
This is a follow-up to this question.

I have a CentOS 7 machine which has joined the domain FOOBAR. It is possible to successfully get info about users stored in the AD via

id [email protected]

However, getent passwd and getent group do not show the users and groups defined in the AD.

These are the relevant lines in /etc/nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss

What needs to be added there?

dr_
    My guess is that you did not turn on enumerate in sssd.conf. This is turned off for a reason, however, so you might want to do some research before turning it on. – doneal24 Aug 09 '18 at 16:32
  • @DougO'Neal Good guess. I've tested it and written a detailed answer. – dr_ Aug 10 '18 at 12:58

1 Answer


As suggested by @Doug O'Neal in a comment, it was necessary to set

enumerate = true

in /etc/sssd/sssd.conf.

Now getent passwd and getent group show all users and groups defined in the AD.

Note that this option is often not recommended. From man sssd.conf:

(...)
    enumerate (bool)
       Determines if a domain can be enumerated. This parameter can have one of the
       following values:

       TRUE = Users and groups are enumerated

       FALSE = No enumerations for this domain

       Default: FALSE

       Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration
       is running. It may take up to several minutes after SSSD startup to fully complete 
       enumerations. During this time, individual requests for information will go directly
       to LDAP, though it may be slow, due to the heavy enumeration processing. Saving a large 
       number of entries to cache after the enumeration completes might also be CPU intensive
       as the memberships have to be recomputed.

       While the first enumeration is running, requests for the complete user or group lists
       may return no results until it completes.

       Further, enabling enumeration may increase the time necessary to detect network
       disconnection, as longer timeouts are required to ensure that enumeration
       lookups are completed successfully. For more information, refer to the man pages for 
       the specific id_provider in use.

       For the reasons cited above, enabling enumeration is not recommended, especially in 
       large environments.
(...)
dr_
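The following is an added example and not code from the question or the answer above. It shows, with plain POSIX sh and awk, how to read and set the enumerate option for one [domain/...] section of an sssd.conf-style file without disturbing the file's mode and owner (sssd refuses to start if /etc/sssd/sssd.conf is not 0600 and owned by root), and then lists the commands you would run on the joined host to make the change take effect. The domain name foobar.example and the sample configuration are assumptions made for the example; the sssd_apply_and_check function needs root on a host that has actually joined the domain and is therefore not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Inspect and change `enumerate` in one [domain/...] section of an
# sssd.conf-style file. Domain name and sample config are assumptions.

# Print the effective `enumerate` value for [domain/DOMAIN] in CONF.
# sssd defaults the option to false, so a missing line prints "false".
sssd_enumerate_setting() {
    conf=$1; domain=$2
    awk -v sect="[domain/$domain]" '
        $0 == sect   { in_sect = 1; next }
        /^[ \t]*\[/  { in_sect = 0 }
        in_sect && /^[ \t]*enumerate[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print tolower($0); found = 1
        }
        END { if (!found) print "false" }
    ' "$conf"
}

# Set `enumerate = VALUE` in [domain/DOMAIN] of CONF: rewrite an existing
# line or append one to that section. The result is written back through
# the same file (cat > "$conf"), so mode and owner are preserved; sssd
# will not start if sssd.conf is not 0600 root:root.
sssd_set_enumerate() {
    conf=$1; domain=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v sect="[domain/$domain]" -v val="$value" '
        $0 == sect   { print; in_sect = 1; next }
        /^[ \t]*\[/  { if (in_sect && !done) { print "enumerate = " val; done = 1 }
                       in_sect = 0 }
        in_sect && /^[ \t]*enumerate[ \t]*=/ { print "enumerate = " val; done = 1; next }
        { print }
        END { if (in_sect && !done) print "enumerate = " val }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write a minimal, constructed realm-join style sssd.conf to PATH.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = foobar.example
config_file_version = 2
services = nss, pam

[domain/foobar.example]
ad_domain = foobar.example
id_provider = ad
access_provider = ad
use_fully_qualified_names = True
EOF
}

# On the joined host, as root, after editing /etc/sssd/sssd.conf:
# restart sssd, drop the stale cache, then compare a single-user lookup
# (works with enumerate = false) against the key-less listing (needs
# enumerate = true and may be empty until the first enumeration finishes).
sssd_apply_and_check() {
    user=$1
    systemctl restart sssd &&
    sss_cache -E &&
    getent passwd "$user" &&
    getent passwd | wc -l
}

# Demo on a throwaway copy of the sample config.
demo_conf=$(mktemp)
write_sample_sssd_conf "$demo_conf"
echo "before: enumerate=$(sssd_enumerate_setting "$demo_conf" foobar.example)"  # false
sssd_set_enumerate "$demo_conf" foobar.example true
echo "after:  enumerate=$(sssd_enumerate_setting "$demo_conf" foobar.example)"  # true
rm -f "$demo_conf"
```

Only the key-less getent passwd / getent group listing needs enumeration; id and getent passwd USER already succeed with the default enumerate = false, as the question itself shows. Before turning enumeration on, check whether the tool that wants the listing really needs it: with it on, every local process can list every AD account and group, and sssd pays the load described in the man page excerpt above.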