Sssd.conf being overwritten

I'm setting up AD on rockyOS for a user. It all works OK, but there's a line in /etc/sssd/sssd.conf:
use_fully_qualified_names = True

I'd like to set that to False, but when I do it gets overwritten when joining the domain. Anyone know where sssd gets the values it writes to sssd.conf?

When you perform a realm join or any operation that would make changes to sssd.conf, your changes will get overwritten. It’s recommended that you realm join first and then configure sssd.conf after.

The /etc/sssd/sssd.conf is not from package; it must be created. The “realm join” is one such action.

man sssd.conf writes:

CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

The configuration file sssd.conf will include configuration snippets using the include directory conf.d. This feature is available if SSSD was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than sssd.conf and will override sssd.conf when conflicts occur. If several snippets are present in conf.d, then they are included in alphabetical order (based on locale). Files included later have higher priority. Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help visualize the priority (higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf, which are by default root:root and 0600.

I don’t use AD nor create /etc/sssd/sssd.conf – I drop my sssd config into /etc/sssd/conf.d/ with Ansible. You too can override the use_fully_qualified_names with a snippet.
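As an added illustration (not code from the thread or from the SSSD project), here is a small Python model of the merge order the man page describes: sssd.conf is read first, then every conf.d file that ends in ".conf" and does not start with a dot, in alphabetical order, with later files overriding earlier ones; the ownership check reflects the root:root 0600 requirement. The sample sssd.conf and snippet contents are constructed for the example.

```python
import configparser
import stat

# Constructed sample input: a trimmed sssd.conf like the one in the thread
# and four candidate files in conf.d. Nothing here is read from disk.
BASE_CONF = """
[sssd]
domains = example.net
config_file_version = 2
services = nss, pam

[domain/example.net]
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
"""

CONF_D = {
    "00-domain.conf": "[domain/example.net]\nuse_fully_qualified_names = False\n",
    "10-domain.conf": "[domain/example.net]\ndefault_shell = /bin/bash\n",
    ".draft.conf": "[domain/example.net]\nuse_fully_qualified_names = True\n",  # dotfile: skipped
    "notes.txt": "[domain/example.net]\nid_provider = files\n",              # not .conf: skipped
}

def snippet_order(names):
    """Files ending in .conf and not starting with '.', alphabetically; later files win."""
    return sorted(n for n in names if n.endswith(".conf") and not n.startswith("."))

def parse(text):
    # interpolation=None keeps '%u@%d' in fallback_homedir literal instead of
    # treating '%' as a configparser substitution marker.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}

def effective_config(base_text, conf_d):
    """Merge sssd.conf with the qualifying conf.d snippets in documented priority order."""
    merged = parse(base_text)
    for name in snippet_order(conf_d):
        for section, keys in parse(conf_d[name]).items():
            merged.setdefault(section, {}).update(keys)
    return merged

def permissions_ok(mode, uid, gid):
    """man sssd.conf: snippets need the same owner and mode as sssd.conf, root:root 0600."""
    return uid == 0 and gid == 0 and stat.S_IMODE(mode) == 0o600
```

Run the same merge against the real files (os.listdir on /etc/sssd/conf.d and os.stat for the mode and owner) to see which snippet actually supplies use_fully_qualified_names and whether one is being skipped for its permissions.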


I've tried putting things in /etc/sssd/conf.d but it didn't seem to work. For example I created a file called /etc/sssd/conf.d/domain.conf and added this (I basically copied what the system created and changed use_fully_qualified_names to False):

[domain/example.net]
ad_domain = example.net
krb5_realm = EXAMPLE.NET
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

But when I sign into the domain this is what's in my /etc/sssd/sssd.conf

[sssd]
domains = example.net
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[domain/example.net]
ad_domain = example.net
krb5_realm = EXAMPLE.NET
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Is there a way I can put something in /etc/sssd/conf.d so I can set use_fully_qualified_names = False? Am I messing up the format it expects it to be in so it's ignoring what I have?

Of course. We add the snippet files, because we do not want to modify the sssd.conf file.
The question is, what is the active config of the running sssd process?
(You did restart the sssd.service, didn’t you?)

The sssctl does not seem to have a command to dump the config (but sssctl config-check should mention errors in format).

Sorry I didn't reply sooner, I came down with the flu and have been in bed watching TV all week. If you're still around…

What I pasted is the active config of my running sssd process. I added the snippet I posted and restarted sssd. It seems to ignore my snippet. So I tried a more concise snippet of just what I needed:

I put this in the conf.d folder and called it 00-domain.conf

[domain/example.net]
id_provider = files
use_fully_qualified_names = False

But it still seems like it's ignored. I've restarted sssd dozens of times in tests, and joined/left the domain a bunch of times as well…but this is still my sssd.conf

[sssd]
domains = example.net
config_file_version = 2
services = nss, pam

[domain/example.net]
ad_domain = example.net
krb5_realm = EXAMPLE.NET
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

I’d try:

sed "s/use_fully_qualified_names = True/use_fully_qualified_names = False/" /etc/sssd/sssd.conf > /etc/sssd/conf.d/00-domain.conf
mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf-orig
systemctl restart sssd

The sssd should start with just the /etc/sssd/conf.d/00-domain.conf

If it seems that it doesn’t read /etc/sssd/conf.d/00-domain.conf, then … oh my.

Wait…the user just told me it's not a regular desktop/VM (I'm an admin at a university), it's a synology rackmounted appliance. They had asked me to update it from centos to rockyos which I did, they never mentioned it was an appliance. Maybe the vendor changed the way it joins a domain. I'll let you know what happened, and thank you so much for your help, but I think I should try the synology forums.

Trying your example, it doesn't write anything…I wasn't sure which folder you thought your sed command should be applied to, so I manually edited it in the 00-domain.conf (it was already set here) and the sssd.conf file

[root@polarbear sssd]# mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf-orig
[root@polarbear sssd]# ls -l
total 4
drwx--x--x. 2 sssd sssd 28 Oct 6 16:55 conf.d
drwx--x--x. 2 root root 6 Jun 28 11:25 pki
-rw-------. 1 root root 403 Oct 6 17:15 sssd.conf-orig
[root@polarbear sssd]# systemctl restart sssd
[root@polarbear sssd]# ls -l
total 4
drwx--x--x. 2 sssd sssd 28 Oct 6 16:55 conf.d
drwx--x--x. 2 root root 6 Jun 28 11:25 pki
-rw-------. 1 root root 403 Oct 6 17:15 sssd.conf-orig

It's only when I leave and rejoin the domain that it gets written…and when it does it's the one from above. I'm going to try putting something in /etc/realmd.conf and if that doesn't work I think I'll try the synology forums because I don't think this is how a normal redhat/rockyos box behaves.

Thanks again for all your help though!


“It” is not supposed to write anything.

The sssd service merely reads config from /etc/sssd/conf.d/*.conf and /etc/sssd/sssd.conf when it starts (if any exists) and runs happily (unless config is insufficient).

With the /etc/sssd/conf.d/00-domain.conf in place and no /etc/sssd/sssd.conf and doing a "systemctl restart sssd", shouldn't that have at least written out a /etc/sssd/sssd.conf with the contents of 00-domain.conf? I thought that's what you meant in your previous message

No. My bad. Sssd only reads the files. It does not write.