SSSD

From ArchWiki

Related articles

SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will D-BUS based interfaces for extended user information. It provides also a better database to store local users as well as extended user data.

Installation

Install the sssd package.

Configuration

LDAP

See LDAP authentication#SSSD configuration.

PAM proxy

If you would like software running as a non-root user to be able to use pam_unix.so for authentication, you can run SSSD as a PAM proxy for this by creating the following files. 

/etc/sssd/sssd.conf
[sssd]
services = pam
domains = local

[domain/local]
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = sssd-shadowutils
/etc/pam.d/sssd
#%PAM-1.0

auth      required  pam_sss.so
account   required  pam_sss.so
password  required  pam_sss.so
session   required  pam_sss.so

Now specify sssd as the PAM service name in your software's configuration.

Run SSSD as root

SSSD 2.10 and above runs as a non-root user by default, but here it needs to run as root in order to access /etc/shadow. Override the unit sssd.service: 

[Service]
ExecStartPre=
User=root
Group=root
SupplementaryGroups=sssd

Note that SSSD wants its files like /var/log/sssd to have the same owner as the user running SSSD, so you may need to chown those files to be root-owned. Additionally, delete and add /usr/lib/tmpfiles.d/sssd-perms.conf to NoExtract in /etc/pacman.conf to prevent systemd-tmpfiles from reverting the permissions of SSSD files.

Finally, enable/start sssd.service.

Tips and tricks

Prevent logins with empty passwords

If using SSSD as a PAM proxy, by default it allows logging into accounts with empty passwords, which could be undesirable. To fix this, remove nullok from /etc/pam.d/sssd-shadowutils: 

/etc/pam.d/sssd-shadowutils
#%PAM-1.0
auth        [success=done ignore=ignore default=die] pam_unix.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_permit.so

Then add that file to NoUpgrade in /etc/pacman.conf.

See also