13.2.5. Configuring Services: NSS

SSSD provides an NSS module, sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.

About NSS Service Maps and SSSD

The Name Service Switch (NSS) provides a central configuration for services to look up a number of configuration and name resolution services. NSS provides one method of mapping system identities and services with configuration sources.

SSSD works with NSS as a provider services for several types of NSS maps:

Passwords (passwd)
User groups (shadow)
Groups (groups)
Netgroups (netgroups)
Services (services)

Procedure 13.1. Configuring NSS Services to Use SSSD

NSS can use multiple identity and configuration providers for any and all of its service maps. The default is to use system files for services; for SSSD to be included, the nss_sss module has to be included for the desired service type.

Use the Authentication Configuration tool to enable SSSD. This automatically configured the nsswitch.conf file to use SSSD as a provider.
```
authconfig --enablesssd --update
```
```
~]# authconfig --enablesssd --update
```
Copy to Clipboard Toggle word wrap
This automatically configures the password, shadow, group, and netgroups services maps to use the SSSD module:
```
passwd:     files sss
shadow:     files sss
group:      files sss

netgroup:   files sss
```
```
passwd:     files sss
shadow:     files sss
group:      files sss

netgroup:   files sss
```
Copy to Clipboard Toggle word wrap
The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
```
vim /etc/nsswitch.conf
```
```
~]# vim /etc/nsswitch.conf

...
services: file sss
...
```
Copy to Clipboard Toggle word wrap

Procedure 13.2. Configuring SSSD to Work with NSS

The options and configuration that SSSD uses to service NSS requests are configured in the SSSD configuration file, in the [nss] services section.

Open the sssd.conf file.
```
vim /etc/sssd/sssd.conf
```
```
~]# vim /etc/sssd/sssd.conf
```
Copy to Clipboard Toggle word wrap

Make sure that NSS is listed as one of the services that works with SSSD.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

Copy to Clipboard

Toggle word wrap

In the [nss] section, change any of the NSS parameters. These are listed in Table 13.2, “SSSD [nss] Configuration Parameters”.

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

Copy to Clipboard

Toggle word wrap

Restart SSSD.
```
service sssd restart
```
```
~]# service sssd restart
```
Copy to Clipboard Toggle word wrap

Expand

Table 13.2. SSSD [nss] Configuration Parameters
Parameter	Value Format	Description
entry_cache_nowait_percentage	integer	Specifies how long `sssd_nss` should return cached entries before refreshing the cache. Setting this to zero (`0`) disables the entry cache refresh. This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval. The allowed values for this option are 0 to 99, which sets the percentage based on the `entry_cache_timeout` value. The default value is 50%.
entry_negative_timeout	integer	Specifies how long, in seconds, `sssd_nss` should cache negative cache hits. A negative cache hit is a query for an invalid database entries, including non-existent entries.
filter_users, filter_groups	string	Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as `root`.
filter_users_in_groups	Boolean	Sets whether users listed in the `filter_users` list appear in group memberships when performing group lookups. If set to `FALSE`, group lookups return all users that are members of that group. If not specified, this value defaults to `true`, which filters the group member lists.
debug_level	integer, 0 - 9	Sets a debug logging level.

NSS Compatibility Mode

NSS compatibility (compat) mode provides the support for additional entries in the /etc/passwd file to ensure that users or members of netgroups have access to the system.

To enable NSS compatibility mode to work with SSSD, add the following entries to the /etc/nsswitch.conf file:

passwd: compat
passwd_compat: sss

passwd: compat
passwd_compat: sss

Copy to Clipboard

Toggle word wrap

Once NSS compatibility mode is enabled, the following passwd entries are supported:

+user -user
Include (+) or exclude (-) a specified user from the Network Information System (NIS) map.
+@netgroup -@netgroup
Include (+) or exclude (-) all users in the given netgroup from the NIS map.
+
Exclude all users, except previously excluded ones from the NIS map.

For more information about NSS compatibility mode, see the nsswitch.conf(5) manual page.

返回顶部

此内容没有您所选择的语言版本。

13.2.5. Configuring Services: NSS

About NSS Service Maps and SSSD

NSS Compatibility Mode

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links