sssd.conf(5): working sssd.conf with all default values

# # /etc/sssd/sssd.conf : Configuration file for sssd and all its subservices # sssd.conf(5) # 2024-02-28 George Marselis george.marselis@vetinst.no

# FILE FORMAT # # The file has an ini-style syntax and consists of sections and parameters. # A section begins with the name of the section in square brackets, # e.g. [sssd] . It continues until the next section begins. Here is an # example of the general BNF syntax of a section, utilizing single # and multi-valued parameters: # # [section] # key = value # key2 = value2,value3 # # DATA TYPES FOR VALUES # # The data types used for the values are string , integer and boolean. # Quoting is not required. # # COMMENTING # # A comment line starts with a hash sign '#' or a # semicolon ';'. Inline comments are not supported. # # CASE SENSITIVE values ? https://github.com/SSSD/sssd/issues/7345 # # All sections can have an optional description parameter, purely as a # label for the section. ???? DISCARDED DURING PARSIN? # # FILE, FILE OWNERSHIP AND FILE PERMISSIONS # # sssd.conf must be a regular file. It must be owned by root:root only, and # read/write by root only. # Incorrect file permissions will prevent the daemon from starting. https://github.com/SSSD/sssd/issues/7346

# File is made up of the following sections: # [sssd] # [nss] # [pam] # [sudo] # [autofs] # [ssh] # [pac] # [rec] # [domain/YOUR_DOMAIN] # # Each section corresponds to the configuraion of an SSSD subprocess. You # can break down each section in sssd/conf.d/ . Only files ending in .conf # are read. Each file under sssd/conf.d/ is lexicographically added to # create the main sssd/sssd.conf file in memory. # # The parameters for each of the subprocesses of SSSD can be found their # relevant man pages: # pam_sss (8) - PAM module for SSSD # pam_sss_gss (8) - PAM module for SSSD GSSAPI authentication # sss-certmap (5) - SSSD Certificate Matching and Mapping Rules # sss_cache (8) - perform cache cleanup # sss_obfuscate (8) - obfuscate a clear text password # sss_override (8) - create local overrides of user and group attributes # sss_rpcidmapd (5) - sss plugin configuration directives for rpc.idmapd # sss_seed (8) - seed the SSSD cache with a user # sss_ssh_authorizedkeys (1) - get OpenSSH authorized keys # sss_ssh_knownhostsproxy (1) - get OpenSSH host keys # sssd-ad (5) - SSSD Active Directory provider # sssd-files (5) - SSSD files provider # sssd-ifp (5) - SSSD InfoPipe responder # sssd-ipa (5) - SSSD IPA provider # sssd-kcm (8) - SSSD Kerberos Cache Manager # sssd-krb5 (5) - SSSD Kerberos provider # sssd-ldap (5) - SSSD LDAP provider # sssd-ldap-attributes (5) - SSSD LDAP Provider: Mapping Attributes # sssd-session-recording (5) - Configuring session recording with SSSD # sssd-simple (5) - the configuration file for the 'simple' access-control provider of SSSD # sssd-sudo (5) - Configuring sudo with the SSSD back end # systemtap (5) - SSSD systemtap information # sssd_krb5_localauth_plugin (8) - Kerberos local authorization plugin # sssd_krb5_locator_plugin (8) - Kerberos locator plugin

# # FIXME FIXME FIXME what happens if a section is duplicate? #

[sssd]

# each section can have a 'description' variable description = "The sss daemon configuration section"

# Output Fatal failures, Critical failures, Serious failures, Minor failures, # Configuration settings, Function data, Trace messages for operation # functions and Trace messages for internal control functions # 0-10, 10 max # Also see sssctl debug-level debug_level = 7

# Indicate what the syntax version of the config file. SSSD 0.6.0 and # later use version 2 config_file_version = 2

# Comma separated list of services that are started when sssd itself starts. # The list of services is optional on platforms where systemd is supported, # as they will either be socket or D-Bus activated when needed. # By default, all services are disabled and the administrator must enable # the ones allowed to be used by executing # for service in $( echo "nss pam sudo autofs ssh pac ifp"); do \ # systemctl enable sssd-$service.socket; done # and # for service in $( echo "nss pam sudo autofs ssh pac ifp"); do \ # systemctl enable sssd-$service.service; done services = nss,pam,sudo,autofs,ssh,pac,ifp

# Number of times services should attempt to reconnect in the event of # a Data Provider crash or restart, before they give up # Default: 3 reconnection_retries = 3

# A domain is a database containing user information. SSSD can use more # domains at the same time, but at least one must be configured or SSSD # won't start. This parameter describes the list of domains in the order # you want them to be queried. A domain name is recommended to contain # only alphanumeric ASCII characters, dashes, dots and underscores. # '/' character is forbidden. domains = vetinst.no

# The default regular expression that describes how to parse the string # containing the user name and the domain into individual components. # Each domain can also have an individual regular expression configured. # For some ID providers there are also default regular expressions. # See sssd.conf(5) DOMAIN SECTIONS for more info on these regular expressions. ## re_expression =

# A printf(3)-compatible format that describes how to compose a fully # qualified name from the user name and domain name components. ## full_name_format =

# Monitor the state of resolv.conf to identify when there is a need to update # the internal DNS resolver. monitor_resolv_conf = True

# SSD will attempt to use inotify to monitor configuration files changes # and will fall back to polling every five seconds if inotify cannot be used. try_inotify = True

# the name of the default replay cache. The default is dfl: (domain functional # level. It is subject to parameter expansion according to platform # it set with a default value in /etc/krb5.conf , so leave this alone # and commented out ##krb5_rcache_dir = # # Default domain name for all names without a domain name component. Used when # the primary domain is intended for managing host policies and all users are # located in a trusted domain # # Setting this option changes default of use_fully_qualified_names to True. # It is not allowed to use this option together with use_fully_qualified_names # set to False. see man(5) sssd.conf for detqails ##default_domain_suffix = # # Replace spaces (space bar) with the given character for user and group # names. Used for compatibility with shell scripts that have difficulty # handling spaces, due to the default field separator in the shell. ## override_space =

# Restrict/tune certificate verification. Options are comma-seperated. # Valid options: # no_ocsp, soft_ocsp, ocsp_dgst=sha1|sha256|sha384|sha512, # no_verification, partial_chain, ocsp_default_responder=URL, # ocsp_default_responder_signing_cert=NAME, # crl_file=/PATH/TO/CRL/FILE, soft_crl # # Default: do not restrict certificate verification ## certificate_verification =

# Monitor changes to routes, addresses, links and trigger appropriate actions # for sssd. Disabling this is desireable when the state should not affect sssd # Default : False disable_netlink = False

# If you enable this option, a small implicit domain, like so: # [domain/files] # id_provider = files # # The implicit domain is prepended before any explicitely ones. # The effect is that local files (/etc/passwd, /etc/group, etc) # are mirrored/ingested into sssd. Also, provides efficient caching of # local users and groups. # Look into sssd-files(5) for more details # # Default : False ## enable_files_domain = False

# Comma separated list of domains and subdomains representing the lookup # order that will be followed. # Order of lookup may be important when the same username/uid exists in # multiple domains, but not the full name format is used to log in the user # # Default: Do not set, unless you need it ## domain_resolution_order = vetinst.no

# A PAC (Privilege Attribute Certificate) is a data structure used in # Microsoft Windows environments for representing a user's security # privileges and group memberships. It contains information such as group # memberships of a user, authorization data, and other security-related # attributes # # implicit_pac_responder = True enables the SSSD (System Security Services # Daemon) to automatically respond to requests for PAC data, which is needed # for certain Windows authentication scenarios, such as AD domain # authentication, cross-domain authentication, Kerberos Constrained # Delegation ( allow a service to impersonate a user and access resources on # behalf of that user ) and Authorization and Access Control. # # Defaul: True implicit_pac_responder = True

# General system hardening: setting it to 'false' forbids core dumps for all # SSSD processes to avoid leaking plain text passwords # # Default: True core_dumpable = True

[nss]

# each section can have a 'description' variable description = "The sss_nss sub-process configuration section"

# Number of times services should attempt to reconnect in the event of a # Data Provider crash or restart before they give up # Default: 3 reconnection_retries = 3

# Maximum number of file descriptors that may be opened at one time by this # SSSD process. # # Default: 8192 (or limits.conf "hard" limit) # Let this be decided dynamically ## fd_limit = 8192

# Seconds that a client of an SSSD process can hold onto a file descriptor # without communicating on it. Limited in order to avoid resource # exhaustion on the system. # # Default = 60 (if lower than 10, it will be reset to 10) # Exception: Kerberos Credential Manager (KCM), time out # is 300 seconds/5 minutes # Discrepancy might be due to different default settings and behaviors # between the SSSD configuration and the KCM component itself. client_idle_timeout = 60

# Seconds that an SSSD responder process can be up without being used. # Limited to avoid resource exhaustion. # # NOTE: Only has effect when SSSD is built with systemd support and # when services are either socket or D-Bus activated. # # Default: 300 responder_idle_timeout = 300

# Specify whether the responder should query all caches before querying # the Data Providers # # NOTE: we do not cache credentials, we proxy from AD. # # Default: False cache_first = False

# Seconds sss_nss should cache enumerations: the requests for info about # all users # # Default: 120 enum_cache_timeout = 120

# Automatically update entries in the background if they are requested # beyond a percentage of the entry_cache_timeout value for the domain. # # Default: 50 | Valid values: 0-99, 0 to disable entry_cache_nowait_percentage = 50

# Seconds sss_nss should cache negative cache hits (queries for invalid # database entries) before asking again. # # Default: 15 entry_negative_timeout = 15

# Seconds sss_nss should keep local users and groups in negative cache # before trying to look them up in the back end again. # # Default: 14400 (4 hours) | 0 disables the feature local_negative_timeout = 14400

# Exclude certain users from being fetched from the NSS database of the # daemon. This is particularly useful for system accounts. This option # can also be set per-domain or include fully-qualified names to filter # only users from the particular domain or by a user principal name (UPN). # # Default: root filter_users = root

# Exclude certain groups from being fetched from the NSS database of the # daemon. This is particularly useful for system groups. This option # can also be set per-domain or include fully-qualified names to filter # only users from the particular domain or by a user principal name (UPN). # # NOTE: The filter_groups option doesn't affect inheritance of nested group # members, since filtering happens after they are propagated for # returning via NSS: a super group having a member group filtered out # will still have the member users of the member group listed. # # Default: root filter_groups = root

