Chapter 1. Configuring user authentication using authselect
authselect is a utility that allows you to configure system identity and authentication sources by selecting a specific profile. A profile is a set of files that describes what the resulting Pluggable Authentication Modules (PAM) and Network Security Services (NSS) configuration will look like. You can choose from the default profile set or create a custom profile.
1.1. What is authselect used for
You can use the authselect utility to configure user authentication on a Red Hat Enterprise Linux 9 host.
You can configure identity information and authentication sources and providers by selecting one of the ready-made profiles:
- The default sssd profile enables the System Security Services Daemon (SSSD) for systems that use LDAP authentication.
- The winbind profile enables the Winbind utility for systems directly integrated with Microsoft Active Directory.
- The minimal profile serves only local users and groups directly from system files, which allows administrators to remove network authentication services that are no longer needed.
After selecting an authselect profile for a given host, the profile is applied to every user logging into the host.
Red Hat recommends using authselect in semi-centralized identity management environments, for example if your organization utilizes LDAP or Winbind databases to authenticate users to use services in your domain.
You do not need to use authselect if:
- Your host is part of Red Hat Enterprise Linux Identity Management (IdM). Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
- Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so that you can revert to them if necessary:
$ authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard
1.1.1. Files and directories authselect modifies
The authconfig utility, used in previous Red Hat Enterprise Linux versions, created and modified many different configuration files, making troubleshooting more difficult. Authselect simplifies testing and troubleshooting because it only modifies the following files and directories:
| The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name. |
| Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users. The configuration files in the Among other things, these files contain information about: |
| This directory holds configuration profiles for the |
1.1.2. Data providers in /etc/nsswitch.conf
The default sssd profile establishes SSSD as a source of information by creating sss entries in /etc/nsswitch.conf:
passwd: sss files
group: sss files
netgroup: sss files
automount: sss files
services: sss files
...
This means that the system first looks to SSSD when information concerning one of those items is requested:
- passwd for user information
- group for user group information
- netgroup for NIS netgroup information
- automount for NFS automount information
- services for information regarding services
The system looks at the local files, that is /etc/*, only if the requested information is found neither in the sssd cache nor on the server providing authentication, or if sssd is not running.
For example, if information is requested about a user ID, the user ID is first searched for in the sssd cache. If it is not found there, the /etc/passwd file is consulted. Similarly, if a user's group affiliation is requested, it is first searched for in the sssd cache, and only if it is not found there is the /etc/group file consulted.
In practice, the local files database is not normally consulted. The most important exception is the root user, which is never handled by sssd but by files.