The Identity Stack, Episode 4
EP01: What Is LDAP → EP02: LDAP Internals → EP03: LDAP Auth on Linux → EP04 → EP05: Kerberos → …
Focus Keyphrase: SSSD Linux
Search Intent: Informational
Meta Description: SSSD powers every enterprise Linux login — but most engineers only interact with it when it breaks. Here’s the architecture, the config knobs that matter, and how to debug it. (185 chars — trim to: SSSD powers every enterprise Linux login. Here’s the architecture, the sssd.conf knobs that matter, and how to debug it when it breaks. (137 chars))
Meta Description (final): SSSD powers every enterprise Linux login. Here’s the architecture, the sssd.conf knobs that matter, and how to debug it when it breaks. (137 chars)
TL;DR
- SSSD (System Security Services Daemon) is the caching and brokering layer between Linux and directory services — it handles LDAP, Kerberos, and AD so PAM and NSS don’t have to
- Architecture: three tiers — responders (answer PAM/NSS queries), providers (talk to AD/LDAP/Kerberos), and a shared cache (LDB database on disk)
- Credential caching means offline logins work — a user who authenticated yesterday can log in today even if the domain controller is unreachable
- Key config:
sssd.conf— the[domain]section is where almost all tuning happens - Debugging toolkit:
sssctl,sss_cache,id,getent,journalctl -u sssd - The most common failure modes are: SSSD not running, stale cache, misconfigured
ldap_search_base, and clock skew breaking Kerberos
The Big Picture: SSSD as the Identity Broker
PAM (pam_sss) NSS (sss module)
│ │
└──────────┬───────────┘
▼
SSSD Responders
┌────────────────────────────────────┐
│ PAM responder NSS responder │
│ (auth, account, (passwd, group, │
│ session) shadow lookups) │
└────────────┬───────────────────────┘
│ shared cache (LDB)
▼
SSSD Providers
┌────────────────────────────────────┐
│ identity provider auth provider │
│ (user/group attrs) (credentials) │
└────────────┬───────────────────────┘
│
┌────────────┼────────────┐
▼ ▼ ▼
LDAP Kerberos Local files
(AD / OpenLDAP) (KDC / AD)
EP03 showed that SSSD sits between PAM and LDAP. This episode goes inside it — the architecture, the config, and how to tell exactly what it’s doing on any given login attempt.
Why SSSD Exists
The problem before SSSD: nss_ldap and pam_ldap made direct LDAP connections for every query. No caching, no connection pooling, no failover, no offline support. On a system that makes dozens of getpwuid() calls per second (every ls -l, every process spawn), this meant dozens of LDAP roundtrips per second hitting the domain controller.
SSSD solved this with a single daemon that:
– Maintains a persistent connection pool to the directory
– Caches identity and credential data in an LDB (LDAP-like) database on disk
– Handles failover across multiple directory servers
– Satisfies PAM and NSS queries from cache when the directory is unreachable
The credential cache is the key insight. When you authenticate successfully, SSSD stores a hash of your credentials locally. If the domain controller is unreachable on your next login — network outage, laptop offline, VPN not connected — SSSD can verify your credentials against the local cache. You log in. You never knew the DC was down.
SSSD Architecture
SSSD is a set of cooperating processes sharing a cache:
Monitor — the parent process. Starts and restarts all other SSSD processes. If a responder or provider crashes, the monitor restarts it.
Responders — answer queries from PAM and NSS. Each responder handles a specific interface:
– sssd_nss — answers getpwnam(), getpwuid(), getgrnam(), initgroups() calls
– sssd_pam — handles PAM authentication, account checks, and session management
– sssd_autofs, sssd_ssh, sssd_sudo — optional responders for specific services
Providers — the backend processes that talk to the actual directory:
– Each domain gets its own provider process (sssd_be[domain_name])
– The provider connects to LDAP/Kerberos/AD, fetches data, and writes it to the shared cache
– If the provider crashes or loses connectivity, responders fall back to serving from cache
Cache — LDB files in /var/lib/sss/db/. One database per configured domain, plus a cache for negative results (lookups that returned “not found”). The cache is an LDAP-like directory stored on disk — SSSD uses the same hierarchical structure for local storage as the remote directory uses.