# Enable membership of filtered users as group members. Disable if # not desired. # # Default: True filter_users_in_groups = True

# Override the location of the home directory of a user. You can either # provide an absolute value or a template. In the template, the following # sequences are substituted: # # %u : Login name # %U : UID number # %d : Domain name # %f : Fully qualified user name (user@domain) # %l : The first letter of the login name # %P : UPN - User Principal Name (user@REALM or user@domain) # %o : The original home directory retrieved from the identity provider. # %h : The original home directory retrieved from the identity provider, but in lower case. # %H : The value of configure option homedir_substring. # %% : A literal '%' # # This option can also be set per domain and per section. # # NOTE: The home directory from a specific override for the user, either # locally or centrally managed IPA id-overrides, has a higher # precedence. It will be used instead of the value given by # override_homedir. See sss_override(8) for details. # # https://github.com/SSSD/sssd/issues/7348

# Default: Not set (SSSD will use the value retrieved from LDAP) ## override_homedir = /home/%u ## override_homedir = /data/posit/home/%d/%u

# Ssed in expansion of override_homedir if the template contains the format # string %H. An LDAP directory entry can directly contain this template so # this option can be used to expand the home directory path for each client # machine (or operating system). It can be set per-domain or globally in the # [nss] section. # # NOTE: A value specified in a domain section will override one set in this # section. # # This option can also be set per domain and per section # # Default: /home ## homedir_substring = /home

# Set a default template for the home directory of a user, if one is not specified # explicitly by the data provider of the domain. # # The available values for this option are the same as for override_homedir. # # Default: not set (no substitution for unset home directories) ## fallback_homedir =

# The default shell to use if the provider does not return one during # lookup. # # This option can be specified globally in the [nss] section or per domain. # # Default: not set | Returns NULL if no shell is specified and rely on # libc to substitute something sensible, usually /bin/sh ## default_shell = /bin/bash

# The default shell to use if an allowed shell is not installed # on the machine. # Default: /bin/sh ## shell_fallback = /bin/sh

# Override the login shell for all users. This option supersedes # any other shell options. It can be set globally in the [nss] # section or per domain. # # Default: not set (SSSD will use the value retrieved from LDAP) ## override_shell = /bin/bash

# default shell to use if an allowed shell is not installed on the machine. # # Default: /bin/sh ## shell_fallback = /bin/sh

# Restrict user shell to one of the listed values. The order of # evaluation is: # 1. If the shell is present in “/etc/shells”, it is used. # 2. If the shell is in the allowed_shells list but not in “/etc/shells”, use the value of the shell_fallback parameter. # 3. If the shell is not in the allowed_shells list and not in “/etc/shells”, the /usr/sbin/nologin shell is used. # # The wildcard (*) can be used to allow any shell. The wildcard is useful # if you want to use shell_fallback in case the shell of a user is not in # /etc/shells. An empty string for shell is passed as-is to libc. # /etc/shells is only read on SSSD start up. If you change it, restart SSSD # # Default: Not set. The user shell is automatically used. ## allowed_shells =

# Any shell found here will be replaced with the shell_fallback # Default: none ## vetoed_shells =

# Seconds the list of subdomains will be considered valid. # # Default: 60 get_domains_timeout = 60

# Seconds records in the in-memory cache will be valid. # # WARNING: Disabling the in-memory cache will have significant negative # impact on the performance of SSSD abdd should only be # used for testing # # NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set # to "NO", client applications will not use the fast in-memory # cache. # # Default: 300 memcache_timeout = 300

# Size in megabytes of the data table allocated inside fast in-memory # cache for passwd requests. Setting the size to 0 will disable the passwd # in-memory cache. # # WARNING: Disabled or too small in-memory cache can have significant # negative impact on the performance of SSSD # # NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", # client applications will not use the fast in-memory cache. # # Default: 8 memcache_size_passwd = 8

# Size (in megabytes) of the data table allocated inside fast in-memory # cache for group requests. Setting the size to 0 will disable the group # in-memory cache. # # WARNING: Disabled or too small in-memory cache can have significant # negative impact on the performance of SSSD # # NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", # client applications will not use the fast in-memory cache. # # Default: 6 memcache_size_group = 6

# Size in megabytes of the data table allocated inside the fast in-memory # cache for initgroups requests. Setting the size to 0 will disable the # initgroups in-memory cache. # # WARNING: Disabled or too small in-memory cache can have significant # negative impact on the performance of SSSD # # NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", # client applications will not use the fast in-memory cache. # # Default: 10 memcache_size_initgroups = 10

# Some of the additional NSS responder requests can return more attributes # than just the POSIX ones defined by the NSS interface. That list of # attributes is controlled by this option. It is handled the same way as # the “user_attributes” option of the InfoPipe responder but with no # default values. See sssd-ifp(5) for details. # # NOTE: The InfoPipe responder provides a public D-Bus interface accessible # over the system bus. The interface allows the user to query # information about remote users and groups over the system bus. # # NOTE: To make configuration more easy, the NSS responder will check the # sssd-ifp InfoPipe option if it is not set for the NSS responder. # # Default: not set, fallback to InfoPipe option ## user_attributes =

# The value that NSS operations that return users or groups will return # for the "password" field. # # NOTE: This option can also be set per domain. If set, it will override # the value in [nss] section # # Default: "" # Default: "not set" ( for the remote domains) # "x" ( for the files domain) # "x" (proxy domain with nss_files and sssd-shadowutils target) # ## pwfield = ""

[pam]

# each section can have a 'description' variable description = "The sss_pam sub-process configuration section"

# If the authentication provider is offline, define how many days SSSD # allows cached logins (in days since the last successful online login). # # Default: 0 (no limit) offline_credentials_expiration = 1

# How many failed login attempts are allowed, if the authentication # provider is offline # # Default: 0 (No limit) offline_failed_login_attempts = 3

# The time in minutes which has to pass after offline_failed_login_attempts # has been reached before a new login attempt is possible. # If set to 0 the user cannot authenticate offline if offline failed login # attempts has been reached. Only a successful online authentication can # enable offline authentication again. # # Default: 5 offline_failed_login_delay = 15

# Controls what kind of messages are shown to the user during authentication. # Higher verbosity will show more mesages. # Currently sssd supports the following values: # 0: do not show any message # 1: show only important messages # 2: show informational messages # 3: show all messages and debug information # # Default: 1 pam_verbosity = 3

# Comma separated list of strings which allows to remove (filter) data sent # by the PAM responder to sss_pam PAM module. There are different kind of # responses sent to pam_sss e.g. messages displayed to the user or # environment variables which should be set by pam_sss. While messages # already can be controlled with the help of the pam_verbosity option this # option allows to filter out other kind of responses as well. # # Currently the following filters are supported: # ENV Do not send any environment variables to any service. # ENV:var_name Do not send environment variable var_name to any service. # ENV:var_name:service Exclude from sending the environment variable var_name to service. # # The list of strings can either be the list of filters which would set this # list of filters and overwrite the defaults. Or each element of the list # can be prefixed by a '+' or '-' character which would add the filter to # the existing default or remove it from the defaults, respectively. Please # note that either all list elements must have a '+' or '-' prefix or none. # It is considered as an error to mix both styles. # # Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i # Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default # list pam_response_filter = ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i

# For any PAM request while SSSD is online, the SSSD will attempt to # immediately update the cached identity information for the user in order # to ensure that authentication takes place with the latest information. # A complete PAM conversation may perform multiple PAM requests, such as # account management and session opening. This option controls, on # a per-client-application basis, how long in seconds we can cache the # identity information to avoid excessive round-trips to the identity # provider. # # Default: 5 pam_id_timeout = 5

# Display a warning N days before the password expires. # # NOTE: that the backend server has to provide information about the # expiration time of the password. If this information is missing, sssd # cannot display a warning. # If zero is set, then this filter is not applied: if the expiration # warning was received from backend server, it will automatically be # displayed. # # NOTE: This setting can be overridden by setting pwd_expiration_warning for a particular domain. # # Default: 0 pam_pwd_expiration_warning = 10

# Specifies time in seconds for which the list of subdomains will be # considered valid. # Default: 60 get_domains_timeout = 60

# Specifies the comma-separated list of UID values or user names that are # allowed to run PAM conversations against trusted domains. Users not # included in this list can only access domains marked as public with option # "pam_public_domains". User names are resolved to UIDs at startup. # # NOTE: UID 0 is always allowed to access the PAM responder even if not in # the pam_trusted_users list. # # Default: All users are considered trusted by default ## pam_trusted_users =

# Comma-separated list of domain names that are accessible even to untrusted # users. Two values are defined: # all Untrusted users are allowed to access all domains. # none Untrusted users are not allowed to access any domains. # # Default: none pam_public_domains = none

# Print a custom expiration message, replacing the default 'Permission denied' # message. # # NOTE: Please be aware that message is only printed for the SSH service # unless pam_verbosity is set to 3: show all messages and debug # information. # # Default: none pam_account_expired_message = Account expired, please contact help desk.

# Print a custom lockout message, replacing the default 'Permission denied' # message. # # Default: none pam_account_locked_message = Account locked, please contact help desk.

