
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

3 votes
1 answers
2289 views
Get sudoers through LDAP (SUSE Linux Enterprise Server 12)
I have a problem with my LDAP configuration on SUSE Linux Enterprise Server 12. As many of you know, the ldap.conf file has been replaced with sssd.conf and a couple of other conf files like nsswitch.conf. I want to have authentication through LDAP, picking users from a specific OU. I also need to get the definition for sudoers through LDAP. I have never worked with sssd before. My current NSS configuration looks as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: files
group_compat: files
sudoers: ldap files   # I added this line
And here is my sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
domains = *****
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]

[domain/GuH]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
debug_level = 20
#access_provider = ldap
ldap_uri = ldap://******.de
ldap_search_base = o=***
create_homedir = true
ldap_tls_cacert = /etc/sssd/certs/*******.pem
ldap_tls_cacertdir = /etc/sssd/certs
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=********,o=guh
ldap_default_authtok_type = *******
ldap_default_authtok = *********
ldap_user_member_of = *********
ldap_group_name = cn=*******,ou=*******,ou=******,o=******
Just assume the * are put in correctly. Also, is there anything to do in a PAM config file? I have not seen anyone address it yet.
Meerkat (211 rep)
Sep 14, 2016, 10:37 AM • Last activity: Jun 16, 2025, 05:00 AM
2 votes
1 answers
2499 views
Login not chdir()ing to correct home directory (AD/realmd/sssd)
I'm forced (ugh) to join several linux machines to a domain. I'm currently using debian stable, and am joining the machines using a join script I wrote (at https://rbmj.github.io/join.sh for reference). The setup uses realm and sssd for all of the joining magic, and pam_mkhomedir to create home directories. Machines are debian stable. getent passwd $USER shows proper uid/gid and home directory set to /home/$DOMAIN/$USER as it should be. The problem is that on logon pam_mkhomedir.so is creating the home directory in the proper place (/home/$DOMAIN/$USER), but login tries to chdir() into /home/$USER. The workaround I'm currently using is symlinking /home/$DOMAIN to /home, which *is* an ugly symlink loop, but it gets the job done for now. Once I can figure this out migration should be fairly straightforward, as there's only one or two system accounts so I can move the rest via script. Since this is a recently installed debian stable machine, I think it's a systemd issue, as I believe the standard login daemon is replaced by systemd-logind or similar cruft. I think this is a bug somewhere, as login should try to change directory to whatever nsswitch indicates is the user's proper home directory, but I'm no expert.
Robert Mason (101 rep)
Jun 7, 2016, 06:13 PM • Last activity: Apr 15, 2025, 01:06 PM
0 votes
2 answers
79 views
Any real use cases where we do NOT prioritise local files over DNS in `nsswitch.conf`?
**Background**

Recently, I learned that there is a Name Service Switch configuration file, nsswitch.conf, in some Unix-like operating systems. We can change the domain name resolution order using nsswitch.conf. The most common order should be prioritizing local files over DNS. In nsswitch.conf, it should be defined as
hosts:          files dns
I want to know if there are any other use cases that are NOT configured as above. For example,
hosts:          dns

**Question**

What are the real use cases, and why are we **NOT** prioritising local files over DNS in nsswitch.conf? **One use case is enough.**
Continuous Improvement (145 rep)
Apr 9, 2025, 04:26 AM • Last activity: Apr 12, 2025, 06:05 AM
15 votes
2 answers
4908 views
Why am I known as a user?
