All,
In the comments in /etc/nsswitch.conf file, it says:
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
and then later:
# In order of likelihood of use to accelerate lookup.
passwd: sss files systemd
shadow: files
group: sss files systemd
However, we consulted with Red Hat Tech Support years ago when we first started implementing sssd, and they advised us to put in local providers first, then remote.
So we typically do this:
passwd: files systemd sss
...
group: files systemd sss
Which is correct?
Spike
I'm fairly certain that the order in nsswitch orders the data cached by sssd. So files first for fastest locate then sss last for local cache then actual lookup over the wire. It's a first-find process.
So both are correct. Files first AND sssd caches all of it in the order from nsswitch.
Hi,
On Tue, Feb 4, 2025 at 9:07 PM Spike White via sssd-users <sssd-users@lists.fedorahosted.org> wrote:
All,
In the comments in /etc/nsswitch.conf file, it says:
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
and then later:
# In order of likelihood of use to accelerate lookup.
passwd: sss files systemd
shadow: files
group: sss files systemd
However, we consulted with Red Hat Tech Support years ago when we first started implementing sssd, and they advised us to put in local providers first, then remote.
So we typically do this:
passwd: files systemd sss
...
group: files systemd sss
Which is correct?
tl;dr: in general I agree with the recommendation to keep 'files' before 'sss'.
Longer/precise answer depends on the OS/version being used. On more recent versions 'authselect' should do the right thing "out of the box".
Alexey,
Thanks. We don't use authselect because we're very familiar with PAM stacks and we have a highly customized PAM stack.
Spike
On Wed, Feb 5, 2025 at 1:47 AM Alexey Tikhonov <atikhono@redhat.com> wrote:
Hi,
tl;dr: in general I agree with the recommendation to keep 'files' before 'sss'.
Longer/precise answer depends on the OS/version being used. On more recent versions 'authselect' should do the right thing "out of the box".
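Added example, not part of the thread or of any participant's message: a small parser that reads nsswitch.conf text and reports, for passwd and group, which of 'files' and 'sss' is tried first, using the two orderings quoted above as input. It relies on glibc's default NSS behaviour that a source returning success ends the lookup; the function names, the sample strings and the `[NOTFOUND=return]` sample line are constructed for illustration.

```python
import re

# Constructed samples: the two orderings quoted in the thread, plus one
# with an action list to show how it changes the outcome.
DISTRO = "passwd: sss files systemd\nshadow: files\ngroup: sss files systemd\n"
SITE = "passwd: files systemd sss\ngroup: files systemd sss\n"
CUTOFF = "passwd: sss [NOTFOUND=return] files  # constructed\n"

TOKEN = re.compile(r"\[[^\]]*\]|\S+")  # a bracketed action list or a source name


def parse_nsswitch(text):
    """Return {database: [(source, [actions])]} in the order NSS tries them."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        for tok in TOKEN.findall(rest):
            if not tok.startswith("["):
                entries.append((tok, []))
            elif entries:                        # actions bind to the source before them
                entries[-1][1].extend(tok.strip("[]").upper().split())
        dbs[db.strip()] = entries
    return dbs


def audit(text, databases=("passwd", "group")):
    """For each database: source order, which of files/sss answers first,
    and sources never consulted on a miss because of [NOTFOUND=return]."""
    report = {}
    for db, entries in parse_nsswitch(text).items():
        if db not in databases:
            continue
        names = [name for name, _ in entries]
        both = "files" in names and "sss" in names
        first = min(("files", "sss"), key=names.index) if both else None
        skipped = []
        for i, (_, actions) in enumerate(entries):
            if "NOTFOUND=RETURN" in actions:
                skipped = names[i + 1:]
                break
        report[db] = {"order": names, "first": first, "skipped_on_miss": skipped}
    return report


if __name__ == "__main__":
    for label, conf in (("distro", DISTRO), ("site", SITE), ("cutoff", CUTOFF)):
        print(label, audit(conf))
```

With 'files' first, a name present in /etc/passwd is answered locally and sss is only asked on a miss; in the constructed cutoff sample, a miss in sss ends the lookup and 'files' is never consulted.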