# See the cache files
ls -la /var/lib/sss/db/
# cache_corp.com.ldb ← user/group data for domain corp.com
# ccache_corp.com ← Kerberos credential cache
# timestamps_corp.com.ldb ← when entries were last refreshed
sssd.conf: The Config That Matters
/etc/sssd/sssd.conf has a [sssd] section (global) and one [domain/name] section per directory. The domain section is where almost all tuning happens.
[sssd]
services = nss, pam, sudo
domains = corp.com
config_file_version = 2
[domain/corp.com]
# What type of directory this is
id_provider = ad # or: ldap, ipa, files
auth_provider = ad # or: ldap, krb5, none
access_provider = ad # controls who can log in
# The AD/LDAP server (can be a list for failover)
ad_domain = corp.com
ad_server = dc01.corp.com, dc02.corp.com
# Where to look for users and groups
ldap_search_base = dc=corp,dc=com
# Cache behavior
cache_credentials = true # enable offline login
entry_cache_timeout = 5400 # how long before re-querying (seconds)
offline_credentials_expiration = 1 # days cached credentials stay valid offline
# What uid/gid range belongs to this domain (prevents UID conflicts)
ldap_id_mapping = true # auto-map AD SIDs to UIDs (no uidNumber needed)
# OR for classical POSIX LDAP:
# ldap_id_mapping = false # use uidNumber/gidNumber from directory
# Restrict logins to specific AD groups
# access_provider = simple
# simple_allow_groups = linux-admins, sre-team
# Home directory and shell defaults
override_homedir = /home/%u
default_shell = /bin/bash
fallback_homedir = /home/%u
# Enumerate all users (expensive on large dirs — disable unless needed)
enumerate = false
The two most commonly wrong settings:
ldap_search_base — if this doesn’t include the OU where your users live, SSSD won’t find them. On AD, the default searches the entire domain, which is usually correct. On OpenLDAP, you may need ou=people,dc=corp,dc=com.
ldap_id_mapping — on AD, users typically don’t have uidNumber attributes. Setting ldap_id_mapping = true tells SSSD to derive a UID from the user’s SID algorithmically. This produces consistent UIDs across machines. Setting it to false requires actual uidNumber attributes in the directory.
Credential Caching and Offline Logins
The cache is what separates SSSD from a simple proxy. When cache_credentials = true:
- On successful authentication, SSSD stores a hash of the credential in the LDB cache
- On the next authentication attempt, SSSD first tries the domain controller
- If the DC is unreachable, SSSD falls back to the local credential hash
- If the hash matches, login succeeds — even with no network
The credential hash is not the cleartext password — it’s a salted hash stored in /var/lib/sss/db/cache_corp.com.ldb. The security model is the same as /etc/shadow: someone with root access to the machine can access the hashes.
offline_credentials_expiration controls how long cached credentials stay valid when the DC is unreachable. 0 means forever (not recommended for high-security environments). 1 means one day — after 24 hours offline, even cached credentials expire and the user must authenticate online.
The Debugging Toolkit
# 1. Is SSSD running?
systemctl status sssd
pgrep -a sssd # shows all SSSD processes (monitor + responders + providers)
# 2. Domain connectivity status
sssctl domain-status corp.com
# Domain: corp.com
# Active servers:
# LDAP: dc01.corp.com
# KDC: dc01.corp.com
# Discovered servers:
# LDAP: dc01.corp.com, dc02.corp.com
# 3. Can SSSD find a specific user?
sssctl user-checks vamshi
# user: vamshi
# user name: [email protected]
# POSIX attributes: UID=1001, GID=1001, ...
# Authentication: success (uses actual PAM auth stack)
# 4. What does NSS see?
getent passwd vamshi # full passwd entry
id vamshi # uid, gid, groups
# 5. Flush stale cache entries
sss_cache -u vamshi # invalidate one user
sss_cache -G engineers # invalidate one group
sss_cache -E # invalidate everything (nuclear option)
# 6. Live logs
journalctl -u sssd -f # tail all SSSD logs
# Then attempt login in another terminal — watch the auth flow in real time
# 7. Increase log verbosity temporarily
sssctl config-check # validate sssd.conf syntax
# Edit sssd.conf: add debug_level = 6 under [domain/corp.com]
systemctl restart sssd
journalctl -u sssd -f # now shows LDAP queries, cache hits/misses
The single most useful command is sssctl user-checks <username>. It runs the full NSS + PAM auth stack internally and prints what SSSD would do on a real login — without creating a session or touching the running system.