I inherited a Linux server; the previous administrator is no longer with our company. I can log in to the server via SSH with my company-wide Microsoft Directory administration user, and it works perfectly. I have sudo privileges. But I can't figure out why. This is my nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference' and info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
I would have expected to see myself with my user in the getent passwd command, but that's not the case:
myadminaccount@SERVER-NAME:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
administrator:x:1000:1000:administrator,,,:/home/administrator:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
mik:x:998:1001:OMD site mik:/omd/sites/mik:/bin/bash
Debian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin
myadminaccount@SERVER-NAME:~$
The user seems to be known but the group is not:
myadminaccount@SERVER-NAME:~$ ls -l | head -n4
insgesamt 384
-rw-r--r-- 1 myadminaccount 5001 11854  6. Feb 2023  update_2022-02-06.log
-rw-r--r-- 1 myadminaccount 5001 46374  7. Nov 2022  update_2022-11-07.log
-rw-r--r-- 1 myadminaccount 5001  8192  6. Mär 2023  update_2023-03-06.log
myadminaccount@SERVER-NAME:~$ ls -ln | head -n4
insgesamt 384
-rw-r--r-- 1 2173 5001 11854  6. Feb 2023  update_2022-02-06.log
-rw-r--r-- 1 2173 5001 46374  7. Nov 2022  update_2022-11-07.log
-rw-r--r-- 1 2173 5001  8192  6. Mär 2023  update_2023-03-06.log
At a minimum, the hostname of the Active Directory server, a password or key for the connection, and the information that my user has sudo privileges should be configured somewhere on the server. But where? And why isn't my username listed in getent passwd? Where should I read and look to find out more? The server is SMP Debian 5.10.226-1 (2024-10-03) x86_64.
Matthias Ronge (515 rep)
Apr 7, 2025, 10:05 AM • Last activity: Apr 10, 2025, 11:02 AM
1 votes
2 answers
751 views
Fedora 38: need persistent changes in nsswitch.conf
I've got Fedora 38 KDE Spin. To access corporate VPN resources in the .local zone I need to make queries to the DNS server after establishing the connection. The default nsswitch.conf hosts section looks like this:
hosts: files myhostname resolve [!UNAVAIL=return] dns
If I modify it this way:
hosts: files myhostname resolve dns [!UNAVAIL=return]
everything works as I expect. The problem is I can't make these changes persistent. The text in the file banner says:
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.
Not much info unfortunately. I've found a manual for the authselect tool in the Red Hat documentation, but it seems to be inapplicable to Fedora. Here is what it says:
Select an authselect profile, for example:
# authselect select sssd
Edit the /etc/authselect/user-nsswitch.conf file with your desired changes.
Apply the changes from the /etc/authselect/user-nsswitch.conf file:
# authselect apply-changes
I don't have an /etc/authselect/user-nsswitch.conf file on my system. If I make one, I don't know what content it should have. I tried
cat /etc/authselect/user-nsswitch.conf
hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve dns [!UNAVAIL=return]
and then ran sudo authselect apply-changes as said in the manual, with no luck. I can't find anything to solve this issue. I would be very grateful for any help. Thanks!
PocketSam (113 rep)
Oct 2, 2023, 10:41 AM • Last activity: Mar 5, 2025, 05:24 PM
0 votes
0 answers
75 views
NetworkManager and /etc/nsswitch.conf
I'm looking to use SSSD to connect to Wifi WPA2 Enterprise (on Ubuntu 22.04). **Can nmcli (NetworkManager) use /etc/nsswitch.conf** to authenticate to Wifi without user action for on-site mode? Thanks for your help
kto (1 rep)
Nov 12, 2024, 11:03 AM • Last activity: Nov 12, 2024, 12:26 PM
1 votes
0 answers
40 views
Simple user database / LDAP lookup options for containers
In my environment we launch containers with a specific uid/gid that our users use as workspaces. It's a bit finicky and one of the drawbacks is that there won't be a matching user in /etc/passwd, causing all kinds of havoc. I was thinking of just maintaining a shared /etc/passwd, storing it in a secret file and then mounting it on top of the container's file. The above approach doesn't seem very robust, so I looked into other NSS options such as sssd. We have AD set up, so integrating with that would be ideal. After some research I found that sssd is not easy to set up within a container and is meant to be run with root privileges, so it may be a dead end. Are there any other more lightweight alternatives for our use case? We don't really need authentication, just the ability to do LDAP lookups for uid/gids.