# Enable certificate based Smartcard authentication. This requires # additional communication with the respective Smartcard stack. Enabling # introduces delays to the authentication process, so this option is # disabled by default. # # Default: False pam_cert_auth = False

# The path to the certificate database. The path points to a file with # trusted CA certificates and all their intermediatery chains. File must # be in PEM format. # # Default: /etc/sssd/pki/sssd_auth_ca_db.pem pam_cert_db_path = /etc/pki/tls/certs/vetinst.pem

# Ways to verify the PAM certificate. Values are the same comma separated # list of values which the "certificate_verification" option has. # Setting this option overrides the "certificate_verification" value in the # "[sssd]" section. When not set, sssd uses the value of the # 'certificate_verification' option defined in the afformentioned section. # # Valid options: # no_ocsp, soft_ocsp, ocsp_dgst=sha1|sha256|sha384|sha512, # no_verification, partial_chain, ocsp_default_responder=URL, # ocsp_default_responder_signing_cert=NAME, # crl_file=/PATH/TO/CRL/FILE, soft_crl # # Look at sssd.conf(5) for details # # Default: not set. ## pam_cert_verification =

# Seconds sss_pam has to wait for p11_child to finish. # # Default: 10 p11_child_timeout = 10

# PAM services which are permitted to contact domains of type "application" # # For more: # https://docs.pagure.org/sssd.sssd/design_pages/non_posix_support.html # # PAM service names are the service names from the contents of /etc/pam.d/ # # Default: Not set ## pam_app_services =

# Comma-separated list of PAM service names which will be allowed to use # Smartcards. # You can add another PAM service name to the default set by using # "+service_name" # or to explicitly remove a PAM service name by using # "-service_name" # even if the service in in the default set of services. # # The default set of PAM service names include: # login # su # su-l # gdm-smartcard # gdm-password # kdm # sudo # sudo-i # * gnome-screensaver # PAM service names are the service names from the contents of /etc/pam.d/ # # Example: ## # pam_p11_allowed_services = +my_pam_service, -login # This allows a custom PAM service name ("my_pam_service") and disables # # Default: Not set ## pam_p11_allowed_services

# Additional extra seconds to p11_child_timeout should the PAM responder # wait, if a Smartcard is inserted and Smartcard authentication is # required # # Default: 60 p11_wait_for_card_timeout = 60

# PKCS#11 URI which can be used to restrict the selection of devices used # for Smartcard authentication. By default, p11_child of SSSD will search # for a PKCS#11 slot or reader where the 'removable' flags is set and read # the certificates from the inserted token from the first slot found. If # multiple readers are connected, p11_uri can be used to tell p11_child to # use a specific reader. # See RFC-7512 for details on PKCS#11 URI # Example: # p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader # or # p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2 # # To find a suitable URI, please check the debug output of p11_child. As an # alternative the GnuTLS utility 'p11tool' will show PKCS#11 URIs, with the # '--list-all' option. # # Default: none ## p11_uri =

# Force the PAM responder to perform an online lookup to get the current # group memberships of the user trying to log in. This option controls # when this should be done and the following values are allowed: # always # Always do an online lookup, please note that pam_id_timeout still # applies # no_session # Only do an online lookup if there is no active session of the user, # i.e. if the user is currently not logged in # never # Never force an online lookup, use the data from the cache as long as they are not expired # # Default: no_session pam_initgroups_scheme = no_session

# Comma-separated list of PAM services that are allowed to try GSSAPI # authentication using pam_sss_gss.so module. # To disable GSSAPI authentication, set this option to “-” (dash). # # Note: This option can also be set per-domain which overwrites the value # in [pam] section. It can also be set for trusted domains, which will # overwrite the value in the domain section. # # Example: # pam_gssapi_services = sudo, sudo-i # # Default: - (GSSAPI authentication is disabled) pam_gssapi_services = -

# If True, SSSD will require that the Kerberos user principal that # successfully authenticated through GSSAPI can be associated with the # user who is being authenticated. Authentication will fail if the check # fails. # If False, every user that is able to obtained required service ticket # will be authenticated. # # Note: This option can also be set per-domain which overwrites the value # in the [pam] section. It can also be set for trusted domains which will # overwrite the value in the domain section. # # Default: True pam_gssapi_check_upn = True

# Comma-separated list of authentication indicators required to be present # in a Kerberos ticket to access a PAM service that is allowed to try # GSSAPI authentication using pam_sss_gss.so module. # #
# In GSSAPI, an authentication indicator is a data field that indicates # the authentication mechanism being used for secure communication, such # as Kerberos or NTLM. # # https://web.mit.edu/kerberos/krb5-latest/doc/admin/auth_indicator.html # As of release 1.14, the KDC can be configured to annotate tickets if # the client authenticated using a stronger preauthentication mechanism # such as PKINIT or OTP. These annotations are called "authentication # indicators." Service principals can be configured to require particular # authentication indicators in order to authenticate to that service. An # authentication indicator value can be any string chosen by the KDC # administrator; there are no pre-set values # # Each element of the list can be either an authentication indicator name # or a tupple "service:indicator". Indicators not prefixed with their # respective PAM service name are required to allow access any to any PAM # service configured to be used with pam_gssapi_services. The resulting list # of indicators per PAM service is then checked against indicators in the # Kerberos ticket during authentication by pam_sss_gss.so. Any indicator # from the ticket that matches the resulting list of indicators for the # PAM service is granted access. If none of the indicators in the list # match, access is denied. If the resulting list of indicators for the PAM # service is empty, access is not prevented. # # To disable GSSAPI authentication indicator check, set this option to # "-" ( single dash ) # To disable the check for a specific PAM service, set the service to # "serviceName:-" # # Note: This option can also be set per-domain. In such case, this will # overwrite the value in the [pam] section. It can also be set for each # trusted domain. Again, this will overwrite the value in the relevant # domain section. # # The following authentication indicators are supported by IPA Kerberos # deployments: # # pkinit -- pre-authentication using X.509 certificates -- whether # stored in files or on smart cards. # hardened -- SPAKE pre-authentication or any pre-authentication # wrapped in a FAST channel. # radius -- pre-authentication with the help of a RADIUS server. # otp -- pre-authentication using integrated two-factor authentication # (2FA or one-time password, OTP) in IPA. # * idp -- pre-authentication using external identity provider. # # Example: Require access to SUDO services only for users which # obtained their Kerberos tickets with a X.509 certificate # pre-authentication (PKINIT) # # pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit # # Default: not set (use of authentication indicators is not required) ## pam_gssapi_indicators_map

[sudo]

# each section can have a 'description' variable description = "The sss daemon sudo configuration section"

# These options can be used to configure the sudo service. The detailed # instructions for configuration of sudo(8) to work with sssd(8) are in # the manual page sssd-sudo(5).

# Evaluate the sudoNotBefore and sudoNotAfter attributes that implement # time-dependent sudoers entries. # # Default: false sudo_timed = False

# Maximum number of expired rules that can be refreshed at once. If number # of expired rules is below threshold, those rules are refreshed with # "rules refresh" mechanism. If the threshold is exceeded a "full refresh" # of sudo rules is triggered instead. This threshold number also applies to # IPA sudo command and command group searches. # # Default: 50 sudo_threshold = 50

[autofs]

# each section can have a 'description' variable description = "The sss daemon autofs configuration section"

# Specify for how many seconds should the autofs responder negative cache # hits (that is, queries for invalid map entries, like nonexistent ones) # before asking the back end again. # # NOTE: the automounter only reads the master map on startup, so if any # autofs-related changes are made to the sssd.conf, you also need to # restart the automounter daemon, after restarting SSSD. # # Default: 15 autofs_negative_timeout = 15

[ssh]

# each section can have a 'description' variable description = "The sss daemon ssh configuration section"

# Hash host names and addresses in the managed known_hosts file. # # Default: false ssh_hash_known_hosts = True

# Seconds to keep a host in the managed known_hosts file after its host # keys were requested. # # Default: 180 ssh_known_hosts_timeout = 180

# If set to True, sssd will use sss_ssh_authorizedkeys(1) to return ssh # keys derived from the public key of X.509 certificates stored in the # user entry as well. # See sss_ssh_authorizedkeys(1) for details. # # Essentially, what the above means is that there is an sssd responder # ( subsystem ) which can go through a X.509 certificate and return any # public ssh keys included in the certificate # https://jhrozek.fedorapeople.org/sssd/2.1.0/man/sss_ssh_authorizedkeys.1.html # https://docs.pagure.org/sssd.sssd/users/relnotes/notes_1_16_2.html # # > If the user entry contains certificates ... or there is a certificate # > in an override entry for the user ... and the certificate is valid, # > SSSD will extract the public key from the certificate and convert it # > into the format expected by sshd. # # Default: True ssh_use_certificate_keys = True

# By default the SSSD ssh responder will use all available certificate # matching rules to filter the certificates, so that ssh keys are only # derived from the matching ones. With this option the used rules can be # further restricted with a comma separated list of mapping and matching # rule names. All other rules will be ignored. # # Available values are 'all_rules' and 'no_rules' . Each will enable all # or no rules, respectively. The latter means that no certificates will # be filtered out and ssh keys will be generated from all valid # certificates. # # If no rules are configured using 'all_rules' will enable a default rule # which enables all certificates suitable for client authentication. This # is the same behavior the SSSD PAM responder uses, if certificate # authentication is enabled. # # A non-existing rule name is considered an error. If no rule is selected # as a result, all certificates will be ignored. # # Default: not set, equivalent to 'all_rules', all found rules or the # default rule are used ssh_use_certificate_matching_rules = all_rules

# Path to file storing trusted CA certificates, in PEM format. The option # is used to validate user certificates before deriving public ssh keys # from them. # # Default: /etc/sssd/pki/sssd_auth_ca_db.pem ca_db = /etc/sssd/pki/sssd_auth_ca_db.pem

[pac]

# each section can have a 'description' variable description = "The sss daemon pac configuration section"

# a PAC (Privilege Attribute Certificate) is a data structure used in # Kerberos authentication to carry additional authorization information, # such as group memberships and other attributes, alongside the regular # Kerberos ticket.

## PAC responder configuration options # The PAC responder works together with the authorization data plugin # for MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The # plugin sends the PAC data during a GSSAPI authentication to the PAC # responder. The sub-domain provider collects domain SID and ID ranges # of the domain the client is joined to and of remote trusted domains # from the local domain controller. If the PAC is decoded and # evaluated, some of the following operations are done: # # If the remote user does not exist in the cache, user is created. The # UID is determined with the help of the SID. Trusted domains will have # UPGs and the GID will have the same value as the UID. The home # directory is set based on the subdomain_homedir parameter. The shell # will be empty by default, i.e. the system defaults are used, but can # be overwritten with the default_shell parameter. # # If there are SIDs of groups from domains which sssd knows about, the # user will be added to those groups. #

# Specify a comma-separated list of UID values or user names that are # allowed to access the PAC responder. User names are resolved to UIDs at # startup. Please note that although the UID 0 is used as the default, the # default value can be overwritten, if this option is set. If overwrite the # default, but you still want to allow the root user to have access to the # PAC responder, which would be the typical case, you have to add 0 to the # list of allowed UIDs as well. # # Default: 0 - only the root user is allowed to access the PAC responder allowed_uids = 0

# Lifetime of the PAC entry in seconds. As long as the PAC is valid, the # PAC data can be used to determine the group memberships of a user. # # Default: 300 pac_lifetime = 300