Breaking SSSD (and What Each Failure Looks Like)
SSSD not running:
ssh vamshi@server
# Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
# getent passwd vamshi → (empty)
# Fix: systemctl start sssd
Stale cache after AD password change:
# User changed password in AD but SSSD still has old credential hash
ssh vamshi@server # password accepted (wrong!) — cache hit with old hash
# Fix: sss_cache -u vamshi, then attempt login again
Clock skew > 5 minutes (breaks Kerberos):
journalctl -u sssd | grep -i "clock skew\|KDC\|kinit"
# sssd_be[corp.com]: Kerberos authentication failed: Clock skew too great
# Fix: systemctl restart chronyd (or ntpd), verify time sync
ldap_search_base wrong:
getent passwd vamshi # empty, but user exists in AD
sssctl user-checks vamshi # "User not found"
# Check: ldap_search_base must include the OU containing users
# Test: ldapsearch -x -H ldap://dc -b "ou=engineers,dc=corp,dc=com" "(uid=vamshi)"
⚠ Common Misconceptions
“Restarting SSSD logs everyone out.” Restarting SSSD doesn’t affect existing authenticated sessions. Active shell sessions, running processes — all unaffected. Only new authentication attempts are disrupted during the restart window, which takes a few seconds.
“sss_cache -E fixes everything.” Flushing the entire cache forces SSSD to re-fetch all entries from the domain controller on the next lookup. On a system with many users or enumeration enabled, this can cause a brief spike in LDAP traffic and slow lookups. Use targeted flushes (-u username, -G group) when possible.
“debug_level should always be high.” SSSD at debug_level = 9 logs every LDAP packet. On a production system with active logins, this generates gigabytes of logs quickly. Set it temporarily for debugging, then remove it and restart.
Framework Alignment
| Domain | Relevance |
|---|---|
| CISSP Domain 5: Identity and Access Management | SSSD is the runtime implementation of enterprise identity integration on Linux — understanding its caching model, failover behavior, and credential storage is foundational to IAM operations |
| CISSP Domain 3: Security Architecture and Engineering | The credential cache design (/var/lib/sss/db/) creates a local credential store with specific security properties — architects need to understand the offline login trade-off |
| CISSP Domain 7: Security Operations | SSSD is a critical security service — monitoring it, understanding its failure modes, and knowing how to recover it quickly are operational security skills |
Key Takeaways
- SSSD is a three-tier system: responders (serve PAM/NSS), providers (talk to AD/LDAP), and a shared LDB cache — each tier is independently restartable
- Credential caching enables offline logins — the security trade-off is a local hash store in
/var/lib/sss/db/ sssctl user-checksis the first tool to reach for when a login fails — it simulates the full auth flow and shows exactly where it breaksldap_id_mapping = trueis the right choice for AD environments without POSIX attributes;falserequires actualuidNumber/gidNumberin the directory- Clock skew over 5 minutes silently breaks Kerberos authentication — time sync is a hard dependency
What’s Next
EP04 showed SSSD’s role as the caching and brokering layer. What it referenced repeatedly — “Kerberos ticket”, “KDC”, “GSSAPI” — is the authentication protocol that sits underneath AD-joined Linux logins. SSSD uses Kerberos to authenticate. LDAP carries the identity data. EP05 explains how Kerberos works.
Next: How Kerberos Works: Tickets, KDC, and Why Enterprises Use It With LDAP
Get EP05 in your inbox when it publishes → linuxcent.com/subscribe