```bash
# where getent reads from: a single-user lookup uses the memory cache, enumeration goes through the nss responder pipe
getent passwd <USER>           # -> checks data in /var/lib/sss/mc/passwd
getent passwd | grep <USER>    # -> checks data in /var/lib/sss/pipes/nss
```
# sss
# sss_override
```bash
$ sudo dnf install -y sssd-tools
```
## sss_override management
### check user
```bash
$ sudo sssctl user-checks <username>
user: marslo
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: marslo
 - user id: 33637
 - group id: 40048
 - gecos: Marslo Jiao (Marslo Jiao)
 - home directory: /home/marslo
 - shell: /bin/bash

InfoPipe operation failed. Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services' option in sssd.conf.
InfoPipe User lookup with [marslo] failed.

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

# or
$ getent passwd -s sss marslo
```
```bash
# clear the cache and update all records
$ sudo /usr/sbin/sss_cache [-E|--everything]

# invalidate cache entries for all user records
$ sudo /usr/sbin/sss_cache [-U|--users]

# clear all cached entries for a particular domain
$ sudo /usr/sbin/sss_cache [-E|--everything] [-d|--domain] <ldap_name>

# purge the records for one specific account and leave the rest of the cache intact
$ sudo /usr/sbin/sss_cache [-u|--user] <username>

# invalidate the cache entry for the specified group
$ sudo /usr/sbin/sss_cache [-g|--group] <groupname>
```
Log in as root to execute the following commands, or use any local account with sudo; otherwise the sssd account becomes unavailable while the sssd service is stopped!
```bash
# login to root or any sudo local account
$ sudo su -

# clean cache
$ sudo /usr/sbin/sss_cache -u devops
$ sudo /usr/sbin/sss_cache -E
$ sudo systemctl restart sssd

# stop sssd service and move /var/lib/sss/mc/passwd out of the way
$ sudo systemctl stop sssd.service
$ sudo mv /var/lib/sss/mc/passwd{,.bak}

# create local user
$ sudo useradd -m -d '/home/devops' -u 1001 -g devops -s /bin/bash devops
$ id devops
uid=1001(devops) gid=1001(devops) groups=1001(devops)

# start sssd service
$ sudo systemctl start sssd.service
```
After this, specify `ldap_default_bind_dn` and `ldap_default_authtok` in `/etc/sssd/sssd.conf` as the default bind DN and password respectively; the values depend on your LDAP setup.
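The procedure above is easy to get wrong in a way that locks you out (running it from an sssd-backed session) or that collides with an existing local entry. The script below is an added example, not part of the original notes: it wraps the same steps with pre-flight checks against a passwd-format file. The user names, uids and sample passwd lines are constructed values.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): guarded version of the
# "create a local user while sssd is stopped" procedure. Names, uids and the
# sample passwd content are constructed values.

# 0 if NAME is defined in a passwd-format file (default /etc/passwd).
local_user_exists() {
  awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }' "${2:-/etc/passwd}"
}

# 0 if UID is already allocated in a passwd-format file.
local_uid_in_use() {
  awk -F: -v u="$1" '$3 == u { f = 1 } END { exit !f }' "${2:-/etc/passwd}"
}

# 0 if the invoking session belongs to a local (files) account, i.e. one that
# keeps working while sssd is stopped and the memory cache is moved away.
session_is_local() {
  local_user_exists "$(id -un 2>/dev/null)" "${1:-/etc/passwd}"
}

# The steps from the notes, guarded. Not run automatically; call it as
# create_local_shadow_user devops 1001 from a root or local sudo session.
create_local_shadow_user() {
  local name="$1" uid="$2"
  session_is_local || { echo "refusing: session is not a local account" >&2; return 1; }
  local_user_exists "$name" && { echo "refusing: $name is already local" >&2; return 1; }
  local_uid_in_use "$uid" && { echo "refusing: uid $uid is already in use" >&2; return 1; }
  sudo /usr/sbin/sss_cache -u "$name"
  sudo systemctl stop sssd.service
  sudo mv /var/lib/sss/mc/passwd{,.bak}
  # -g omitted: useradd creates the user-private group by default
  sudo useradd -m -d "/home/$name" -u "$uid" -s /bin/bash "$name"
  sudo systemctl start sssd.service
}

# Offline demonstration against a constructed passwd file; returns 0 when
# every check behaves as expected (devops/1001 local, marslo/33637 not).
demo_checks() {
  local f; f="$(mktemp)"
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
  printf 'devops:x:1001:1001::/home/devops:/bin/bash\n' >> "$f"
  local_user_exists devops "$f" && ! local_user_exists marslo "$f" \
    && local_uid_in_use 1001 "$f" && ! local_uid_in_use 33637 "$f"
  local rc=$?; rm -f "$f"; return $rc
}
```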
```bash
# error
sudo: unable to load /usr/lib/x86_64-linux-gnu/libsss_sudo.so: /usr/lib/x86_64-linux-gnu/libsss_sudo.so: cannot open shared object file: No such file or directory
sudo: unable to initialize SSS source. Is SSSD installed on your machine?

# fix
$ sudo apt install libsss-sudo
```
# local user
## subuid & subgid
Check the subuid and subgid ranges in `/etc/subuid` and `/etc/subgid`.
```bash
$ chage -l marslo
Last password change                                    : Mar 09, 2022
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
```