SSSD in container on Fedora
2015-10-19
Abstract
SSSD can be run in a container and provide services to the programs on the host, without even being installed on the host. Here we describe a proof of concept that is available today.
SSSD overview
System Security Services Daemon (SSSD) is a daemon that provides identity, authentication, and authorization services to the operating system and applications. It provides modules and/or plugins for multiple subsystems of the operating system, including NSS, PAM, or sudo. It can cache multiple types of information to speed up subsequent lookup or authentication operations, and it can use various remote backend types, including FreeIPA, Active Directory, or LDAP.
SSSD can be configured by editing /etc/sssd/sssd.conf directly, but due to the overlap with other subsystems, those subsystems typically need to be configured as well to make use of SSSD, like pam_sss.so for PAM, or /etc/krb5.* for Kerberos operations. For two use cases, setups against FreeIPA and Active Directory, setup tools can be used to configure SSSD and other components of the operating system in an automated fashion. For FreeIPA it's ipa-client-install, or realm, which can also configure the system for a remote Active Directory backend.

IPA-enrolling system
Configuring the operating system and SSSD against FreeIPA is called IPA-enrollment. While running the setup tools, credentials typically need to be passed to ipa-client-install or realm to authenticate the operation on the remote system, as well as other options that specify to which remote system we are IPA-enrolling the machine, or which components should be configured.

The typical approach could include pre-creating the host record on the FreeIPA server and generating a one-time password for it:

ipa$ ipa host-add --random host.example.com
[...]
  Random password: 3dW742a5rYTX

That password can then be used to authenticate from the client during IPA-enrollment, instead of using the credentials of admin or another power user.
But first, the setup tool together with its dependencies, which include SSSD, needs to be installed:

host# dnf install -y freeipa-client
[...]
Install 68 Packages
[...]
Complete!
host# ipa-client-install -w 3dW742a5rYTX
[...]
Client configuration complete.

Many other options can be used; see

host# ipa-client-install --help

or the man page.
We can check that things work, for example by checking information about a user that does not exist in the local /etc/passwd but exists on the FreeIPA server:

host# id bob
uid=1712400001(bob) gid=1712400001(bob) groups=1712400001(bob)

And since IPA-enrollment gave the host an identity in the FreeIPA server and set up a keytab for the Kerberos host principal in /etc/krb5.keytab, ssh with GSSAPIAuthentication now works:

other-host$ kinit bob
Password for bob@EXAMPLE.COM:
other-host$ ssh bob@host.example.com
Could not chdir to home directory /home/bob: No such file or directory
-sh-4.3$ id
uid=1712400001(bob) gid=1712400001(bob) groups=1712400001(bob) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$

We don't have home directories mounted, but we see that authentication works.
IPA-enrolling via SSSD in container
Instead of installing the software on the host with dnf install, we can install and run it in a container. We will use the docker service and the atomic command. The docker daemon manages images and containers, and atomic is a utility which can use LABELs of docker images to run the containers with the correct parameters.

As of 2015-10-19, we need to install atomic from the Fedora 22 updates-testing repository to get a reasonably new version:

host# dnf install --enablerepo=updates-testing -y atomic

The atomic package will pull docker (among others) as its dependency, so we can start it:

host# systemctl start docker.service

If we've created a host record for our machine on the FreeIPA server and got a one-time password generated, we can then download and configure the SSSD container while giving it options that will be passed directly to ipa-client-install in the container:

host# atomic install fedora/sssd -w OvPJIPluOHNj

The fedora/sssd container will first copy various configuration and data directories into the container, then run ipa-client-install with the parameters that were passed to atomic install, and upon successful IPA-enrollment copy the config and data files back to the host machine.

Unlike ipa-client-install, which configures the services and leaves the SSSD daemon running, the atomic install container is removed after it finishes and you need to use

host# atomic run fedora/sssd

to start it.
When we check whether sssd is running, we will see that its processes run as children of the docker daemon:

host# ps xf
[...]
11652 ?        Ssl    0:29 /usr/bin/docker -d --selinux-enabled
12537 ?        Ss     0:00  \_ /bin/bash /bin/run.sh
12545 ?        S      0:00      \_ tail -f /var/log/sssd/systemctl.log
12550 ?        Ss     0:00      \_ /usr/sbin/sssd -D -f
12551 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
12552 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
12553 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
12554 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
12555 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
12556 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
12832 ?        S      0:00      \_ sleep 1000

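A scriptable version of that ps check, added here as an example and not taken from the article or the fedora/sssd image: it reads output in the shape of ps -eo pid,ppid,comm and walks the parent chain from the sssd process to tell whether it is supervised by the docker daemon (containerized) or directly by systemd (installed on the host). The two process tables are constructed for the demonstration, with PIDs mirroring the listing above; the function name and the choice to match the parent's comm against docker and dockerd are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): decide from a
# "ps -eo pid,ppid,comm" table whether sssd runs under the docker daemon
# or directly under systemd on the host.

# sssd_supervisor TABLE: print "docker", "systemd" or "none".
# TABLE is the text of "ps -eo pid,ppid,comm" (header line included).
sssd_supervisor() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                         # skip the PID PPID COMMAND header
        { ppid[$1] = $2; comm[$1] = $3 }         # remember parent and command name
        $3 == "sssd" { sssd_pid = $1 }           # the monitor process itself
        END {
            if (!sssd_pid) { print "none"; exit }
            p = ppid[sssd_pid]
            # climb towards PID 1; stop at the first docker daemon we meet
            while (p != "" && p != "0" && p != "1") {
                if (comm[p] == "docker" || comm[p] == "dockerd") { print "docker"; exit }
                p = ppid[p]
            }
            print "systemd"
        }'
}

# Constructed sample tables (assumption: mirror the article, not real captures).
PS_CONTAINER="  PID  PPID COMMAND
    1     0 systemd
11652     1 docker
12537 11652 bash
12550 12537 sssd
12551 12550 sssd_be"

PS_HOST="  PID  PPID COMMAND
    1     0 systemd
 2345     1 sssd
 2346  2345 sssd_be"

echo "constructed container table: $(sssd_supervisor "$PS_CONTAINER")"   # docker
echo "constructed host table:      $(sssd_supervisor "$PS_HOST")"        # systemd

# On a live machine, feed it the real process table.
if command -v ps >/dev/null 2>&1; then
    echo "this machine: $(sssd_supervisor "$(ps -eo pid,ppid,comm)")"
fi
```

Walking the parent chain rather than checking only the immediate parent matters because, as the listing shows, sssd is started by /bin/run.sh inside the container, so its direct parent is bash and the docker daemon is two levels up.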
Depending on what packages are installed on your Fedora host, running id for a user from FreeIPA might fail in spite of SSSD running:

host# id bob
id: bob: no such user

It's because libnss_sss.so is needed for NSS to be able to talk to the daemon. We can either install those client bits via dnf or, as a quick fix, we can copy them out from the container:

host# mkdir -p /usr/lib64/sssd/modules
host# for i in /usr/lib64/libnss_sss.so.2 \
    /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so \
    /usr/lib64/libsss_sudo.so \
    /usr/lib64/security/pam_sss.so \
    /usr/lib64/security/pam_oddjob_mkhomedir.so \
    /usr/bin/kinit \
    /usr/bin/klist \
    /usr/sbin/ipa-getkeytab ; do
    if ! [ -e $i ] ; then docker cp sssd:$i $i ; fi
done
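To see whether the host actually has what NSS needs after that quick fix (or after a dnf install of the client packages), here is an added check script. It is not part of the article or of the fedora/sssd image: the file list mirrors the loop above, the ROOT argument and the function names are my own, and /etc/nsswitch.conf is checked as well because the sss module has to be listed there for a lookup like id bob to reach the daemon at all.

```shell
#!/bin/sh
# Added example (not from the original article): report which SSSD client-side
# files are missing on the host and whether NSS is wired to the sss module.
# ROOT lets the checks run against a scratch directory instead of the live system.

# The client-side files the article copies out of the container.
SSS_CLIENT_FILES="/usr/lib64/libnss_sss.so.2
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/libsss_sudo.so
/usr/lib64/security/pam_sss.so
/usr/lib64/security/pam_oddjob_mkhomedir.so
/usr/bin/kinit
/usr/bin/klist
/usr/sbin/ipa-getkeytab"

# missing_sss_files ROOT: print, one per line, the files from the list that are
# absent below ROOT (empty ROOT means the live host).
missing_sss_files() {
    root="${1:-}"
    for f in $SSS_CLIENT_FILES; do
        [ -e "$root$f" ] || printf '%s\n' "$f"
    done
}

# nsswitch_uses_sss FILE DB: exit 0 if the "DB:" line of an nsswitch.conf-style
# FILE lists the sss module, 1 otherwise.
nsswitch_uses_sss() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }' "$1"
}

# report ROOT: human-readable summary of both checks for the given root.
report() {
    root="${1:-}"
    missing=$(missing_sss_files "$root")
    if [ -n "$missing" ]; then
        echo "missing SSSD client files under ${root:-/}:"
        printf '  %s\n' $missing
    else
        echo "all SSSD client files present under ${root:-/}"
    fi
    for db in passwd group; do
        if nsswitch_uses_sss "$root/etc/nsswitch.conf" "$db" 2>/dev/null; then
            echo "nsswitch: $db uses sss"
        else
            echo "nsswitch: $db does NOT use sss"
        fi
    done
}

# Usage: run against the live host (no argument) or a scratch root.
report "${1:-}"
```

Files placed on the host with docker cp belong to no RPM, so dnf will neither update nor remove them; the report tells you exactly which files are in that state, which is the list to revisit when you later switch back to the packaged client bits.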
Switching to container and back
Since the configuration and data that the SSSD container uses are stored in the exact locations where the standard sssd service stores them, it's possible to move from sssd running directly on the host to the container, or from the container to the host.

An existing sssd setup can be converted to a containerized one using

host# systemctl stop sssd.service
host# atomic install fedora/sssd --migrate
[... image being downloaded ...]
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e HOST=/host fedora/sssd /bin/install.sh --migrate
IPA client is already configured on this system.
host# atomic run fedora/sssd
docker run [...]

The containerized service is configured with /etc/systemd/system/sssd.service. Thus, the steps to move to the service running directly on the host include:

host# atomic uninstall fedora/sssd
host# rm /etc/systemd/system/sssd.service
host# systemctl daemon-reload
host# systemctl start sssd.service

Note about DNS
In the examples above, we assume that the machines can find the FreeIPA server because they are configured with correct DNS settings.
If you are trying the examples in a testing setup, you can use

host# echo nameserver IP-address-of-FreeIPA-server > /etc/resolv.conf

and set the hostname on those machines with a domain matching the domain handled by the FreeIPA server:

host# hostname host.example.com

Source
- Source code: https://github.com/fedora-cloud/Fedora-Dockerfiles/tree/master/sssd
- Docker image: https://hub.docker.com/r/fedora/sssd/
Versions used
- Fedora 22 on host with
  - atomic-1.4-1.git9d724aa.fc22
  - docker-1.8.2-7.gitcb216be.fc22.x86_64
- SSSD container docker.io/fedora/sssd: 7db1201b9c1f (use docker images)