sssd/LDAP + "+name"-entry in /etc/passwd?

Hi *,

many, many moons ago, we were able to override user account settings (i.e. home dir and/or shell) from an LDAP-based back-end by adding a “plus entry” to /etc/passwd, i.e.

+someuser::::::/bin/ksh

I tried this today on an Opensuse Leap 42.2 system that is configured to use sssd (with LDAP back-end) but failed: “getent passwd someuser” always reported the values from LDAP.

/etc/nsswitch.conf has “passwd: compat sss”, nscd is not active on that system.

Is this feature unavailable with sssd or do I need to change some configuration for this to work?

Regards,
J

Hi *,

sorry for replying to my own thread, but after some search I found the answer to my question on my own:

The “+name”-overrides in /etc/passwd do catch once /etc/nsswitch.conf is set to


passwd: compat
passwd_compat: sss

Now setting i.e. the following entry in /etc/passwd


+someuser:::::/home.local/someuser:

will, if the user named “someuser” is resolvable by sssd, make that user use /home.local/someuser as the home directory, no matter what directory is set in the back-end that sssd uses for resolution of the user’s entry.

Regards,
J

jmozdzen,

Perhaps I can help even though you’ve managed a solution.

First, the compat setting. This was implemented alongside glibc/nsswitch mechanisms to include ldap account resolution on systems.

passwd: compat
group: compat

passwd_compat: ldap
group_compat: ldap

These directives implemented this way in the /etc/nsswitch.conf allow the glibc library to evaluate the local database and the ldap database for users and groups. The getent command should return both sets of users.

Using this format, you are correct in the method to omit remote users from resolution using the following format in the /etc/passwd or /etc/group references:

+:x:x:x:x:x:x in and +:x:x: respectively

Equally you should be able to say:

passwd: compat ldap
group: compat ldap

If you cannot do so now using the second example I would suspect a library change or update may be responsible, but this is just a guess.

Regardless I suspect that whether you are using pam_ldap or pam_sss there is an underlying system configuration issue. In short local user resolution should override remote user resolution as a default. How either module was implemented may be the issue. Specifically if the files in the /etc/pam.d directory were modified manually, using the pam-config utility or with YaST.

A working example for the pam_sss module that exhibits the described behaviour:

/etc/pam.d/common-account

account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass

/etc/pam.d/common-password

password requisite pam_cracklib.so
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_sss.so use_authtok

/etc/nsswitch.conf

passwd: compat sss

All of that said there is a way to manage the attributes returned by an SSSD resolved user in more recent versions of the daemon (SLES 12 SP1 and above) if the “sssd-tools” package is installed and caching is enabled (recommended). The sssd-tools package is a collection of CLI utilities used to manage the daemon behavior and information stores. Among others it contains an application called “sss_override” that can be used to override the attribute values (uidNumber, gidNumber, homeDirectory, loginShell, gecos) returned for users and groups from LDAP, AD and IPA servers for the local system.

~# sss_override COMMAND [options]

~# sss_override user-add <user> -s /bin/ksh

The first time you add a user or group override you will need to restart the daemon, and overrides are persistent in the cache. If the cache is deleted, the overrides go with it.

Hoping it helps,

– lawrence