subdomain_inherit: [domain/forest.domain] subdomain_inherit = auto_private_groups auto_private_groups = false , . proxy_pam_target () ', - PAM. Default: not set by default, you have to take an existing pam configuration or create a new one and add the service name here. As an alternative you can enable local authentication with the local_auth_policy option. proxy_lib_name () NSS -. NSS _nss_$(_)_$(), _nss_files_getpwent. proxy_resolver_lib_name () NSS -. NSS _nss_$(_)_$(), _nss_dns_gethostbyname2_r. proxy_fast_alias ( ) <<>> , (). <> , SSSD , . : false proxy_max_children ( ) . SSSD, sssd , . : 10 (application) SSSD, D-Bus (. sssd-ifp(5)) LDAP, . , SSSD, POSIX, SID Windows, POSIX. "[domain/]" "[application/]", "application", SSSD. , , "domains", - POSIX . inherit_from () POSIX SSSD, . , , -"". : . POSIX ' LDAP, NSS. , telephoneNumber, phone phone D-Bus. 
[sssd] domains = appdom, posixdom [ifp] user_attributes = +phone [domain/posixdom] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com [application/appdom] inherit_from = posixdom ldap_user_extra_attrs = phone:telephoneNumber , , , , "[domain/_/__]". _ . . : ldap_search_base, ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, ldap_service_search_base, ldap_sasl_mech, ad_server, ad_backup_server, ad_site, use_fully_qualified_names pam_gssapi_services pam_gssapi_check_upn . , SSSD ' . ' LDAP . ' (. sss_ssh_authorizedkeys(8), ), , PAM. ' SSSD ' ( sss-certmap(5)). ' SSSD , "[certmap/_/_]". : matchrule () , . . : KRB5:clientAuth, , Extended Key Usage ( ) "clientAuth" maprule () . : o LDAP:(userCertificate;binary={cert!bin}) LDAP , "ldap", "AD" "ipa". o RULE_NAME "files", . domains () , . , , sssd.conf. , . : , sssd.conf priority ( ) ' , . , . "0" -- , "4294967295" -- . : , "files" : o maprule, , RULE_NAME o maprule , , "{_'_rfc822._}", , "()" "({_'_rfc822._})" o "domains" (/var/lib/sss/pubconf/pam_preauth_available), PAM SSSD pam_sss SSSD , , . pam_sss . , , , , pam_sss . . Each supported authentication method has its own configuration subsection under "[prompting/...]". Currently there are: [prompting/password] ; : password_prompt [prompting/2fa] . : first_prompt second_prompt single_prompt . True, first_prompt. , . , , , '. ' , , . PAM, "[prompting/password/sshd]", . 1. SSSD. , -- , . [sssd] domains = LDAP services = nss, pam config_file_version = 2 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true min_id = 10000 max_id = 20000 enumerate = False 2. AD IPA, AD -. IPA (ipa.com) AD (ad.com). ad.com (child.ad.com). , . [domain/ipa.com/child.ad.com] use_fully_qualified_names = false 3. 
The following example shows the configuration of a certificate mapping rule. It is valid for the configured domain "my.domain" and additionally for the subdomains "your.domain" and uses the full certificate in the search filter. [certmap/my.domain/rule_name] matchrule = ^CN=My-CA,DC=MY,DC=DOMAIN$ maprule = (userCertificate;binary={cert!bin}) domains = my.domain, your.domain priority = 10 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd- krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd- sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS SSSD -- https://pagure.io/SSSD/sssd/ SSSD 04/09/2024 SSSD.CONF(5)