# Apply additional checks on the PAC of the Kerberos ticket which is # available in Active Directory and FreeIPA domains. # # NOTE: Kerberos ticket validation must be enabled to be able to check # the PAC ( krb5_validate option must be set to 'True' ) . This # is the default for the IPA and AD provider. If krb5_validate # is set to 'False', the PAC checks will be skipped. # # The following options are the accepted values. They can be used alone # or in a comma-separated list: # # no_check # The PAC must not be present. Even if present, no additional checks # will be performed. # # pac_present # The PAC must be present in the service ticket which SSSD will # request, with the help of the user's TGT. If the PAC is not # available, the authentication will fail. # # check_upn # If the PAC is present, check if the user principal name (UPN) # information is consistent. # # check_upn_allow_missing # This option should be used together with 'check_upn'. It handles # the case where a UPN is set on the server-side but is not read by # SSSD. # # The typical example is a FreeIPA domain where 'ldap_user_principal' # is set to a not existing attribute name. # # This was typically done to work-around issues in the handling of # enterprise principals by FreeIPA. The issue has been fixed and # there should not be a need to set 'ldap_user_principal'. The info # is maintained in the case it is needed, though. # # Currently, this option is set by default to avoid regressions in # such environments. A log message will be added to the system log # and SSSD's debug log in case a UPN is found in the PAC but not in # SSSD's cache. To avoid this log message it would be best to # evaluate if the 'ldap_user_principal' option can be removed. If # this is not possible, removing 'check_upn' will skip the test and # avoid the log message. # # upn_dns_info_present # The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'. # # check_upn_dns_info_ex # If the PAC is present and the extension to the UPN-DNS-INFO buffer # is available check if the information in the extension is consistent. # # * upn_dns_info_ex_present # The PAC must contain the extension of the UPN-DNS-INFO buffer, # implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'. # # Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex') pac_check = no_check #

[rec]

# each section can have a 'description' variable description = "The sss daemon Session recording configuration section"

# The following options can be used to configure session recording. Session # recording works in conjunction with tlog-rec-session(8), a part of the # tlog package, to log what users see and type when they log in on a text # terminal. See also: sssd-session-recording(5).

# Specify the scope of session recording: # none # No users are recorded. # some # Users/groups specified by users and groups options are recorded. # * all # All users are recorded. # # Default: none scope = none

# Comma-separated list of users to have session recording enabled. Matches # user names as returned by NSS, meaning after the possible space # replacement, case or any other sort of NSS changes. # # Default: Empty. Matches no users. ## users =

# Comma-separated list of user groups, members of which should have session # recording enabled. user names as returned by NSS, meaning after the # possible space replacement, case or any other sort of NSS changes. # # NOTE: Setting this option to anything has a considerable performance # cost, as each uncached request for a user requires retrieving # and matching of the groups the user is a member of. # # Default: Empty. Matches no groups. ## groups =

# Comma-separated list of users to be excluded from recording. Only # applicable if 'scope = all'. # # Default: Empty. No users excluded. ## exclude_users =

# Comma-separated list of groups, members of which should be excluded from # recording. Only applicable if 'scope = all'. # # NOTE: Setting this option to anything has a considerable performance # cost, as each uncached request for a user requires retrieving # and matching the groups the user is a member of. # # Default: Empty. No groups excluded. ## exclude_groups =

[domain/mydomain.on]

# each section can have a 'description' variable description = "The sss daemon session domain configuration section for domain/mydomain.on"

# Options present in a domain configuration section. Said section is named ## [domain/NAME]

# Explicitly enable or disable the domain. If set to "True", the domain is always # "enabled". If "False", the domain is always "disabled". # # If this option is not set, the domain is enabled only if it is listed # in the domains option in the “[sssd]” section. # enabled = True

# Specify whether the domain is meant to be used by POSIX-aware clients, # such as the NSS (Name Service Switch ), or by applications that do not # need POSIX data to be present or generated. Only objects from POSIX # domains are available to the operating system interfaces and utilities. # # Allowed values for this option are "posix" and "application". POSIX # domains are reachable by all services. Application domains are only # reachable from the InfoPipe responder and the PAM responder. For more # information, see sssd-ifp(5) # # NOTE: The application domains are currently well tested with # the id_provider option set to 'ldap', only. # For an easy way to configure non-POSIX domains, please # see the "Application domains" section. # # Default: posix domain_type = posix

# UID and GID limits for the domain. If a domain contains an entry that # is outside these limits, it is ignored. For users, this affects the # primary GID limit. The user will not be returned to NSS if either the # UID or the primary GID is outside the range. For non-primary group # memberships, those that are in range will be reported as expected. # # These ID limits affect even saving entries to cache, not only returning # them by name or ID. # # Default: 1 for min_id, 0 (no limit) for max_id min_id = 1 max_id = 0

# Determine if a domain can be enumerated, that is, whether the domain can # list all the users and group it contains. Note that it is not required # to enable enumeration in order for secondary groups to be displayed. # Enumerating a domain requires SSSD to download and store all user and # group entries from the remote server. # # NOTE: Enabling enumeration has a moderate performance impact on # SSSD while enumeration is running. It may take up to several # minutes after SSSD startup to fully complete enumerations. # During this time, individual requests for information will # go directly to LDAP. Responses may be slow, due to the heavy # enumeration processing. Saving a large number of entries to # cache after the enumeration completes might also be CPU # intensive as the memberships have to be recomputed. This can # lead to the sssd_be process becoming unresponsive or even # restarted by the internal watchdog. # # While the first enumeration run is trying to complete, requests for the # complete user or group lists may return no results until processing is # finished. Further, enabling enumeration may increase the time necessary # to detect network disconnection, as longer timeouts are required to # ensure that enumeration lookups are completed successfully. For more # information, refer to the man pages for the specific id_provider in use. # For the reasons cited above, enabling enumeration is not recommended, # especially in large environments. # # This parameter can have one of the following values: # True # Users and groups are enumerated # False # No enumerations for this domain # # Default: False enumerate = True

# Enable enumeration of any of autodetected trusted domains. The supported # values are: # all # All discovered trusted domains will be enumerated # none # No discovered trusted domains will be enumerated # Optionally, a list of one or more domain names can enable enumeration # just for those specific trusted domains. # # Default: none subdomain_enumerate = none

# Seconds nss_sss should consider entries valid before asking the backend # again. The cache expiration timestamps are stored as attributes of # individual objects in the cache. Changing the cache timeout only has # effect for newly added or expired entries. You should run the # sss_cache(8) tool in order to force refresh of entries that have already # been cached. # # Default: 5400 entry_cache_timeout = 5400

# The time in seconds nss_sss should consider user entries valid before # asking the backend again # # Default: equal to entry_cache_timeout (5400) entry_cache_user_timeout = 5400

# The time in seconds nss_sss should consider group entries valid before # asking the backend again # # Default: equal to entry_cache_timeout (5400) entry_cache_group_timeout = 5400

# The time in seconds nss_sss should consider netgroup entries valid before # asking the backend again # # Default: entry_cache_timeout (5400) entry_cache_netgroup_timeout = 5400

# The time in seconds nss_sss should consider service entries valid before # asking the backend again # # Default: entry_cache_timeout (5400) entry_cache_service_timeout = 5400

# The time in seconds nss_sss should consider hosts and networks entries # valid before asking the backend again # # Default: entry_cache_timeout (5400) entry_cache_resolver_timeout = 5400

# The time in seconds sudo should consider rules valid before asking the # backend again # # Default: entry_cache_timeout (5400) entry_cache_sudo_timeout = 5400

# The time in seconds the autofs service should consider automounter maps # valid before asking the backend again # # Default: entry_cache_timeout (5400) entry_cache_autofs_timeout = 5400

# The time in seconds to cache a host key for # # Default: entry_cache_timeout (5400) entry_cache_ssh_host_timeout = 5400

# The time in seconds to keep the local computer entry before asking the # backend again # # Default: entry_cache_timeout (5400) entry_cache_computer_timeout = 5400

# Specify how many seconds SSSD has to wait before triggering a background # refresh task which will refresh all expired or nearly expired records. # The background refresh will process users, groups and netgroups in the # cache. For users who have performed the initgroups operation in the # past[1], both the user entry and the group membership are updated. # [1] get group membership for user, typically at login # # This option is automatically inherited for all trusted domains. # If you want to set this value, considering setting it to # 3/4 * entry_cache_timeout. # # Cache entry will be refreshed by the background task when 2/3 of cache # timeout has already passed. If there are existing cached entries, the # background task will refer to their original cache timeout values # instead of current configuration value. This may lead to a situation in # which the background refresh task appears to not be working. This is by # design to improve offline mode operation and reuse of existing valid # cache entries. To make this change instant, the user may want to # manually invalidate existing cache. See sss_cache(8) for more details # on how to manipulate the SSSD cache # # Default: 0 (disabled) refresh_expired_interval = 0

# Determine if user credentials are also cached in the local LDB cache. # The cached credentials refer to passwords, includomg the first # (long term) factor of two-factor authentication, but not other # authentication mechanisms. Passkey and Smartcard authentications are # expected to work offline as long as a successful online authentication # is recorded in the cache without additional configuration. # # NOTE: While credentials are stored as a salted SHA512 hash, caching # the credentials can still potentially pose some security risk # in the case an attacker manages to get access to a cache file # and brute force attack a password against the cache. Access to # to a cache file normally requires privileged access. # # Default: False cache_credentials = False

# Determine the minimal length the first authentication factor (long term # password) must have to be saved as SHA512 hash into the cache, provided # 2-Factor-Authentication (2FA) is used and credentials are configured to # be cached. # Setting this value avoids the security trouble that any short PINs in a # PIN-based 2FA scheme are saved in the cache. If they were to be savd, it # would make them easy targets for brute-force attacks. # # Default: 8 cache_credentials_minimal_first_factor_length = 8

# Number of days entries are left in cache after last successful login. # After this limit, entries are removed from the cache. Set to 0 for # unlimited days. The value of this parameter must be greater than or # equal to offline_credentials_expiration. # Default: 0 (unlimited) account_cache_expiration = 0

# Display a warning N days before the password expires. If set set to zero # then this filter is not applied. But, if the expiration warning is # received from a backend server, it will automatically be displayed. # # NOTE: The backend server has to provide information about the # expiration time of the password. If this information is missing, # sssd cannot display a warning. Also, to use this feature, an auth # provider has to be configured for the backend. # # Default: 7 (Kerberos), 0 (LDAP) pwd_expiration_warning = 7

# The identification provider used for the domain. # Supported ID providers are: # proxy: Support a legacy NSS provider. # files: FILES provider. See sssd-files(5) for more information # on how to mirror local users and groups into SSSD. # ldap: LDAP provider. See sssd-ldap(5) for more information on # configuring LDAP as a provider. # ipa: FreeIPA and Red Hat Identity Management provider. See # sssd-ipa(5) for more information on configuring FreeIPA # as a provider. # ad: Active Directory provider. See sssd-ad(5) for more # information on configuring Active Directory as a provider. # # Default: https://github.com/SSSD/sssd/issues/7335 id_provider = ad

# Use the full name and domain as the login name of the user reported to # NSS. The format of the login name is described by the full_name_format # option for the specific domain # If set to True, all requests to this domain must use fully qualified # names. For example, if used in LOCAL domain that contains a "test" user, # getent passwd test would not find the user while getent passwd test@LOCAL # would.