vadimb (11 rep)
Jun 20, 2024, 08:40 PM • Last activity: Jun 20, 2024, 08:49 PM
2 votes
2 answers
2209 views
avahi-resolve works but mdns
I have an updated Debian 11 (bullseye) setup and want to use avahi to connect to locally connected computers. avahi works, for example:
avahi-resolve -n4 prag11mono.local
gives
prag11mono.local 10.0.0.105
which is correct. However, ping (or ssh) for the same host:
ping prag11mono.local
PING prag11mono.local.rpz.GS.local (127.0.0.2) 56(84) bytes of data.
64 bytes from 127.0.0.2 (127.0.0.2): icmp_seq=1 ttl=64 time=0.035 ms
Here I do not understand where the rpz.GS.local addition comes from. It is not added to ssh prag11mono.local, but the request goes to 127.0.0.2 as well. In /etc/nsswitch.conf I have
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
but getent hosts bhutan.local returns nothing. I have no /etc/mdns.allow file. The connection between avahi-daemon and mdns4 is puzzling. I can restart avahi-daemon with systemctl; but how do I restart mdns? I fear that I am missing some installation. I tried to install the package nss-mdns but got "unable to locate package"; it should be available for bullseye. I installed libnss-mdns and checked that the required files are in /lib/libnss_mdns*. What is missing? How do I debug this?
user855443 (153 rep)
Mar 20, 2022, 08:50 PM • Last activity: Mar 16, 2024, 04:38 PM
6 votes
1 answers
47175 views
How do I permanently configure the DNS resolution in Ubuntu for ALL programs/layers for specific interfaces
Is there a way I can permanently set the DNS preference of my Ubuntu laptop for specific network interfaces? I am relying on a wifi network that is not that predictable. I don't have access to the edit-mode of the wifi router management console, and every now and then the wifi connection drops off and then comes back again. This means I have to constantly invoke this command to "refresh" my DNS entries: sudo resolvectl dns 3 1.1.1.1 8.8.8.8. The problem originated from web browser DNS_* errors (many different ones, e.g. DNS_PROBE_STARTED, DNS_PROBE_FINISHED_NO_INTERNET, DNS_PROBE_FINISHED_NXDOMAIN, DNS_PROBE_FINISHED_BAD_CONFIG, DNS_PROBE_FINISHED_NO_INTERNET etc.) I was seeing, so I figured out this wifi network (router) is using dedicated DNS entries from the ISP (Internet Service Provider). I can see these details (custom IP addresses) on the router config dashboard but I cannot change those settings. Also: I can see that my Ubuntu DNS relies on the default gateway of the wifi network (the router). I found this out with these commands, where the IP addresses match:
# check my local Ubuntu DNS details for all interfaces
resolvectl dns
# find out the default gateway (it should be the router IP address)
ip route
I think this means that my laptop is dynamically relying on the gateway (router) for DNS resolution and that the router is configured to use some obscure IP addresses from the ISP (Internet Service Provider). Is this correct? I changed the Global DNS by modifying this file /etc/systemd/resolved.conf by appending this:
DNS=1.1.1.1 8.8.8.8
FallbackDNS=8.8.4.4
Then I did this:
# make sure to restart the DNS daemon
sudo systemctl restart systemd-resolved.service
# check what DNS is being used by each interface
resolvectl status
But of course this is being overridden by my wifi interface on which I don't know how to act, what to configure to make it work with my preferred DNS entries. For the sake of completeness I also did this to make sure the web browser was relying on a fresh DNS cache without throwing DNS_* errors (I am not sure this is correct/needed, is it?):
# check current DNS cache
resolvectl statistics
# flush DNS cache
resolvectl flush-caches
If I check the bottom of the file /etc/resolv.conf then I see this:
nameserver 127.0.0.53
options edns0 trust-ad
search lan
I think this DNS trouble might be related to that entry nameserver 127.0.0.53, but I also know that this file /etc/resolv.conf is generated automatically (and perhaps refreshed automatically) by systemd-resolved.service, where 127.0.0.53 means that the laptop relies on this local IP address for DNS, which is managed by systemd-resolved, so I think I shouldn't be manually changing it. I have this feeling that different programs/commands use different places/layers to figure out the DNS configuration. Like if somehow I change the resolvectl / systemd-resolved.service settings, then maybe the browser may be reading the DNS config from somewhere else like that /etc/resolv.conf file or things like /etc/nsswitch.conf? Is this the case? I would like to:
- make this command sudo resolvectl dns 3 1.1.1.1 8.8.8.8 PERMANENT (across reboot and across wifi disconnect/connect cycles)
- change all the other config files e.g. /etc/resolv.conf or /etc/nsswitch.conf and similar to rely on my preferred DNS configuration details.
