
tl;dr

I want to easily and quickly tell if a user is local or domain (don't care which domain).

Environment

  • freeipa-client-4.6.1-3.fc27.x86_64
  • sssd-1.16.0-4.fc27.x86_64

Full story

I am writing a userinfo.sh script that will show if a user is local, sssd, can ssh, and is permitted by sssd.

Currently I am checking whether the user is from the domain with the getent passwd -s sss $USERNAME command. But I ran into an issue where checking the sssd database returns a local user!

    # getent passwd -s sss 'bgstack15-local'
    bgstack15-local:x:1000:1000:bgstack15-local:/home/bgstack15-local:/bin/bash

Checking the contents of the database (cache) for sss shows sssd apparently caches all sorts of information about the local user.

    # sudo su root -c 'strings /var/lib/sss/db/* | grep bgstack15-local' | sort | uniq
    name=bgstack15-local@implicit_files,cn=groups,cn=ih
    name=bgstack15-local@implicit_files,cn=groups,cn=implicit_files,cn=sysdb
    name=bgstack15-local@implicit_files,cn=users,cn=implicit_files,cn=sysdb
    [...output truncated]

I tried clearing the sssd cache overall, and just for the user. Neither made a difference.

    # sss_cache -U
    # sss_cache -u bgstack15-local

The user does show up as a local user, and I promise it is only a local user!

    getent passwd -s files 'bgstack15-local'
    bgstack15-local:x:1000:1000:bgstack15-local:/home/bgstack15-local:/bin/bash

The man pages for getent(1) and getpwent(3) don't help me understand what could be going on. sssd(8) shows me that sssd can cache local users, which actually goes against what I want! The nss section of sssd.conf(5) doesn't help, but maybe I didn't take enough time to read it. I'm a little stuck.

My sssd.conf

    [domain/ipa.example.com]
    id_provider = ipa
    ipa_server = _srv_, dns1.ipa.example.com
    ipa_domain = ipa.example.com
    ipa_hostname = fc27c-01a.ipa.example.com
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    cache_credentials = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_store_password_if_offline = True
    [sssd]
    services = nss, pam, ssh, sudo
    domains = ipa.example.com
    [nss]
    homedir_substring = /home
    [pam]
    [sudo]
    [autofs]
    [ssh]
    [pac]
    [ifp]
    [secrets]
    [session_recording]

Last resort

I can try doing my checks against ${USERNAME}@${DOMAIN} when doing the -s sss check, but that means I then have to iterate over all domains in sssd.conf and that would slow the process down.

1 Answer


The option that controls this behavior is buried in sssd.conf(5) on CentOS 7 and Fedora, but not in the online man page.

sssd.conf

    [sssd]
    enable_files_domain = false

Reference 3 shows that sssd makes a "fast cache for local users."

From man sssd.conf(5) on my Fedora system:

    enable_files_domain (boolean)
        When this option is enabled, SSSD prepends an implicit domain with “id_provider=files” before any explicitly configured domains.
        Default: true

Disabling this behavior lets me make a simple check to see if it is a local user or domain user.

References

  1. ddg: sssd disable caching local users
  2. https://bugzilla.redhat.com/show_bug.cgi?id=1357418
  3. https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers
  4. Fedora 27 sssd.conf(5)
  5. https://bgstack15.wordpress.com/2018/02/23/getent-passwd-s-sss-localuser-shows-local-user/
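The local-versus-domain check the question asks for, as an added example that is not the author's userinfo.sh: it runs the same getent -s files / -s sss probes and reads enable_files_domain from sssd.conf (path assumed to be /etc/sssd/sssd.conf unless SSSD_CONF overrides it), so a user answered by both sources while the implicit files domain is still on is reported as the cached-local-user case instead of as a domain user.

```shell
#!/bin/sh
# Added example (not the author's userinfo.sh). Assumes getent(1) and that
# sssd.conf lives at /etc/sssd/sssd.conf unless SSSD_CONF overrides it.
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# implicit_files_enabled CONF -> prints yes|no.
# sssd.conf(5) says the default is true, so a missing key or file means yes.
implicit_files_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo yes; return 0; }
    val=$(awk -F= '
        /^[[:space:]]*\[/ { sect = $0 }
        sect ~ /^[[:space:]]*\[sssd\]/ && $1 ~ /^[[:space:]]*enable_files_domain[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print tolower($2); exit
        }' "$conf")
    case "$val" in
        false|no|0) echo no ;;
        *)          echo yes ;;
    esac
}

# in_source USER SERVICE -> exit 0 when the NSS service (files or sss) knows USER
in_source() {
    getent passwd -s "$2" "$1" >/dev/null 2>&1
}

# classify_user USER -> local | domain | both | unknown
classify_user() {
    f=no; s=no
    in_source "$1" files && f=yes
    in_source "$1" sss   && s=yes
    case "$f$s" in
        yesno)  echo local ;;
        noyes)  echo domain ;;
        yesyes) echo both ;;
        *)      echo unknown ;;
    esac
}

# userinfo USER -> one summary line. "both" while the implicit files domain is
# enabled is the question's situation: sss answers for a local account.
userinfo() {
    kind=$(classify_user "$1")
    if [ "$kind" = both ] && [ "$(implicit_files_enabled "$SSSD_CONF")" = yes ]; then
        echo "$1: local (served by sssd's implicit files domain; set enable_files_domain = false)"
    else
        echo "$1: $kind"
    fi
}
```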