# NOTE: This option has no effect on netgroup lookups due to their # tendency to include nested netgroups without qualified names. # For netgroups, all domains will be searched when an unqualified # name is requested. # # Default: False (True for trusted domain/sub-domains or if default_domain_suffix is used) use_fully_qualified_names = True

# Decide if SSSD return group members for group lookups. # # If set to TRUE, the group membership attribute is not requested from the # ldap server and group members are not returned when processing group # lookup calls, such as getgrnam(3) or getgrgid(3). As a result, # "getent group $groupname" would return the requested group as empty. # # Enabling this option is used for faster access provider checks for group # membership. This is especially true for groups containing many members. # # This option can be also set per subdomain or inherited via subdomain_inherit. # # Default: False ignore_group_members = False

# The authentication provider used for the domain. Supported auth providers # are: # ldap: Used for native LDAP authentication. See sssd-ldap(5) for more # information on configuring this provider. # krb5: Used for Kerberos authentication. See sssd-krb5(5) for more # information on configuring this provider. # ipa: FreeIPA and Red Hat Identity Management provider. See sssd-ipa(5) # for more information on configuring this provider. # ad: Active Directory provider. See sssd-ad(5) for more information on # configuring this provider. # proxy: Used for relaying authentication to some other PAM target. # none: Disables authentication explicitly. # # Default: the value of "id_provider", if set and can handle authentication requests. auth_provider = ad

# The access control provider used for the domain. Supported control # provider backends are: # # permit: Always allow access. This is also the only permitted access # provider used when connected to a local domain. # deny: Always deny access. # # allow and deny are two built-in access providers, in addition to any # included in installed backends. # # ldap: Use the LDAP provider to get access control. See sssd-ldap(5) # for more information on configuring this provider. # krb5: .k5login based access control. See sssd-krb5(5) for more # information on configuring this provider. # ipa: FreeIPA and Red Hat Identity Management provider. See # sssd-ipa(5) for more information on configuring this provider. # ad: Active Directory provider. See sssd-ad(5) for more information # on configuring this provider. # simple: Access control based on access or deny lists. See sssd-simple(5) # for more information on configuring this provider. # proxy: Access provider for relaying access control to another PAM module. # # Default: permit access_provider = ad

# The provider which should handle change password operations for the # domain.Supported change password providers are: # # none: Disallow password changes explicitly. # ldap: Use the LDAP provider to change a password stored in a LDAP # server. See sssd-ldap(5) for more information on configuring # this provider. # krb5: Use the Kerberos provider to change the Kerberos password. See # sssd-krb5(5) for more information on configuring this provider. # ipa: FreeIPA and Red Hat Identity Management provider. See # sssd-ipa(5) for more information on configuring this provider. # ad: Active Directory provider. See sssd-ad(5) for more information # on configuring this provider. # proxy: Use this provider to relay password changes to some other PAM # target. # # Default: Use the value of auth_provider, provided it is set and can # handle change password requests. chpass_provider = ad

# The SUDO provider used for the domain. Supported SUDO providers are: # # none: Disable users invoking SUDO explicitly. # ldap: Use the LDAP provider to retrieve rules stored in LDAP. See # sssd-ldap(5) for more information on configuring LDAP. # ipa: Use the FreeIPA and Red Hat Identity Management provider to # retrive sudo rules. See sssd-ipa(5) for more information on # configuring this provider. # ad: Active Directory provider. See sssd-ad(5) for more information # on configuring this provider. # # The detailed instructions for configuration of sudo_provider are in # the manual page sssd-sudo(5). There are many configuration options # that can be used to adjust the behavior. Please refer to "ldapsudo*" in sssd-ldap(5). # # NOTE: Sudo rules are periodically downloaded in the backgroundm # unless the sudo provider is explicitly disabled. # Set sudo_provider = none to disable all sudo-related # activity in SSSD. # # Default: Use the value of id_provider, if set. sudo_provider = ad

# The provider which should handle loading of SELinux settings. Supported # SELinux providers are: # # none: disallows fetching SELinux settings explicitly. # ipa: Load selinux settings from an IPA server. See sssd-ipa(5) for # more information on configuring this provider. # # NOTE: This provider will be called right after the access # provider. # # Default: Use the value of id_provider, if set and can handle SELinux # loading requests. https://github.com/SSSD/sssd/issues/7336 ## selinux_provider = none

# The provider which should handle fetching of subdomains. Supported # subdomain providers are: # # none: Disallow fetching subdomains explicitly. # ipa: Load the list of subdomains from a configured IPA server. # See sssd-ipa(5) for more information on configuring IPA. # ad: Load the list of subdomains from a configured Active Directory # server. See sssd-ad(5) for more information on configuring the # AD provider. # # NOTE: This value should be always the same as id_provider. # # Default: Use the value of id_provider, if set. subdomains_provider = ad

# The provider which configures and manages user session related tasks. # The only user session task currently provided with this options is the # integration with Fleet Commander, a tool to manage and deploy desktop # profiles across large networks under FreeIPA or Active Directory. # https://fleet-commander.org/ for more information. # Supported session providers are: # # none: does not perform any kind of user session related tasks. # ipa: Allow performing user session related tasks. See sssd-ipa(5) for more information on configuring IPA. # # NOTE: In order to have this feature working as expected, # SSSD must be running as root. # # Default: Use the value of id_provider, if set and can perform # session-related tasks. session_provider = none

# The autofs provider used for the domain. Supported autofs providers are: # # none: Disable the autofs provider explicitly. # ldap: Use the LDAP provider to load maps stored in LDAP. See # sssd-ldap(5) for more information on configuring LDAP. # ipa: Use the FreeIPA and Red Hat Identity Management provider to # load maps stored in an IPA server. See sssd-ipa(5) for more # information on configuring the IPA provider. # ad: Use the Active Directory provider to load maps stored in an AD # server. See sssd-ad(5) for more information on configuring the # AD provider. # # Default: Use the value of id_provider, if set. autofs_provider = ad

# The provider used for retrieving host identity information. Supported # hostid providers are: # # none: Disable retrieving hostid information explicitly. # ipa: Use the FreeIPA and Red Hat Identity Management provider to # load host identity stored in an IPA server. See sssd-ipa(5) # for more information on configuring the IPA provider. # # Default: Use the value of id_provider, if set. hostid_provider = none

# The provider which should handle hosts and networks lookups. Supported # resolver providers are: # # none: Disallow fetching hosts and networks explicitly. # proxy: Forward lookups to another NSS library. # See "proxy_resolver_lib_name" !!!! https://github.com/SSSD/sssd/issues/7337 !!!! # ldap: Use the LDAP provider to fetch hosts and networks stored in # LDAP. See sssd-ldap(5) for more information on configuring the # LDAP provider. # ad: Use the Active Directory provider to fetch hosts and networks # stored in AD. See sssd-ad(5) for more information on configuring # the AD provider. # # Default: Use the value of id_provider, if set. resolver_provider = ad

# Regular expression for this domain that describes how to parse the string # containing user name and domain into these components. The "domain" can # match either the SSSD configuration domain name. In the case of IPA use, # trust subdomains and Active Directory domains or the flat (NetBIOS) name # of the domain. # # Default: ^((?Pname>.+)@(?P<domain[^@])|(?P[^@]+))$ # This allows two different styles for user names: # username # username@domain.name # # Default for the AD and IPA provider: # ^(((?Pdomain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain[^@]+))|((?P[^@\]+)))$ # This allows three different styles for user names: # username # username@domain.name # domain\username # # The first two correspond to the general default. The third expression is # introduced to allow easy integration of users from Windows domains. # The default re_expression uses the '@' character as a separator between # the name and the domain. As a result of this setting, the default # expression does not accept the '@' character in short names, as it is # allowed in Windows group names. If a user wishes to use short names # which include the '@' character, they must create their # own re_expression. # # If not set, re_expression depends on the type of backend provider used. ## re_expression ==

# A printf(3)-compatible format string that describes how to compose a # fully qualified name from user name and domain name components. # The following expansions are supported: # %1$s: user name # %2$s: domain name as specified in the SSSD config file. # %3$s: domain flat name. Mostly usable for Active Directory # domains, both directly configured or discovered via IPA # trusts. # # Default: %1$s@%2$s full_name_format = %1$s@%2$s

# Choose the preferred address family to use when performing DNS lookups. # Supported values: # # ipv4_first: Try looking up IPv4 address, if that fails, try IPv6 # ipv4_only: Only attempt to resolve hostnames to IPv4 addresses. # ipv6_first: Try looking up IPv6 address, if that fails, try IPv4 # ipv6_only: Only attempt to resolve hostnames to IPv6 addresses. # # Default: ipv4_first lookup_family_order = ipv4_first

# Milliseconds SSSD would try to talk to a DNS server # before trying the next DNS server. # # https://github.com/SSSD/sssd/issues/7340 # # NOTE: If you use the AD provider, it will use this option for the # CLDAP ping timeouts as well # milliseconds are 10^-3 # # See section FAILOVER for more information about service resolution. # # Default: 1000 dns_resolver_server_timeout = 1000

# Seconds to wait to resolve a single DNS query before trying # the next DNS hostname or next DNS server in host # discovery. # # See section FAILOVER for more information about service resolution. # # Default: 3 dns_resolver_op_timeout = 3

# Seconds to wait for a reply from the internal fail over service before # assuming that the service is unreachable. If this timeout is reached, # the domain will continue to operate in offline mode. # # See section FAILOVER for more information about service resolution. # # Default: 6 dns_resolver_timeout = 6

# Configure use of the DNS resolver. The DNS resolver searches the domain # list defined in the "search" directive from the resolv.conf file. This # can lead to delays in environments with improperly configured DNS. # If fully qualified domain names or srv records are used in the SSSD # configuration, setting this option to FALSE will prevent using the # DNS resolver in such environments and prevent delays. # # Default: True dns_resolver_use_search_list = True

