How-to: Display Domain Users with getent passwd on UCS 5.2

Description:

Starting with UCS 5.2, Univention replaced the deprecated libnss-ldap and libpam-ldap components with the System Security Services Daemon (SSSD). This changes the default behavior of the Name Service Switch (NSS): running getent passwd now lists only local users by default, whereas on UCS 5.0-10 it also listed all domain users.

This article explains why this change was introduced and how to configure UCS 5.2 so that both local and domain users are displayed when using getent passwd.


Background

Key changes introduced in UCS 5.2:

  • Removal of libnss-ldap and libpam-ldap.
  • SSSD now handles user resolution instead of the legacy NSS LDAP modules.
  • nscd is no longer used for passwd-related lookups (only for host resolution).
  • The UCR variables nscd/passwd/* are deprecated.
  • By default, SSSD does not enumerate all users (enumerate = false) to improve system performance and scalability.

Why does this matter?

Previously, setting

ucr set nsswitch/ldap=yes

enabled enumeration of all LDAP users through NSS. With SSSD, this option only switches on SSSD-based lookups; it does not make SSSD enumerate all domain users. This is intentional, in order to:

  • Avoid heavy LDAP/AD load in large domains.
  • Prevent timeouts and delays when many accounts exist.
  • Increase overall responsiveness of authentication services.

Symptoms

  • Executing getent passwd only lists local system users.

  • Direct lookups still work as expected:

    getent passwd <username>
    id <username>
    
  • /etc/nsswitch.conf appears similar to:

    passwd:        compat systemd sss
    group:         compat systemd extrausers
    shadow:        compat systemd
    

Configuration:

To restore the behavior from UCS 5.0-10 and display both local and domain users, SSSD enumeration must be explicitly enabled.

Warning: Enabling enumeration may affect performance in environments with a large number of domain users (e.g., more than 10,000).

Step 1: Verify your current SSSD domain

Execute:

sssctl domain-list

Example output:

example.local

Step 2: Create an SSSD configuration override

Create a configuration snippet:

nano /etc/sssd/conf.d/10-enumerate.conf

Add the following content:

[domain/example.local]
enumerate = true

Replace example.local with the domain name from the previous step.

Step 3: Apply correct permissions

SSSD refuses to start if a configuration file is group- or world-readable or not owned by root, so the snippet must have the same ownership and mode as /etc/sssd/sssd.conf (owner root, mode 600):

chmod 600 /etc/sssd/conf.d/10-enumerate.conf

Step 4: Clear the SSSD cache and restart the service

sss_cache -U
systemctl restart sssd

Step 5: Test the configuration

getent passwd

You should now see both local and domain users listed. SSSD performs the initial enumeration run after it starts, so if the output is still incomplete right after the restart, wait a few seconds and run the command again.
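The five steps above as one script, added here as an example and not part of Univention's own tooling. It assumes that the first domain reported by sssctl domain-list is the one to enable and uses the snippet path from Step 2. The apply mode is meant for the UCS 5.2 host itself (it writes the snippet, validates it with sssctl config-check, clears the cache and restarts SSSD), while the demo mode only exercises the comparison logic on constructed passwd lines, so it runs on any system. Users are counted as "domain users" when getent passwd returns them but /etc/passwd does not, which is a simplification: entries from nss-systemd dynamic users would be counted the same way.

```shell
#!/bin/sh
# Added example (not Univention's own code): enable SSSD enumeration on UCS 5.2
# and verify the effect by comparing `getent passwd` output with /etc/passwd.
# Assumptions: the first line of `sssctl domain-list` is the domain to enable,
# and the snippet path is the one used in this how-to.
set -eu

SNIPPET=/etc/sssd/conf.d/10-enumerate.conf

# Render the override snippet for one SSSD domain to stdout.
render_snippet() {
    printf '[domain/%s]\nenumerate = true\n' "$1"
}

# Print user names that appear in a passwd-format file ($1, e.g. saved
# `getent passwd` output) but not in the local passwd file ($2). Whatever is
# left over came from another NSS source, i.e. from SSSD on UCS 5.2
# (or, in rare cases, from nss-systemd dynamic users).
non_local_users() {
    awk -F: 'FILENAME == ARGV[1] { local_user[$1] = 1; next }
             !($1 in local_user) { print $1 }' "$2" "$1"
}

# Count the domain users NSS currently returns on this host.
count_domain_users() {
    nss=$(mktemp)
    getent passwd > "$nss"
    non_local_users "$nss" /etc/passwd | wc -l
    rm -f "$nss"
}

enable_enumeration() {
    domain=$(sssctl domain-list | head -n 1)
    [ -n "$domain" ] || { echo "no SSSD domain configured" >&2; exit 1; }

    before=$(count_domain_users)

    # SSSD refuses to start if a config file is group/world readable or not
    # owned by root, so fix ownership and mode before restarting.
    umask 077
    render_snippet "$domain" > "$SNIPPET"
    chown root:root "$SNIPPET"
    chmod 600 "$SNIPPET"
    sssctl config-check          # catches syntax and permission problems early

    sss_cache -U
    systemctl restart sssd
    sleep 5                      # give the initial enumeration run time to finish

    after=$(count_domain_users)
    echo "domain users visible via getent passwd: $before before, $after after"
}

# Offline demonstration of the comparison on constructed sample passwd lines.
demo() {
    nss=$(mktemp); loc=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$nss"
    printf 'alice:x:2003:5000:Alice Example:/home/alice:/bin/bash\n' >> "$nss"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$loc"
    non_local_users "$nss" "$loc"    # alice is the only non-local entry
    rm -f "$nss" "$loc"
}

case "${1:-}" in
    apply) enable_enumeration ;;
    demo)  demo ;;
    *)     echo "usage: $0 apply|demo" >&2 ;;
esac
```

Run it as `sh enable-enumeration.sh apply` on the UCS host as root; `demo` can be run anywhere to see the comparison logic. The before/after counts make it obvious whether enumeration is actually in effect, which a bare `getent passwd` scrolling past does not.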


Additional Information

  • SSSD does not provide shadow password information for domain users. For example, pam_unix cannot process password aging for these accounts.

  • Configuration snippets under /etc/sssd/conf.d/ are update-safe and persist across system updates. SSSD only reads files in that directory whose names end in .conf, and they need the same root ownership and mode 600 as sssd.conf.

  • For large-scale environments, it is recommended not to enable enumeration and instead use:

    getent passwd <username>
    id <username>
    

    for on-demand user lookups.


Related Information