13.2.27. Seeding Users into the SSSD Cache During Kickstart
Note
Adding user accounts manually requires the sssd-tools package to be installed.
With SSSD, users in a remote domain are not available in a local system until that identity is retrieved from the identity provider. However, some network interfaces are not available until a user has logged in — which is not possible if the user identity is somewhere over the network. In that case, it is possible to seed the SSSD cache with that user identity, associated with the appropriate domain, so that the user can log in locally and active the appropriate interfaces.
This is done using the
sss_seed
utility:
sss_seed --domain EXAMPLE.COM --username testuser --password-file /tmp/sssd-pwd.txt
This utility requires options that identify, at a minimum, the user name, domain name, and password.
--domain
gives the domain name from the SSSD configuration. This domain must already exist in the SSSD configuration.--username
for the short name of the user account.--password-file
for the path and name of a file containing a temporary password for the seed entry. If the user account already exists in the SSSD cache, then the temporary password in this file overwrites the stored password in the SSSD cache.
Additional account configuration options are listed in the
sss_seed(8)
man page.
This would almost always be run as part of a kickstart or automated setup, so it would be part of a larger set of scripts, which would also enable SSSD, set up an SSSD domain, and create the password file. For example:
function make_sssd { cat <<- _EOF_ [sssd] domains = LOCAL services = nss,pam [nss] [pam] [domain/LOCAL] id_provider = local auth_provider = local access_provider = permit _EOF_ } make_sssd >> /etc/sssd/sssd.conf authconfig --enablesssd --enablesssdauth --update function make_pwdfile { cat <<1 _EOF_ password _EOF_ } make_pwdfile >> /tmp/sssd-pwd.txt sss_seed --domain EXAMPLE.COM --username testuser --password-file /tmp/sssd-pwd.txt