# Specify the domain SSSD should use, if service discovery is used in the # back end. # # https://github.com/SSSD/sssd/issues/7341 # # Default: Use the domain part of the hostname of the machine ## dns_discovery_domain =

# Override the primary GID value with the one specified. # # Default: - ## override_gid =

# Treat user and group names as case sensitive. Possible option values are: # True: Case sensitive. This value is invalid for AD provider. # Using this provider, user and group names are turned to # lowercase. # False: Case insensitive. # Preserving: Same as False (case insensitive), but does not lowercase # user and group names as the result of an NSS operation. # # NOTE 1: Regardless of the value used, name aliases, services and # protocol names are lowercased. # # NOTE 2: If you have a trusted domain provided by IPA, and you want # to set this value in any way, you need to set it to the # same value both in this client and in the SSSD on the IPA # server. # # This option can be also set per subdomain or inherited via # the option subdomain_inherit. # # Default: False for AD provider, True for all others. case_sensitive = False

# Comma-seperated list of configuration parameters which should be # inherited by any subdomain. The following parameters are those allowed # to be inherited, currently: # ldap_search_timeout # ldap_network_timeout # ldap_opt_timeout # ldap_offline_timeout # ldap_enumeration_refresh_timeout # ldap_enumeration_refresh_offset # ldap_purge_cache_timeout # ldap_purge_cache_offset # ldap_krb5_keytab FIXME FIXME FIXME (the value of krb5_keytab will be used if ldap_krb5_keytab is not set explicitly) # ldap_krb5_ticket_lifetime # ldap_enumeration_search_timeout # ldap_connection_expire_timeout # ldap_connection_expire_offset # ldap_connection_idle_timeout # ldap_use_tokengroups # ldap_user_principal # ignore_group_members # auto_private_groups # case_sensitive # # Example: # subdomain_inherit = ldap_search_timeout,ldap_network_timeout,\ # ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,\ # ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,\ # ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,\ # ldap_enumeration_search_timeout,ldap_connection_expire_timeout,\ # ldap_connection_expire_offset,ldap_connection_idle_timeout,\ # ldap_use_tokengroups,ldap_user_principal,ignore_group_members,\ # auto_private_groups,case_sensitive # # NOTE: This option is available only if the provider is the IPA or the AD provider. # # Default: none ## subdomain_inherit = ldap_search_timeout,ldap_network_timeout,ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,ldap_enumeration_search_timeout,ldap_connection_expire_timeout,ldap_connection_expire_offset,ldap_connection_idle_timeout,ldap_use_tokengroups,ldap_user_principal,ignore_group_members,auto_private_groups,case_sensitive

# Set the default value for all subdomains within this domain. # You can either provide an absolute path or printf(3)-like template. # In the template, the same sequences are substituted, as # in override_homedir: # # %u : Login name # %U : UID number # %d : Domain name # %f : Fully qualified user name (user@domain) # %l : The first letter of the login name # %P : UPN - User Principal Name (user@REALM or user@domain) # %o : The original home directory retrieved from the identity provider. # %h : The original home directory retrieved from the identity provider, but in lower case. # %H : The value of configure option homedir_substring. # %% : A literal '%' # # In subdomain_homedir, you can additionally use: # %F : flat (NetBIOS) name of a subdomain. # # NOTE: If set, this value can be overwriten by the value of the # override_homedir option. # # Default: /home/%d/%u subdomain_homedir = /data/posit/home/%u

# Various tags stored by the realmd configuration service for this domain. # Default: - realmd_tags (string)

# Seconds since last successful online authentication where cached # credentials can be use to authenticate a user, when SSSD is in offline # mode. If the credentials are incorrect, SSSD tries to go back to online # mode and connect upstream to retry retry authenticating the user. # # https://github.com/SSSD/sssd/issues/7351 # # This value is inherited by all trusted domains. At the moment it is not # possible to set a different value per trusted domain. # # Set to 0 to disable # # NOTE: If "cached_auth_timeout" is longer than "pam_id_timeout", the # backend could be called to handle "initgroups." # # Default: 0 (disabled) cached_auth_timeout = 0

# Local-to-this-particular-system user authentication methods policy. # # Some backends (LDAP, proxy) support only a password-based authentication # while others can handle # PKINIT-based Smartcard authentication (AD, IPA) # two-factor authentication (IPA) # * or other methods against a central authority. # # In such cases, authentication is only performed with the methods supported by the backend. # # There are three possible values for this option # match: Used to match offline and online states for Kerberos methods. # only: Ignore the online methods and only offer the local ones. # enable: : Explicitly define the methods for local authentication. E.g.: # "enable:passkey" enables passkey for local authentication, only. # Multiple enable values must be comma-separated: # "enable:passkey,enable:smartcard" # # https://github.com/SSSD/sssd/issues/7352 # # NOTE: Smartcard authentication can take higher precedence than the # authentication methods supported by the backend. If that happens, # user will be prompted for a PIN instead of a password prompt. # This depends on: # 1. Enabling local Smartcard authentication as as a a provider # 2. A Smartcard is present in a Smartcard reader #

# The following configuration example allows local users to authenticate # locally using any enabled method (i.e. smartcard, passkey). # # [domain/shadowutils] # id_provider = proxy # proxy_lib_name = files # auth_provider = none # local_auth_policy = only # # The "files" provider ignores the local_auth_policy option and supports # Smartcard authentication, by default. # # Default: match local_auth_policy = match

# Handle the way private groups are created for ??? primary description of option missing ??? # There are environments that wish to stop maintaining ??? (this needs fleshing out and rewording) a separate # group objects for the user private groups ??? , but also wish to retain the existing user private groups ??? where do these private groups come from ??? # # There are three available values: # # true: Create the private group of a user ??? unconditionally ???, # using the UID number of the user as the private GID. # Essentially, this creates a seperate group for the specific # user, much like users ??? in Linux ??? have the same uid/gid. # The GID number ??? provided by who ??? is ignored in this case. # ??? Whose GID number ??? # # NOTE: Because the GID number and the user private group are # inferred from the UID number, a user cannot have multiple # ??? entries where ??? entries with the same UID or GID # when using this option: Enabling this option enforces # uniqueness across the ??? which ID ??? ID space. # # false: Always use the primary GID number ??? PROVIDED BY WHO ??? of # the user. The ??? PROVIDED BY WHO? resulting? effective ??? # ??? GID number must refer to a group object in the LDAP database. ??? ??? is this option used in LDAP only? ??? # # hybrid: Autogenerate a primary group for those user entries where UID # and GID numbers must have the same value, but the GID number # does not correspond to a ??? (are there fake group objects) # real ??? group object in LDAP. # If the primary GID of the user matches to a group object in # LDAP, set the primary GID of the user to the LDAP group object # # If the ??? LDAP provided ??? UID and GID of a user are different # then the GID must correspond to a group entry ??? Where ???. # If the GID does not correspond ??? to a group entry in LDAP ??? # then the GID is simply not resolvable ??? what does this mean? What are the consequences ??? # # The value of auto_private_groups can either be set per subdomains in a # seperate subsection, for example: # # [domain/forest.domain/sub.domain] # auto_private_groups = false # # or globally for all subdomains in the main forest domain section using # the subdomain_inherit option: # # [domain/forest.domain] # subdomain_inherit = auto_private_groups # auto_private_groups = false # # Default: False for subdomains which use ??? what are assigned POSIX IDs??? assigned POSIX IDs; True for subdomains which use automatic ID-mapping. auto_private_groups = False

# The proxy target PAM proxies to. ??? please expand and give references ?? # # ??? Under what conditions would one use this option ?? # # If set, you have to assign an existing pam configuration or create a new # one and add the service name here. As an alternative, you can enable local # authentication with the local_auth_policy option. # ??? fleshing out, maybe example? ??? # # Default: Not set by default. ## proxy_pam_target =

# The name of the NSS library to use in proxy domains. The NSS functions # searched for in the library are in the form of # _nss_$(libName)_$(function). For example, _nss_files_getpwent . # # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/domain_configuration_options-configuring_a_proxy_domain\#:~:text=A%20proxy%20with%20SSSD%20is,not%20be%20able%20to%20use . # Specify which existing NSS library to proxy identity requests through ??? more fleshing out would be nice, even if its from RedHat docs ??? # The proxy library is loaded using the proxy_lib_name parameter. ??? why do we want to do that ??? # # Default: Not set by default. ## proxy_lib_name =

# The name of the NSS library to use for hosts and networks lookups in # proxy domains. The NSS functions searched for in the library are in # the form of _nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r. # # ??? Why would a sysadmin want to set this? what is the use case? what are the consequences ??? # ??? Maybe make a small section to explain? or point to the relevant places in the sssd-proxy ??? # # Default: Not set by default ## proxy_resolver_lib_name =

# When looking up a user or group by name in the proxy provider, a second # lookup by ??? what type of ??? ID is performed. We ask the provider if # the name of the user or the group submited is the primary name/object or # an alias. If it is an alias, we retried the primary name/object. # Setting this option to true would cause the SSSD to perform the ??? ID # lookup from cache for performance reasons. ??? rewording? expanding? # # Default: False proxy_fast_alias = False

# Specify the number of pre-forked proxy children when using the proxy # provider. Useful for high-load SSSD environments where sssd may run out # of available child slots ??? what is a child slot ???. ??? Allowing too many # forks would cause issues, either due to blocking or resource contention. ??? # # Default: 10 proxy_max_children = 10

# [Application domains]

# each section can have a 'description' variable # description = "The Application domains SSSD daemon configuration section"

