Linux SSSD
Status: Scaffold — content in progress
SSSD (System Security Services Daemon) connects Linux/Unix machines to directory services — primarily Active Directory. It handles Kerberos authentication, LDAP-based user/group lookups, and caches credentials for offline use.
Components
```
sssd
├── LDAP provider (user/group lookup from AD)
├── Kerberos provider (authentication via KDC)
└── Local cache (offline login)
```
AD-Joined Linux Machine
When a Linux machine is joined to AD via `realm join` or `adcli`:
- Machine account created in AD
- `/etc/krb5.conf` configured for the domain
- `/etc/sssd/sssd.conf` configures domain connectivity
- PAM configured to use `pam_sss`
Security Considerations
- Credential cache (`.ccache` files in `/tmp/`): Kerberos TGTs are stored here
- `KRB5CCNAME` environment variable points to the cache location
- Over-privileged AD groups synced to Linux `sudo` access
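An added audit helper (not from this page or the SSSD project) for the two risks listed above: Kerberos credential caches under SSSD's default `krb5_ccachedir` (`/tmp`) that are readable beyond their owner, and sudoers group rules that grant `ALL`. It assumes GNU findutils (`-perm /077`, `-printf`) and takes the cache directory and sudoers path as arguments; the file names and group names in the comments are constructed examples.

```shell
#!/bin/sh
# Audit helpers for an AD-joined Linux host running SSSD.
# Assumes GNU find (Linux). Nothing runs unless a directory is passed.

# list_exposed_ccaches DIR
# Prints "path mode owner" for every krb5cc_* file in DIR whose mode grants
# any group/other permission. SSSD's default ccache template is
# FILE:%d/krb5cc_%U_XXXXXX, so each cache should be mode 0600 and owned by
# the user whose TGT it holds; anything else lets other local users read a
# Kerberos ticket.
list_exposed_ccaches() {
    find "$1" -maxdepth 1 -type f -name 'krb5cc_*' -perm /077 \
        -printf '%p %m %u\n' 2>/dev/null | sort
}

# list_group_sudo_rules SUDOERS_FILE
# Prints sudoers entries for a group (%name, which is how AD groups such as
# a constructed %linux-admins@example.com appear once SSSD resolves them)
# whose command list ends in ALL, i.e. unrestricted root via group sync.
# Rules restricted to specific commands are not reported.
list_group_sudo_rules() {
    grep -E '^[[:space:]]*%.*=.*ALL[[:space:]]*$' "$1"
}

# Optional stand-alone run: ./sssd_audit.sh /tmp /etc/sudoers
if [ -n "${1:-}" ]; then
    echo "== Kerberos caches in $1 readable by group/other =="
    list_exposed_ccaches "$1"
    echo "== sudoers group rules granting ALL in ${2:-/etc/sudoers} =="
    list_group_sudo_rules "${2:-/etc/sudoers}"
fi
```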
Cross-Links
| Topic | Link |
|---|---|
| Linux PAM | linux-pam |
| Linux Kerberos | linux-kerberos |