How do I do this?
TPPZ (637 rep)
Jul 7, 2023, 03:11 PM • Last activity: Jul 13, 2023, 04:33 AM
0 votes
2 answers
664 views
Difference between `*LK*` in /etc/shadow and /usr/sbin/nologin in /etc/passwd
What is the practical difference between setting `*LK*` in `/etc/shadow` and setting `/usr/sbin/nologin` in `/etc/passwd`? When would we choose one over the other? When would we combine them?
Lyubomir (113 rep)
Jun 5, 2023, 08:44 PM • Last activity: Jun 5, 2023, 11:25 PM
2 votes
1 answers
1968 views
Difference between nsswitch, nslcd and sssd?
I'm trying to configure sssd instead of nslcd for my RHEL system, and then I came across `nsswitch`. What's the difference between these three?
N. J (177 rep)
Mar 16, 2023, 12:46 PM • Last activity: Mar 16, 2023, 02:45 PM
1 votes
1 answers
5567 views
'getent passwd' not showing LDAP users, athough users can log in
I have an administration node running LDAP and a login node which uses LDAP on the other node to authorize users. Users are able to log into the login node successfully. When I run getent passwd on the admin node I get all the users, both those from /etc/passwd and LDAP. However, on the login node the LDAP users are missing. Both machines are running CentOS 7.9.2009 and both have an identical /etc/nsswitch.conf. The only non-trivial difference between the two versions of /etc/sss/sssd.conf is that on the admin node ldap_access_order = filter,expire is set, whereas on the login node the setting is ldap_access_order = expire, but that seems to me irrelevant (the filter just contains a single non-root functional user which was only used when the system was set up). Where else should I be looking to work out what the difference is between the two systems?
loris (195 rep)
Aug 2, 2022, 11:55 AM • Last activity: Aug 12, 2022, 11:12 AM
0 votes
1 answers
732 views
Can't ping server that resolves using avahi-resolve
I have a server I've discovered from a Manjaro client using avahi named unaha-closp. However, when I ping it I get:
ping: unaha-closp.local: Name or service not known
In /etc/nsswitch.conf my hosts line is:
hosts: mymachines mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
What is going on?
Nate (154 rep)
Jul 22, 2022, 12:08 AM
0 votes
1 answers
80 views
When was NSS (Name Service Switch) introduced in Solaris?
I was not able to find a date or a Solaris release number... Also, besides Ultrix's svc.conf system (mentioned in [NSS's Wikipedia article][1]), did other comparable systems exist in other Unices, before NSS? [1]: https://en.wikipedia.org/wiki/Name_Service_Switch
Eusebius (184 rep)
Mar 5, 2022, 10:17 AM • Last activity: Apr 24, 2022, 07:14 PM
22 votes
2 answers
26683 views
nslookup, dig, firefox ignoring /etc/hosts file entries
There is something terribly wrong with my current Debian install. Most programs like firefox, nslookup, dig etc. are ignoring entries in the /etc/hosts file; actually I use this file for ad-blocking.

