Network User Authentication with SSSD

SSSD stands for System Security Services Daemon and it’s actually a collection of daemons that handle authentication, authorization, and user and group information from a variety of network sources. At its core it has support for:

  • Active Directory
  • LDAP
  • Kerberos

SSSD provides PAM and NSS modules to integrate these remote sources into your system, allowing remote users to log in and be recognized as valid users, including their group membership. To allow for disconnected operation, SSSD can also cache this information, so that users can continue to log in during a network failure or a similar problem.

This guide will focus on the most common scenarios where SSSD is deployed.

References


I have had to add this to my /etc/sssd/sssd.conf file to get supplementary groups to return from Active Directory:

ldap_use_tokengroups = false

I guess it depends on the version of the AD server. The sssd-ldap manpage says:

ldap_use_tokengroups
This options enables or disables use of Token-Groups attribute when performing
initgroup for users from Active Directory Server 2008 and later.

Default: True for AD and IPA otherwise False.
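The manpage default quoted above (True for the ad and ipa providers, False otherwise) can be checked per domain before restarting sssd. This is an added example, not code from SSSD or from the post; the sssd.conf text it parses is constructed, and the domain names in it are placeholders.

```python
"""Report the effective ldap_use_tokengroups value for each SSSD domain."""
import configparser

# Constructed sample configuration; not taken from any real host.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com, ipa.example.net, legacy

[domain/corp.example.com]
id_provider = ad
access_provider = ad
cache_credentials = True
ldap_use_tokengroups = false

[domain/ipa.example.net]
id_provider = ipa

[domain/legacy]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
"""


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text, keeping option names as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def effective_tokengroups(conf):
    """Return {domain: bool}: explicit setting if present, else the
    sssd-ldap manpage default (True for ad/ipa id_provider, else False)."""
    result = {}
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        provider = conf.get(section, "id_provider", fallback="")
        if conf.has_option(section, "ldap_use_tokengroups"):
            result[domain] = conf.getboolean(section, "ldap_use_tokengroups")
        else:
            result[domain] = provider in ("ad", "ipa")
    return result


if __name__ == "__main__":
    for name, value in effective_tokengroups(parse_sssd_conf(SAMPLE_CONF)).items():
        print(f"{name}: ldap_use_tokengroups={value}")
```

If a domain comes out True and `id <user>` still lacks groups, that is the case the post above describes; compare the output after setting the option to false. On a live host the script would read /etc/sssd/sssd.conf instead of SAMPLE_CONF.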