Introduction to network user authentication with SSSD

The System Security Services Daemon (SSSD) is actually a collection of daemons that handle authentication, authorisation, and user and group information from a variety of network sources. It’s a useful tool for administrators of Linux and UNIX-based systems, particularly in enterprise systems which may need to integrate with other directory, access control and authentication services.

Common deployment scenarios

At its core, SSSD has support for a variety of authorisation and identity services, such as Active Directory, LDAP, and Kerberos. See the following guides to discover how to set up SSSD with…

Integration with PAM and NSS

SSSD provides Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) modules to integrate these remote sources into your system. This allows remote users to login and be recognised as valid users, including group membership. To allow for disconnected operation, SSSD also can also cache this information, so that users can continue to login in the event of a network failure, or other problems of the same sort.


If you have problems with your SSSD setup, you can use some of the tips contained in our SSSD troubleshooting guide to discover the cause.

1 Like

I have had to add this to my /etc/sssd/sssd.conf file to get supplementary groups to return from Active Directory:

ldap_use_tokengroups = false

I guess it depends on the version of the AD server. The sssd-ldap manpage says:

This options enables or disables use of Token-Groups attribute when performing
initgroup for users from Active Directory Server 2008 and later.

Default: True for AD and IPA otherwise False.