# SSSD utilizes the Linux system D-bus[1] , via it's D-bus # interface ( sssd-ifp(5) ). As such, SSSD can be used to proxy any # D-bus-enabled application to any of the authentication and authorization # mechanisms available to SSSD. # # SSSD, as a Linux-based application, uses POSIX attributes to match # users and file ownership, meaning, it utilizes User IDs (uid) and Group # IDs (gid). For applications which have their own, non-POSIX compliant # user management system, SSSD can be configured as a bridge between the # app and POSIX. That is done either by inferring the uid/gid in the case # of the AD provider or by creating the required POSIX attributes and # keeping track of them. # # This is where application domains come into play: The system administrator # can configure a section for the specific application and can proxy calls # to AD or LDAP, for example, even if the original application is unaware # of such. The administrator can either configure the application by itself # or have it inherit properties from a domain. Application domain are # defined as [application/NAME_OF_APPLICATION] . We will explain domain # property inheritance through the following example: # # [sssd] # description = "Partial, relevant SSSD configuration" # domains = appdom, posixdom # # [ifp] # description = "sssd-ipf(5) is the Linux D-Bus provider" # user_attributes = +phone # # [domain/posixdom] # description = "definition and properties for domain posixdom. This domain uses POSIX attributes such as uid, gid and extended groups the user may be part of" # id_provider = ldap # ldap_uri = ldap://ldap.example.com # ldap_search_base = dc=example,dc=com # # [application/appdom] # description = "definition of the application domain appdom. This appilcation domain inherits the properties of the posixdom domain via the inherit_from property" # inherit_from = posixdom # ldap_user_extra_attrs = phone:telephoneNumber # # In this setup, we have two domains: # 1. One authentication domain using LDAP ( [domain/posixdom] ) # 2. One application domain ( [application/appdom] ) # # SSSD listens?subscribes? to the D-Bus for calls from the appdom # application, proxies authentication connections # to ldap://ldap.example.com and returns the relevant information to the # application. In addition, SSSD requests the telephoneNumber LDAP attribute # and stores it as the phone attribute in the ??? which cache ??? cache. SSSD # then, makes the phone attribute accesible to the application via D-Bus. As # long as you know what is the name of the property the application requests, # the application can retrieve the value of the property through the D-Bus # interface. # # NOTE: If you set up an application domain, you must explicitly # declare it in the [sssd] "domains" parameter. Not declaring # the application domain will confuse the lookup order between # the application domain and its POSIX parent domain. ??? is set correctly ??? clarify please # # ??? it is unclear how SSSD matches +phone to phone:telephoneNumber, since the two properties do not have the same name . ??? please expand # ??? is is also unclear how SSSD manages non-POSIX applications, especially the persistance of any translated values ??? please expand # ??? Also unclear: does SSSD force POSIX translation, or just proxies the connection ??? # # For more information, see sssd-ifp(5) # # All authorization domain properties can be inherited into an application # domain. That is done via the inherit_from application domain parameter: # # inherit_from (string) # # The SSSD authorization domain the application domain inherits all # settings from. The system administrator can further configure additional # application domain properties to the application domain. Any application # domain properties provided will either augment or override the parent # domain properties. # # Default: Not set # # References: # [1] D-Bus: https://www.freedesktop.org/wiki/Software/dbus/ # [2] POSIX standard: https://posix.opengroup.org/docs/base-2003.html # https://posix.opengroup.org/docs/base-2016.html

# TRUSTED DOMAINS # # A trusted domain is an Active Directory domain that establishes trust # relationships with other AD domains, allowing users in one domain to # access resources in another. It is Microsoft Windows Server terminology # and has been a technology available ever since Windows Server ??? 2006 ???. # Speciffically, an Active Directory forest is the highest-level logical # container in an Active Directory setup, housing domains, users, computers # and group policies[1]. SSSD, allows allows you to replicate that behavior # of Microsoft Server, so that a sysadmin can offer similar authentication # and authorization services under Linux. Active Directory is LDAP, Kerberos # and SMB/CIFS combined. In Linux SSSD brings all those protocols together. # Lets go through an example: # # Let us assume you are the system administrator in charge of a media # company that owns multiple media outlets. Each media outlet is distinct # but the IT storage is shared between multiple editors and journalists # in each individual media outlet. Let us name the media company Linux Tech Tips. # The media outlets under that company are named idropthings.foo and # destroyhardware.bar. As a system administrator, you can define a # domain and the individual trusted domains in SSSD for such a media company # this way: # # [domain/linuxtechtips.bom] # property1 = text1 # property2 = text2 # ... # # [domain/linuxtechtips.bom/idropthings.foo] # property1_for_this_trusted_domain_only = text1 # property2_for_this_trusted_domain_only = text2 # ... # # [domain/linuxtechtips.bom/destroyhardware.bar] # property1_for_this_trusted_domain_only = text1 # property2_for_this_trusted_domain_only = text2 # ... # # Most of the options in [domain/linuxtechtips.com] are inherited both # by [domain/linuxtechtips.bom/idropthings.foo] and by # [domain/linuxtechtips.bom/destroyhardware.bar] . # There are options, though, which can be used only in a trusted domain. # Specifically, those are: # # ldap_search_base # ldap_user_search_base # ldap_group_search_base # ldap_netgroup_search_base # ldap_service_search_base # ldap_sasl_mech # ad_server # ad_backup_server # ad_site # use_fully_qualified_names # pam_gssapi_services # pam_gssapi_check_upn # # There are # # For more details about these options see their individual description in this manual page. # # [1] For more information: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/using-the-organizational-domain-forest-model # # ??? There needs to be more fleshing out how each trusted domain interacts with each other: do they just inherit properties or can you map the property of one trusted domain to another? ??? # ??? Also, more fleshing out needs to happen about inheritance ??? # ??? Also, all the above mentioned properties: are they specifically used in trusted domains or they are those properties which are explicitelly inherrited from the top/forest/base(?) domain? ???

# [certificate mapping]

# each section can have a 'description' variable # description = "The Certificate Mapping SSSD daemon configuration section"

# SSSD can be configured to allow authentication with smartcards and SSL/PEM # certificates. In order to use such means of authentication, SSSD must be # able to map either type of certificate (card, SSL) to a user. This is done # in two ways: # 1. Embed the full certificate in the LDAP object of the user # ??? which attribute, specifically ??? ??? How does SSSD know which attribute to look up??? # 2. Direct SSSD to a certificate on disk or ??? other means ??? ( local override ) # # When using smartcard authentication, one must use the full certificate. ??? what full certificate? please expand ??? # ??? is there a reason the 'S' in smartcard is capitalized ??? # ??? sss_ssh_authorizedkeys(8) does not exist ??? # ??? how sss_ssh_authorizedkeys(1) has anything to do with certs? # please expand ??? # When using PAM for authentication, using a certificate might be # cumbersome or not even possible. ??? How? Why is it mentioned here? what is the relevancy? ??? # ??? if such an ability is given, give reference(s) to relevant guides ??? # # SSSD provides matching rules to map certificates to their respective # users. This is done by creating a section # [certmap/DOMAIN_NAME/RULE_NAME] # In the case of our example media company, this would be # [certmap/linuxtechtips.bom/fido_key_for_pod_bay_doors] , # given that a FIDO hardware key was required to access the pod bay doors. # # ??? What is the order of precedence? must the domain be declared before such a rule ??? # ??? Must the domain be joined for the rule to be applicable? what happens when we join and then leave the domain? is there a relevant error ??? # # The "files" provider has some built-in special properties: # # If maprule is not set for the specific rule, SSSD assigns the name # of the matching user to maprule as RULE_NAME # If a maprule is used both ??? a single user name or a template like # "{subject_rfc822_name.short_name}" must be in braces. Example: # "(username)" or "({subject_rfc822_name.short_name})" # ??? this makes no sense, please expand. Do you mean the maprule value matches both the username and the template name? ??? # ??? why is subject_rfc822_name mentioned here? what is short_name ? why does (username) have no braces? please expand ??? # * The file provider ignores the value of the "domains" option ??? How does that help? what are the side effects? ??? # # To get an idea of the use cases for certificate matching, please take a # look at the relevant design document "Matching and Mapping certificates" # at https://sssd.io/design-pages/matching_and_mapping_certificates.html # # ??? Rules can be inherited and prioritized over other rules. For an example of how rules are # inheritted and priotirized, please see Example sub-section C in the EXAMPLES section ??? # # SSSD certiticate matching sections utilize the following options to # facilitate matching: # ??? can these properties be used more than once per section? or one rule per user? ???

# Process only the certificates in the smartcard which match this # rule(???s???) . All other certificates are ignored. # Default: KRB5:clientAuth : Process only certificates which have the # Extended Key Usage (EKU) "clientAuth" # # ## matchrule =

# Tell SSSD how to match each user with each certificate. Providers # supported are either LDAP-based providers (ldap, AD or IPA) or the # files provider. # # For the LDAP-based providers, SSSD searches the provider for a specific # LDAP value. For the files provider, SSSD searches the disk? path? section? # for RULE_NAME to match the provided certificate with the user. ??? is this correct ??? #
# Default: # # LDAP:(userCertificate;binary={cert!bin}) for the LDAP-based providers # The RULE_NAME for the "files" provider which tries to find a user with the same name. # ??? "which tries to find a user with the same name" this needs expanding ??? # ## maprule =

# Comma separated list of domain names the rule should be applied for. # By default, a rule is only valid in the ??? domain | is this supposed to be singular? ??? configured in sssd.conf. # If the provider supports subdomains, this option is inherited to all subdomains, trusted and otherwise ??? check validity of statement ???. # # Default: the configured domain in [sssd], contained in the domains property value ## domains =

# Define rule priority ??? over other rules ???, by assigning an # unsigned integer value. Priority is given to the rule with the smallest # value: The higher the number, the lower the priority. "0" stands for the # highest priority while "4294967295" ( MAX_UINT ) is the lowest. # ??? kind of counter-intuitive, but ok ??? # # Default: the lowest priority ??? expand please: ??? # ??? what happens if sysadmin gives two rules the same priority ??? # ??? what happens if sysadmin forgets to assign a rule priority ??? # priority =

# [prompting configuration]

# each section can have a 'description' variable # description = "The section where we tell the SSSD daemon how to prompt users for authentication"

# You can configure the prompt SSSD presents to the user, both for a password # prompt and for a two-factor authentication (2FA) prompt. ??? That way you # can insert unique signatures in your prompt ??? What is the reason to do so? # # To configure the prompt for each type of authenentication, you have to set # either [prompting/password] or [prompting/2fa] . Each section supports # the following options: # # [prompting/password] # # Configure the prompt shown ??? to who? how? ?? # password_prompt = # # [prompting/2fa] # # Change the string of the prompt for the first factor ??? what does that look like to the user? who does the prompting? ??? # first_prompt = # # Change the string of the prompt for the second factor ??? what does that look like to the user? who does the prompting? ??? # second_prompt = # # Enable or disable a single, unified prompt for both the first and the # # second factor. If set to True, there will be only a single prompt. # # That prompt will use the value of first_prompt. The user is # # expected to enter both factors as a single string. # ??? EXAMPLE: How will the user do that? What will it look like to the user? how does the user seperate the password from the 2FA token? ??? # single_prompt = # # ??? Please note that both factors have to be entered here, even if the second factor is optional. ??? in the boolean value? please expand ??? # ??? If the second factor is optional and it should be possible to log in either only with the password or with both factors two-step prompting has to be used. ??? unclear. Rephrased below, please check validity: ??? # NOTE: When utilizing 2FA, [prompting/2fa].first_prompt and # [prompting/2fa].second_prompt have to be set, regardless # if the second factor is optional or not. # # The sysadmin can further granulize 2FA prompting use to services, by # adding a subsection with 2FA prompting as # [prompting/password/PAM_SERVICE_NAME] # For example: # [prompting/password/sshd] # password_prompt = "Password prompting for the SSH daemon" # # ??? Check validity: This will change the password prompt for the SSH # daemon from the PAM prompt "Password:" to # "Password prompting for the SSH daemon" ??? # # All services listed under /etc/pam.d/ are valid values. #

# > If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists SSSD's PAM module pam_sss will ask SSSD to figure out which authentication methods are available for the user trying to log in. Based on the results pam_sss will prompt the user for appropriate credentials. # I have no clue how to fit this in here and if it should even be here. Please help.

