SSSD-FILES(5) File Formats and Conventions SSSD-FILES(5)
NAME
sssd-files - SSSD files provider
DESCRIPTION
This manual page describes the files provider for sssd(8). For a
detailed syntax reference, refer to the “FILE FORMAT” section of the
sssd.conf(5) manual page.
The files provider mirrors the content of the passwd(5) and group(5)
files. The purpose of the files provider is to make the users and groups
traditionally only accessible with NSS interfaces also available through
the SSSD interfaces such as sssd-ifp(5).
Another reason is to provide efficient caching of local users and
groups.
Please note that, besides an explicit domain definition, the files
provider can also be configured implicitly using the
'enable_files_domain' option. See sssd.conf(5) for details.
SSSD never handles resolution of the user/group "root". Resolution of
UID/GID 0 is not handled by SSSD either. Such requests are passed to the
next NSS module (usually files).
When SSSD is not running or responding, nss_sss returns the UNAVAIL code
which causes the request to be passed to the next module.
CONFIGURATION OPTIONS
In addition to the options listed below, generic SSSD domain options can
be set where applicable. Refer to the section “DOMAIN SECTIONS” of the
sssd.conf(5) manual page for details on the configuration of an SSSD
domain. However, the purpose of the files provider is to expose the same
data as the UNIX files, just through the SSSD interfaces. Therefore, not
all generic domain options are supported. Likewise, some global options,
such as overriding the shell in the “nss” section for all domains, have
no effect on the files domain unless explicitly specified per-domain.
passwd_files (string)
Comma-separated list of one or multiple password filenames to be
read and enumerated by the files provider. Inotify monitor watches
will be set on each file to detect changes dynamically.
Default: /etc/passwd
group_files (string)
Comma-separated list of one or multiple group filenames to be read
and enumerated by the files provider. Inotify monitor watches will
be set on each file to detect changes dynamically.
Default: /etc/group
fallback_to_nss (boolean)
While updating the internal data, SSSD will return an error and let
the client continue with the next NSS module. This helps to avoid
delays when using the default system files /etc/passwd and
/etc/group and the NSS configuration has 'sss' before 'files' for
the 'passwd' and 'group' maps.
If the files provider is configured to monitor other files, it makes
sense to set this option to 'False' to avoid inconsistent behavior,
because in general there would be no other NSS module which can be
used as a fallback.
Default: True
EXAMPLE
The following example assumes that SSSD is correctly configured and
files is one of the domains in the [sssd] section.
[domain/files]
id_provider = files
To leverage caching of local users and groups by SSSD, the nss_sss
module must be listed before the nss_files module in /etc/nsswitch.conf.
passwd: sss files
group: sss files
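The ordering requirement above can be checked mechanically. The
following shell function is an added example, not part of the SSSD
documentation or code; the function name nss_sss_before_files and its
exit codes are assumptions chosen for illustration.

```shell
# Added example (not SSSD code): report whether 'sss' precedes 'files'
# for a given map in an nsswitch.conf-style file.
#
# Usage: nss_sss_before_files <map> [file]      (file defaults to
#        /etc/nsswitch.conf)
# Exit codes (chosen for this example):
#   0  sss is listed, and before files (or files is absent)
#   1  files is listed before sss, so local lookups bypass the SSSD cache
#   2  the map is missing or does not list sss at all
nss_sss_before_files() {
    map=$1
    conf=${2:-/etc/nsswitch.conf}
    awk -v map="$map" '
        {
            sub(/#.*/, "")        # drop trailing comments
            sub(/:/, ": ")        # tolerate "passwd:sss files"
        }
        $1 == (map ":") && !found {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue      # skip [NOTFOUND=return] etc.
                if ($i == "sss"   && !sss)   sss = i
                if ($i == "files" && !files) files = i
            }
        }
        END {
            if (!found || !sss)       exit 2
            if (files && files < sss) exit 1
            exit 0
        }' "$conf"
}
```

Run it once for passwd and once for group; a result of 1 or 2 for either
map means lookups for that map are not served from the SSSD cache first.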
SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5),
sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5),
sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5),
pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)
AUTHORS
The SSSD upstream - https://github.com/SSSD/sssd/
SSSD 01/16/2025 SSSD-FILES(5)