Configuring the NSS Service
SSSD provides an NSS module, sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
To configure the NSS service:

- Open the sssd.conf file.

  ```
  # vim /etc/sssd/sssd.conf
  ```

- Make sure that NSS is listed as one of the services that works with SSSD.

  ```
  [sssd]
  config_file_version = 2
  reconnection_retries = 3
  sbus_timeout = 30
  services = nss, pam
  ```

- In the [nss] section, change any of the NSS parameters. These are listed in Table 28.1, "SSSD [nss] Configuration Parameters".

  ```
  [nss]
  filter_groups = root
  filter_users = root
  reconnection_retries = 3
  entry_cache_timeout = 300
  entry_cache_nowait_percentage = 75
  ```

- Restart SSSD.

  ```
  service sssd restart
  ```
Table 28.1. SSSD [nss] Configuration Parameters

| Parameter | Value Format | Description |
|---|---|---|
| enum_cache_timeout | integer | Specifies how long, in seconds, sssd_nss should cache requests for information about all users (enumerations). |
| entry_cache_nowait_percentage | integer | Specifies how long sssd_nss should return cached entries before refreshing the cache. Setting this to zero (0) disables the entry cache refresh. This configures the entry cache to update entries in the background automatically if they are requested and the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds, 75% of the interval. The allowed values for this option are 0 to 99, which sets the percentage based on the entry_cache_timeout value. The default value is 50%. |
| entry_negative_timeout | integer | Specifies how long, in seconds, sssd_nss should cache negative cache hits. A negative cache hit is a query for an invalid database entry, including non-existent entries. |
| filter_users, filter_groups | string | Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as root. |
| filter_users_in_groups | Boolean | Sets whether users listed in the filter_users list appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, this value defaults to TRUE, which filters the group member lists. |
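The following script is an added example, not part of this guide or of the SSSD project: it parses an sssd.conf fragment (constructed here from the snippets in the procedure above), confirms that nss is listed under services, checks that root is covered by filter_users and filter_groups, validates the 0 to 99 range of entry_cache_nowait_percentage, and computes the background refresh point exactly as the table describes (300 seconds at 75% gives 225). The fallback defaults of 5400 seconds for entry_cache_timeout and 50 for the percentage are taken from the sssd.conf(5) man page, not from this page; the function names are this example's own.

```python
import configparser

# Constructed sample modelled on the sssd.conf fragments shown in the procedure.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
"""

# Defaults taken from sssd.conf(5), not from this page (assumption).
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
DEFAULT_NOWAIT_PERCENTAGE = 50


def parse_sssd_conf(text):
    """Parse sssd.conf text; it is INI-style, so configparser handles sections and '=' keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated sssd list value such as 'nss, pam' into its items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def nss_enabled(cp):
    """True when 'nss' appears in [sssd] services, as step 2 of the procedure requires."""
    return "nss" in split_list(cp.get("sssd", "services", fallback=""))


def refresh_threshold(cp):
    """Seconds into the cache lifetime at which a lookup starts a background refresh.

    Mirrors the table's example: timeout 300 and percentage 75 give 225.
    Returns None when the percentage is 0 (background refresh disabled).
    Raises ValueError for a percentage outside the allowed 0..99 range.
    """
    timeout = cp.getint("nss", "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    pct = cp.getint("nss", "entry_cache_nowait_percentage", fallback=DEFAULT_NOWAIT_PERCENTAGE)
    if not 0 <= pct <= 99:
        raise ValueError("entry_cache_nowait_percentage must be 0..99, got %d" % pct)
    if pct == 0:
        return None
    return timeout * pct // 100


def check_nss_config(text):
    """Return a list of findings; an empty list means the [nss] setup matches the procedure."""
    cp = parse_sssd_conf(text)
    findings = []
    if not nss_enabled(cp):
        findings.append("[sssd] services does not include nss")
    if not cp.has_section("nss"):
        findings.append("no [nss] section")
        return findings
    # System accounts such as root should be filtered so they are never looked up via SSSD.
    for option in ("filter_users", "filter_groups"):
        if "root" not in split_list(cp.get("nss", option, fallback="")):
            findings.append("%s does not filter root" % option)
    try:
        if refresh_threshold(cp) is None:
            findings.append("entry_cache_nowait_percentage = 0: background cache refresh disabled")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for line in check_nss_config(SAMPLE_SSSD_CONF) or ["[nss] settings are consistent with the procedure"]:
        print(line)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into check_nss_config; a percentage of 0 is reported as a finding only so that the disabled refresh is visible, since the table allows that value.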