Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 8. Reporting on user access on hosts using SSSD

The Security System Services Daemon (SSSD) tracks which users can or cannot access clients. This chapter describes creating access control reports and displaying user data using the sssctl tool.

Prerequisites

  • SSSD packages are installed in your network environment

8.1. The sssctl command

sssctl is a command-line tool that provides a unified way to obtain information about the Security System Services Daemon (SSSD) status.

You can use the sssctl utility to gather information about:

  • Domain state
  • Client user authentication
  • User access on clients of a particular domain
  • Information about cached content

With the sssctl tool, you can:

  • Manage the SSSD cache
  • Manage logs
  • Check configuration files
Note

The sssctl tool replaces sss_cache and sss_debuglevel tools.

Additional resources

  • sssctl --help

8.2. Generating access control reports using sssctl

You can list the access control rules applied to the machine on which you are running the report because SSSD controls which users can log in to the client.

Note

The access report is not accurate because the tool does not track users locked out by the Key Distribution Center (KDC).

Prerequisites

  • You must be logged in with administrator privileges.

Procedure

  • To generate an access control report, run the following command, replacing <domain_name>: 

    [root@client1 ~]# sssctl access-report <domain_name>
1 rule cached

Rule name: example.user
	Member users: example.user
	Member services: sshd

8.3. Displaying user authorization details using sssctl

Use the sssctl user-checks command to troubleshoot authentication and authorization issues in applications that rely on the System Security Services Daemon (SSSD).

Run sssctl user-checks <user_name> to display user data available from Name Service Switch (NSS) and the InfoPipe responder for the D-Bus interface. The output shows whether the user is authorized to log in using the system-auth Pluggable Authentication Module (PAM) service.

The command has two options:

  • -a for a PAM action
  • -s for a PAM service

If you do not specify -a and -s options, the sssctl tool uses default options: -a acct -s system-auth.

Prerequisites

  • You must be logged in with administrator privileges.

Procedure

  • To display user data for a particular user, enter: 

    [root@client1 ~]# sssctl user-checks -a acct -s sshd <user_name>
user: example.user
action: acct
service: sshd
....

Additional resources

  • sssctl user-checks --help
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.