**an example**

A line in the /etc/hosts file:
127.0.0.1 www.winaproduct.com
When I do dig +short www.winaproduct.com it returns the respective IP address of the server, not 127.0.0.1. Open www.winaproduct.com in firefox, and it shows the respective website, but this is not expected. But there is no problem with ping, busybox nslookup, busybox ping, resolveip etc. So, what is the problem? And how to fix it? I think the problem is with the DNS resolving library. A temporary fix-up: set up dnsmasq and change nameserver to 127.0.0.1 in /etc/resolv.conf.

**update**

The problem magically solved itself after installing libnss3, as a dependency of google-chrome. The default /etc/nsswitch.conf looks like
hosts: files dns
How to tell nslookup, dig etc. to ask the /etc/hosts file first instead of asking the DNS directly? But why are busybox nslookup, wget, resolveip etc. working differently than nslookup, dig etc.?
Arnab (1691 rep)
Jun 29, 2015, 04:08 PM • Last activity: Mar 9, 2022, 11:05 AM
1 votes
0 answers
260 views
How to configure /etc/pam.d/sshd and nsswitch.conf in order to avoid all remote calls for ssh with local user?
I have created an NSS and a PAM module in order to authenticate and get users and groups from a custom remote server. In order to get them used by the system I am adding a line in /etc/pam.d/sshd:
auth sufficient myPAMmodule.so
and in /etc/nsswitch.conf:
passwd: files sss myNSSmodule
shadow: files sss myNSSmodule
group: files sss myNSSmodule
The question is how to configure these (or anything else) in order to avoid calling my modules in case an ssh is made with a local user. Adding a linux module with sufficient before my module
auth sufficient pam_env.so
seems necessary. Adding an initgroups line without my module
initgroups: files sss
makes the id command work only locally for a local user (but gets only the primary group for the user). But still, whenever I perform ssh user@localhost I still see remote calls for local users.
sotiris (111 rep)
Nov 16, 2021, 10:10 AM • Last activity: Nov 16, 2021, 10:52 AM
1 votes
0 answers
512 views
Fully replace sssd->ldap with web APIs in Linux
My organization has to get rid of their ldap servers, so I am facing the task of replacing its functionality. To make this as customizable and future-proof as I can, I am looking for something that can run on any webserver, so in the future it could be reimplemented in nginx, apache2 or whatever using anything from php to js. So far I have found a replacement for pam: The pam_oauth2.so module by quarxConnect queries a custom oauth2 implementation, that can be set up to pull its data from anywhere. This works quite nicely as a drop-in replacement for pam_sss.so in the pam configuration. It doesn't however replace ldap in nss or autofs. autofs could be solved on the file server's side, but I couldn't find anything for nss. I am really grasping at straws now, to the point where I have considered making the /etc/passwd and /etc/groups files sockets to a program, which queries the required data from a web API and constructs a file on-the-fly. I have no experience on how to implement that though, and it seems like a stupid solution frankly. sssd appears to do the same thing, but it can somehow detect which user's info is needed, so it only constructs that line. If someone could point me to some documentation on how to build a module for nss, that would be great too. I couldn't find what calls such a module would have to answer and how I could call it from nss (nsswitch.conf uses aliases of some sort, not paths or filenames to some dir, from what I can tell). I am fairly deep down this weird road, but am open to entirely different replacement approaches as well. Even something weird like a web-server implementation of an ldap-server which talks ldap to clients but pulls its data from wherever. I'd prefer a simpler protocol though.
Redjard (11 rep)
Sep 8, 2021, 09:43 AM • Last activity: Sep 8, 2021, 09:48 AM
1 votes
0 answers
1046 views
List of Users - RHEL
I want to get a list of users, both human and machine, who have access to the unix server. The OS is:
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
I tried cat /etc/passwd and getent passwd, but both these lists are incomplete. A number of users that have a folder in /home are not present in the output of either of the above two commands. I ran
for a username that had a folder but not present in the output of these commands and I got a valid output, proving that that user exists. So, how do I get a list of "all" users of the server.
