getent passwd -s sss LOCALUSER shows local user
tl;dr
I want to easily and quickly tell if a user is local or domain (don't care which domain).
Environment
- freeipa-client-4.6.1-3.fc27.x86_64
- sssd-1.16.0-4.fc27.x86_64
Full story
I am writing a userinfo.sh script that will show if a user is local, sssd, can ssh, and is permitted by sssd. Currently I am doing the check for whether the user is from the domain with the getent passwd -s sss $USERNAME command. But I ran into an issue where checking the sssd database returns a local user!
# getent passwd -s sss 'bgstack15-local'
bgstack15-local:x:1000:1000:bgstack15-local:/home/bgstack15-local:/bin/bash
Checking the contents of the database (cache) for sss shows sssd apparently caches all sorts of information about the local user.
# sudo su root -c 'strings /var/lib/sss/db/* | grep bgstack15-local' | sort | uniq
name=bgstack15-local@implicit_files,cn=groups,cn=ih
name=bgstack15-local@implicit_files,cn=groups,cn=implicit_files,cn=sysdb
name=bgstack15-local@implicit_files,cn=users,cn=implicit_files,cn=sysdb
[...output truncated]
I tried clearing the sssd cache overall, and just for the user. Neither made a difference.
# sss_cache -U
# sss_cache -u bgstack15-local
The user does show up as a local user, and I promise it is only a local user!
getent passwd -s files 'bgstack15-local'
bgstack15-local:x:1000:1000:bgstack15-local:/home/bgstack15-local:/bin/bash
The man pages for getent(1) and getpwent(3) don't help me understand what could be going on. sssd(8) shows me that sssd can cache local users, which actually goes against what I want! The nss section of sssd.conf(5) doesn't help, but maybe I didn't take enough time to read it. I'm a little stuck.
My sssd.conf:
[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, dns1.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = fc27c-01a.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
Last resort
I can try doing my checks against ${USERNAME}@${DOMAIN} when doing the -s sss check, but that means I then have to iterate over all domains in sssd.conf and that would slow the process down.
Answer
The option that controls this behavior is buried in sssd.conf(5) on CentOS 7 and Fedora, but not in the online man page. In sssd.conf:
[sssd]
enable_files_domain = false
Reference 3 shows that sssd makes a "fast cache for local users." From man sssd.conf(5) on my Fedora system:
enable_files_domain (boolean) When this option is enabled, SSSD prepends an implicit domain
with “id_provider=files” before any explicitly configured domains.
Default: true
Disabling this behavior lets me make a simple check to see if it is a local user or domain user.
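As an added example (not the original userinfo.sh, and not part of sssd), here is a POSIX sh classifier that settles "local" by asking the files source first, so the answer stays right even while the implicit files domain makes -s sss echo local users, plus a check that reveals whether that implicit domain is still answering. GETENT is a hypothetical hook so the lookup command can be swapped out for offline testing.

```shell
#!/bin/sh
# Added example: classify an account as local, domain, or none.
# The files source is consulted before sss, so a local user is reported
# as local even when sssd's implicit files domain (enable_files_domain,
# default true) also serves it through "getent passwd -s sss".
# GETENT is a hypothetical hook for tests; in normal use it is getent.
GETENT=${GETENT:-getent}

# passwd_line SOURCE NAME -> prints the passwd entry from that NSS source
passwd_line() {
    "$GETENT" passwd -s "$1" "$2" 2>/dev/null
}

# user_source NAME -> prints local | domain | none (exit 1 when none)
user_source() {
    if [ -n "$(passwd_line files "$1")" ]; then
        echo local
    elif [ -n "$(passwd_line sss "$1")" ]; then
        echo domain
    else
        echo none
        return 1
    fi
}

# sss_echoes_local NAME -> exit 0 when the sss source returns an entry with
# the same uid as the files source for a local account, i.e. the implicit
# files domain is still enabled and "-s sss" alone cannot tell them apart.
sss_echoes_local() {
    f=$(passwd_line files "$1") && [ -n "$f" ] || return 1
    s=$(passwd_line sss "$1") && [ -n "$s" ] || return 1
    f_uid=$(printf '%s\n' "$f" | cut -d: -f3)
    s_uid=$(printf '%s\n' "$s" | cut -d: -f3)
    [ "$f_uid" = "$s_uid" ]
}
```

Run it as `user_source bgstack15-local`; if `sss_echoes_local bgstack15-local` succeeds, enable_files_domain has not taken effect yet.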