Chapter 9. Reporting on user access on hosts using SSSD
The Security System Services Daemon (SSSD) tracks which users can or cannot access clients. This chapter describes creating access control reports and displaying user data using the sssctl
tool.
Prerequisites
- SSSD packages are installed in your network environment
9.1. The sssctl command
sssctl
is a command-line tool that provides a unified way to obtain information about the Security System Services Daemon (SSSD) status.
You can use the sssctl
utility to gather information about:
- Domain state
- Client user authentication
- User access on clients of a particular domain
- Information about cached content
With the sssctl
tool, you can:
- Manage the SSSD cache
- Manage logs
- Check configuration files
The sssctl
tool replaces sss_cache
and sss_debuglevel
tools.
Additional resources
-
sssctl --help
9.2. Generating access control reports using sssctl
You can list the access control rules applied to the machine on which you are running the report because SSSD controls which users can log in to the client.
The access report is not accurate because the tool does not track users locked out by the Key Distribution Center (KDC).
Prerequisites
- You must be logged in with administrator privileges
-
The
sssctl
tool is available on RHEL 7 and RHEL 8 systems.
Procedure
To generate a report for the
idm.example.com
domain, enter:[root@client1 ~]# sssctl access-report idm.example.com 1 rule cached Rule name: example.user Member users: example.user Member services: sshd
9.3. Displaying user authorization details using sssctl
The sssctl user-checks
command helps debug problems in applications that use the System Security Services Daemon (SSSD) for user lookup, authentication, and authorization.
The sssctl user-checks [USER_NAME]
command displays user data available through Name Service Switch (NSS) and the InfoPipe responder for the D-Bus interface. The displayed data shows whether the user is authorized to log in using the system-auth
Pluggable Authentication Module (PAM) service.
The command has two options:
-
-a
for a PAM action -
-s
for a PAM service
If you do not define -a
and -s
options, the sssctl
tool uses default options: -a acct -s system-auth
.
Prerequisites
- You must be logged in with administrator privileges
-
The
sssctl
tool is available on RHEL 7 and RHEL 8 systems.
Procedure
To display user data for a particular user, enter:
[root@client1 ~]# sssctl user-checks -a acct -s sshd example.user user: example.user action: acct service: sshd ....
Additional resources
-
sssctl user-checks --help