PS: I do have sudo access. Output of
~> grep passwd /etc/nsswitch.conf
passwd:     files sss
EDIT1: I did some digging and it turns out this server uses IPA. I ran user-find. It listed 2K users, which I believe is the exhaustive list of users that are created via IPA, but not necessarily all of them have access to this particular server. More Background:
Most human users login via either SSH or id + password.
This server is not maintained by any IT/Server team; the business users own the server. People without deep knowledge of servers and systems maintain it and create users on it. I recently got sudo access and need to 'clean up' the server a little bit: delete users who no longer should have access, identify data that can be archived etc., and create proper unix groups to segregate access to data.
Abhishek Jain (113 rep)
Jun 3, 2021, 03:00 PM • Last activity: Jun 4, 2021, 05:40 AM
3 votes
2 answers
330 views
Why does getent default to .station if no TLD is specified?
With my current setup, I have a dnsmasq instance operating on my home server (Void Linux) and 3 GNU/Linux devices that use it as default dns (1 Manjaro, 1 Arch, 1 Linux Mint 20.1). Due to seemingly unrelated issues, I was testing the mdns name resolution with getent, and I noticed, both by looking at dnsmasq logs and running strace getent, that getent would automatically append the .station Top Level Domain if the domain wasn't already specified. getent hosts home-server results in
dnsmasq: query[AAAA] home-server.station from 192.168.0.6
dnsmasq: forwarded home-server.station to 9.9.9.9
dnsmasq: query[AAAA] home-server.station from 192.168.0.6
dnsmasq: forwarded home-server.station to 9.9.9.9
dnsmasq: query[AAAA] home-server.station from 192.168.0.6
dnsmasq: forwarded home-server.station to 9.9.9.9
dnsmasq: forwarded home-server.station to 95.216.24.230
dnsmasq: forwarded home-server.station to 89.233.43.71
dnsmasq: forwarded home-server.station to 78.46.244.143
dnsmasq: forwarded home-server.station to 146.255.56.98
dnsmasq: forwarded home-server.station to 78.46.244.143
dnsmasq: forwarded home-server.station to 146.255.56.98
dnsmasq: forwarded home-server.station to 78.46.244.143
dnsmasq: forwarded home-server.station to 146.255.56.98
dnsmasq: forwarded home-server.station to 45.90.57.121
dnsmasq: forwarded home-server.station to 80.67.169.40
dnsmasq: forwarded home-server.station to 104.244.78.231
dnsmasq: reply home-server.station is NXDOMAIN
dnsmasq: query[AAAA] home-server from 192.168.0.6
On the dnsmasq log and
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 4
setsockopt(4, SOL_IP, IP_RECVERR, , 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.100")}, 16) = 0
poll([{fd=4, events=POLLOUT}], 1, 0)    = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\2\17\1\0\0\1\0\0\0\0\0\0\vhome-server\7station"..., 37, MSG_NOSIGNAL, NULL, 0) = 3
when calling getent with strace. I wasn't able to find any information regarding the .station TLD. Does anyone know why getent has this default behavior, and where the .station comes from? My /etc/nsswitch.conf hosts line on Manjaro
hosts: files mymachines mdns4_minimal [NOTFOUND=return] resolve dns mdns4 myhostname
On Mint
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
Mek101 (43 rep)
May 3, 2021, 10:41 AM • Last activity: May 3, 2021, 12:20 PM
0 votes
2 answers
816 views
Authentication precedence
In the nsswitch.conf file I have an entry "passwd files sss". Also I have evidence that the server is using LDAP authentication. Since "files" for passwd is enabled and it points to local authentication, which one takes precedence?
Godwin (1 rep)
Jan 28, 2021, 11:56 AM • Last activity: Feb 16, 2021, 09:55 PM