# [EXAMPLES]

# each section can have a 'description' variable # description = "The example configuration section"

# In this section we will illustrate examples of various SSSD configurations # using the built-in SSSD mechanisms and services. Specifically we have: # # A. Typical configurations # Typical configurations include the minimal needed properties to allow # users in a centrally-managed infastructure to log into the computer the # SSSD daemon is running on.+ # 1. A typical SSSD configuration using the LDAP provider # 2. A typical SSSD configuration using the AD provider # If set to True, all requests to this domain must use fully qualified # names. For example, if used in LOCAL domain that contains a "test" user, # getent passwd test would not find the user while getent passwd test@LOCAL # would. # ---------------------------------------------------------------------- # Example: # subdomain_inherit = ldap_search_timeout,ldap_network_timeout,\ # ldap_opt_timeout,ldap_offline_timeout,ldap_enumeration_refresh_timeout,\ # ldap_enumeration_refresh_offset,ldap_purge_cache_timeout,\ # ldap_purge_cache_offset,ldap_krb5_keytab,ldap_krb5_ticket_lifetime,\ # ldap_enumeration_search_timeout,ldap_connection_expire_timeout,\ # ldap_connection_expire_offset,ldap_connection_idle_timeout,\ # ldap_use_tokengroups,ldap_user_principal,ignore_group_members,\ # auto_private_groups,case_sensitive # ---------------------------------------------------------------------- # The following configuration example allows local users to authenticate # locally using any enabled method (i.e. smartcard, passkey). # # [domain/shadowutils] # id_provider = proxy # proxy_lib_name = files # auth_provider = none # local_auth_policy = only # ---------------------------------------------------------------------- # The value of auto_private_groups can either be set per subdomains in a # seperate subsection, for example: # # [domain/forest.domain/sub.domain] # auto_private_groups = false # # or globally for all subdomains in the main forest domain section using # the subdomain_inherit option: # # [domain/forest.domain] # subdomain_inherit = auto_private_groups # auto_private_groups = false # ---------------------------------------------------------------------- # ??? fleshing out, maybe example? ??? # Default: Not set by default. # proxy_pam_target = # ---------------------------------------------------------------------- # searched for in the library are in the form of # _nss_$(libName)_$(function). For example, _nss_files_getpwent . # proxy_lib_name = # proxy_resolver_lib_name = # ---------------------------------------------------------------------- # # 3. A typical SSSD configuration using the Kerberos provider # 4. A typical SSSD configuration using the IPA provider # 5. A typical SSSD configuration using the files provider # # B. Extended configurations # 1. An extended SSSD configuration using the LDAP provider # 2. A typical SSSD configuration using the AD provider # 3. An extended SSSD configuration using the Kerberos provider # Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i # Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default # list # pam_response_filter = ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i # 4. An extended SSSD configuration using the IPA provider # 5. An extended SSSD configuration using the files provider # # C. Configurations with inheritance # 1. SSSD configuration using the LDAP provider # 2. SSSD configuration using the AD provider # 3. SSSD configuration using the Kerberos provider # 4. SSSD configuration using the IPA provider # 5. SSSD configuration using the files provider # # D. Configurations using services # Example: ## # pam_p11_allowed_services = +my_pam_service, -login # This allows a custom PAM service name ("my_pam_service") and disables # ---------------------------------------------------------------------- # # Example: # p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader # or # p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2 # ---------------------------------------------------------------------- # Example: # pam_gssapi_services = sudo, sudo-i # ---------------------------------------------------------------------- # Example: Require access to SUDO services only for users which # obtained their Kerberos tickets with a X.509 certificate # pre-authentication (PKINIT) # pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit # ---------------------------------------------------------------------- # # 1. SSSD services configuration using the LDAP provider # 2. SSSD services configuration using the AD provider # 3. SSSD services configuration using the Kerberos provider # 4. SSSD services configuration using the IPA provider # The typical example is a FreeIPA domain where 'ldap_user_principal' # is set to a not existing attribute name. # 5. SSSD services configuration using the files provider # # E. Configuration using Application domains # 1. SSSD configuration using the LDAP provider # [sssd] # description = "Partial, relevant SSSD configuration" # domains = appdom, posixdom # # [ifp] # description = "sssd-ipf(5) is the Linux D-Bus provider" # user_attributes = +phone # # [domain/posixdom] # description = "definition and properties for domain posixdom. This domain uses POSIX attributes such as uid, gid and extended groups the user may be part of" # id_provider = ldap # ldap_uri = ldap://ldap.example.com # ldap_search_base = dc=example,dc=com # # [application/appdom] # description = "definition of the application domain appdom. This appilcation domain inherits the properties of the posixdom domain via the inherit_from property" # inherit_from = posixdom # ldap_user_extra_attrs = phone:telephoneNumber # ---------------------------------------------------------------------- # # 2. SSSD configuration using the AD provider # 3. SSSD configuration using the Kerberos provider # 4. SSSD configuration using the IPA provider # 5. SSSD configuration using the files provider # # F. Configurations with Trusted Domains # 1. SSSD Trusted Domains configuration using the LDAP provider # 2. SSSD Trusted Domains configuration using the AD provider # 3. SSSD Trusted Domains configuration using the Kerberos provider # 4. SSSD Trusted Domains configuration using the IPA provider # 5. SSSD Trusted Domains configuration using the files provider # # G. Configurations with Certificate Mapping # 0. Small Introduction # Further resources # 1. SSSD Trusted Domains configuration using the LDAP provider # 2. SSSD Trusted Domains configuration using the AD provider # 3. SSSD Trusted Domains configuration using the Kerberos provider # 4. SSSD Trusted Domains configuration using the IPA provider # 5. SSSD Trusted Domains configuration using the files provider # # H. Configurations with 2FA and multi-factor authentication # 0. Small Introduction # Further resources # 1. SSSD 2FA configuration using the LDAP provider # 2. SSSD 2FA configuration using the AD provider # 3. SSSD 2FA configuration using the Kerberos provider # 4. SSSD 2FA configuration using the IPA provider # 5. SSSD 2FA configuration using the files provider # # # ---------------------------------------------------------------------- # # A.1: A typical SSSD configuration using the LDAP provider # # The following example shows a typical SSSD config using the LDAP # provider. # # [sssd] # domains = LDAP # services = nss, pam # config_file_version = 2 # # [nss] # filter_groups = root # filter_users = root # # [pam] # # [domain/LDAP] # id_provider = ldap # ldap_uri = ldap://ldap.example.com # ldap_search_base = dc=example,dc=com # auth_provider = krb5 # krb5_server = kerberos.example.com # krb5_realm = EXAMPLE.COM # cache_credentials = true # enumerate = False # min_id = 10000 # max_id = 20000 # # In [sssd], we define a domain called LDAP, which has two services. # We also explicitelly set the version of the config file ??? because why ??? . # # In the [nss] section we filter the root user and the root group, so they \# will not be able to log in. The [pam] section has no properties ??? why not ??? \# \# In the domain[domain/LDAP], we tell SSSD that it will be using the \# LDAP provider to ??? authenticate ??? users. We set the LDAP URI and \# give the string where the search base will take place. For authorization \# to sign into LDAP, we use a Kerberos token, hence the definition of a \# Kerberos server and a Kerberos realm. We instruct SSSD to cache any \# credentials it comes by and we tell it to not pre-enumerate all the \# object IDs in LDAP. Setting enumerate to True will certainly make the \# later access faster, but it will take a long time to go through the \# entire LDAP catalogue, especially since searching in LDAP is O(n) \# Lastly, we set the minimum and maximum user ID, 10000 and 20000, \# respectivelly. \# \# ??? What happens if we need to lower the value of min_id? ??? \# ??? What happens if we need to increase the value of max_id? ??? \# ??? Do we need to do some user renumbering? \# \# ---------------------------------------------------------------------- \# \# F.4: SSSD Trusted Domains configuration using the IPA provider \# In this example we have an AD forest in order to demonstrate a \# parent-child relationship. The forest consists of two domains, \#ipa.comandad.com.ad.comhas a DNS subdomain,child.ad.com \# \# We want to use short domain names to save time inchild.ad.com` ??? to save time typing ??? # # [domain/ipa.com/child.ad.com] # use_fully_qualified_names = false # # ??? This example needs expansion, along with all inherited and trusted domains. # ??? The following example shows configuration of IPA AD trust ??? not clear, please explain # # # G.0: Configurations with Certificate Mapping # The following example shows the configuration of a certificate mapping # rule. The rule is valid for the configured domain "my.domain" and for # the subdomains "your.domain". It uses the certificate from LDAP in # the search filter ??? which causes what ??? # # # [certmap/my.domain/rule_name] # matchrule = ^CN=My-CA,DC=MY,DC=DOMAIN$ # maprule = (userCertificate;binary={cert!bin}) # domains = my.domain, your.domain # priority = 10 # # ??? we need a second rule here to show priority. Please help me write a second one ??? # ----------------------------------------------------------------------

# SEE ALSO # # ??? maybe expand here what each man page contains? one line per man page ???? # # sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), # sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), # sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), # sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), # sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)

[domain/mydomain.on] default_shell = /bin/bash krb5_store_password_if_offline = True cache_credentials = False krb5_realm = MYDOMAIN.ON realmd_tags = manages-system joined-with-adcli fallback_homedir = /data/posit/home/%u ad_domain = mydomain.on ldap_id_mapping = True #ad_gpo_map_service = +rstudio

SSSD / sssd

sssd.conf(5): working sssd.conf with all default values #7383