10.2. Domain-access restriction options
The following options are available to restrict access to selected domains:
pam_trusted_users in /etc/sssd/sssd.conf
- This option accepts a list of numerical UIDs or user names representing the PAM service users that SSSD trusts. The default setting is all, which means all service users are trusted and can access any domain.

pam_public_domains in /etc/sssd/sssd.conf
- This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users cannot access any domain.

domains for PAM configuration files
- This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:

  auth required pam_sss.so domains=

  If the PAM configuration file does not use domains, the PAM service is able to authenticate against all domains when that service is running under a trusted user. The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies the list of domains against which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service cannot authenticate against that domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. Using the domains option in a PAM configuration file restricts that service's access to the listed domains.

Specifying a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains also requires that the domain be listed in pam_public_domains. If pam_public_domains does not include the required domain, the PAM service fails to authenticate against that domain whenever the service is running under an untrusted user.
Domain restrictions defined in a PAM configuration file apply to authentication actions only, not to user lookups.
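The following is an added illustration of how the three settings combine; it is not SSSD code and not part of the original page. It embeds a constructed sssd.conf and a few constructed pam_sss.so lines (the domain names corp.example.com, lab.example.com and guests.example.com and the service users are made up), parses them, and computes which domains a PAM service running under a given user could authenticate against by applying the rules described above in order: sssd.conf defines the full list, domains= in the PAM file can only narrow it, and an untrusted service user is then limited to pam_public_domains. The function names are mine, and one simplification is labelled in the code: SSSD resolves pam_trusted_users names to UIDs at startup, whereas this model matches a service identity by UID or name directly so it runs offline.

```python
import configparser
import shlex

# Constructed sample sssd.conf; only the sections relevant to PAM access
# restriction are shown. The domain names and service users are made up.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = corp.example.com, lab.example.com, guests.example.com

[pam]
pam_trusted_users = root, sshd
pam_public_domains = guests.example.com
"""

# Constructed pam_sss.so lines as they would appear in /etc/pam.d/<service>.
PAM_LINE_UNRESTRICTED = "auth required pam_sss.so"
PAM_LINE_RESTRICTED = "auth required pam_sss.so domains=corp.example.com,guests.example.com"
PAM_LINE_EMPTY = "auth required pam_sss.so domains="
PAM_LINE_UNKNOWN = "auth required pam_sss.so domains=other.example.com"


def _csv(value):
    """Split a comma-separated sssd.conf/PAM value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_sssd_conf(text):
    """Return (domains, pam_trusted_users, pam_public_domains), applying the
    documented defaults (all / none) when an option or section is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    trusted = cp.get("pam", "pam_trusted_users", fallback="all").strip()
    public = cp.get("pam", "pam_public_domains", fallback="none").strip()
    return domains, trusted, public


def parse_pam_domains(pam_line):
    """Return None if the pam_sss.so line has no domains= argument, otherwise
    the list it names ("domains=" with no value yields an empty list)."""
    for token in shlex.split(pam_line):
        if token.startswith("domains="):
            return _csv(token[len("domains="):])
    return None


def is_trusted(pam_trusted_users, uid, username):
    """Simplification (assumption of this model): SSSD resolves names to UIDs
    at startup; here an identity matches an entry by UID or by name."""
    if pam_trusted_users == "all":
        return True
    entries = _csv(pam_trusted_users)
    return str(uid) in entries or username in entries


def authenticable_domains(sssd_conf_text, pam_line, uid, username):
    """Domains a PAM service running as (uid, username) can authenticate
    against, applying the three rules in the order the text describes."""
    sssd_domains, trusted, public = parse_sssd_conf(sssd_conf_text)

    # Rule 1: sssd.conf defines the full set; nothing outside it is reachable.
    allowed = list(sssd_domains)

    # Rule 2: domains= on the pam_sss.so line can only narrow that set.
    # Names absent from sssd.conf are ignored; "domains=" alone leaves nothing.
    pam_domains = parse_pam_domains(pam_line)
    if pam_domains is not None:
        allowed = [d for d in allowed if d in pam_domains]

    # Rule 3: an untrusted service user is further limited to public domains.
    if not is_trusted(trusted, uid, username):
        if public == "none":
            allowed = []
        elif public != "all":
            public_domains = _csv(public)
            allowed = [d for d in allowed if d in public_domains]
    return allowed


if __name__ == "__main__":
    cases = [
        ("root", 0, PAM_LINE_UNRESTRICTED),
        ("root", 0, PAM_LINE_RESTRICTED),
        ("root", 0, PAM_LINE_EMPTY),
        ("root", 0, PAM_LINE_UNKNOWN),
        ("httpd", 48, PAM_LINE_UNRESTRICTED),
        ("httpd", 48, PAM_LINE_RESTRICTED),
        ("httpd", 48, "auth required pam_sss.so domains=corp.example.com"),
    ]
    for user, uid, line in cases:
        print(f"{user:6} {line!r}")
        print(f"       -> {authenticable_domains(SSSD_CONF, line, uid, user)}")
```

The last case in the list is the failure mode the text warns about: the PAM file names corp.example.com, but the untrusted service user httpd is limited to pam_public_domains, which only lists guests.example.com, so the result is an empty list and authentication against corp.example.com fails. Adding corp.example.com to pam_public_domains, or adding httpd (or its UID) to pam_trusted_users, makes the domain reachable again. Remember that this model covers authentication only; user lookups are not subject to the PAM-file restriction.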
Additional resources
- For more details on the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page.
- For more details on the domains option used in PAM configuration files, see the pam_sss(8) man page.