SSSD Manual pages


Table of Contents

sss_override — create local overrides of user and group attributes

Name

sss_override — create local overrides of user and group attributes

Synopsis

sss_override COMMAND [ options ]

DESCRIPTION

sss_override enables to create a client-side view and allows to change selected values of specific user and groups. This change takes effect only on local machine.

Overrides data are stored in the SSSD cache. If the cache is deleted, all local overrides are lost. Please note that after the first override is created using any of the following user-add, group-add, user-import or group-import command. SSSD needs to be restarted to take effect. sss_override prints message when a restart is required.

AVAILABLE COMMANDS

Argument NAME is the name of original object in all commands. It is not possible to override uid or gid to 0.

user-add NAME [-n,--name NAME] [-u,--uid UID] [-g,--gid GID] [-h,--home HOME] [-s,--shell SHELL] [-c,--gecos GECOS]

Override attributes of an user. Please be aware that calling this command will replace any previous override for the (NAMEd) user.

user-del NAME

Remove user overrides. However be aware that overridden attributes might be returned from memory cache. Please see SSSD option memcache_timeout for more details.

user-find [-d,--domain DOMAIN]

List all users with set overrides. If DOMAIN parameter is set, only users from the domain are listed.

user-show NAME

Show user overrides.

user-import FILE

Import user overrides from FILE. Data format is similar to standard passwd file. The format is:

original_name:name:uid:gid:gecos:home:shell

where original_name is original name of the user whose attributes should be overridden. The rest of fields correspond to new values. You can omit a value simply by leaving corresponding field empty.

Examples:

ckent:superman::::::

ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash

user-export FILE

Export all overridden attributes and store them in FILE. See user-import for data format.

group-add NAME [-n,--name NAME] [-g,--gid GID]

Override attributes of a group. Please be aware that calling this command will replace any previous override for the (NAMEd) group.

group-del NAME

Remove group overrides. However be aware that overridden attributes might be returned from memory cache. Please see SSSD option memcache_timeout for more details.

group-find [-d,--domain DOMAIN]

List all groups with set overrides. If DOMAIN parameter is set, only groups from the domain are listed.

group-show NAME

Show group overrides.

group-import FILE

Import group overrides from FILE. Data format is similar to standard group file. The format is:

original_name:name:gid

where original_name is original name of the group whose attributes should be overridden. The rest of fields correspond to new values. You can omit a value simply by leaving corresponding field empty.

Examples:

admins:administrators:

Domain Users:Users:501

group-export FILE

Export all overridden attributes and store them in FILE. See group-import for data format.

COMMON OPTIONS

Those options are available with all commands.

--debug LEVEL

SSSD supports two representations for specifying the debug level. The simplest is to specify a decimal value from 0-9, which represents enabling that level and all lower-level debug messages. The more comprehensive option is to specify a hexadecimal bitmask to enable or disable specific levels (such as if you wish to suppress a level).

Please note that each SSSD service logs into its own log file. Also please note that enabling debug_level in the [sssd] section only enables debugging just for the sssd process itself, not for the responder or provider processes. The debug_level parameter should be added to all sections that you wish to produce debug logs from.

In addition to changing the log level in the config file using the debug_level parameter, which is persistent, but requires SSSD restart, it is also possible to change the debug level on the fly using the sss_debuglevel(8) tool.

Currently supported debug levels:

0, 0x0010: Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running.

1, 0x0020: Critical failures. An error that doesn't kill the SSSD, but one that indicates that at least one major feature is not going to work properly.

2, 0x0040: Serious failures. An error announcing that a particular request or operation has failed.

3, 0x0080: Minor failures. These are the errors that would percolate down to cause the operation failure of 2.

4, 0x0100: Configuration settings.

5, 0x0200: Function data.

6, 0x0400: Trace messages for operation functions.

7, 0x1000: Trace messages for internal control functions.

8, 0x2000: Contents of function-internal variables that may be interesting.

9, 0x4000: Extremely low-level tracing information.

To log required bitmask debug levels, simply add their numbers together as shown in following examples:

Example: To log fatal failures, critical failures, serious failures and function data use 0x0270.

Example: To log fatal failures, configuration settings, function data, trace messages for internal control functions use 0x1310.

Note: The bitmask format of debug levels was introduced in 1.7.0.

Default: 0

SEE ALSO

sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8), sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)