No SSSD support in snaps (nsswitch.conf)

Given: A host that does user auth with SSSD (“LDAP”).
With base: core18 (or maybe in general?) /etc/nsswitch.conf is bound to something different than the host’s nsswitch.conf


# snap
passwd:         compat extrausers


# host
passwd:         compat  systemd sss

Thus, within the snap context, getent passwd $USER will not succeed for non-local users.

Is that a supported use-case and should this work? Because if not, snapcraft-desktop-helpers and its “successor” the gnome extension ( can never successfully link remote users’ home directories into the snap. Quite problematic indeed for desktop applications.

Any suggestions or ideas on how to tackle this problem?

I’m not sure I understand the problem. In what cases does snapcraft-desktop-helpers etc “link remote users’ home directories into the snap”?

Bad choice of words. desktop-launch softlinks xdg dirs for convenient access. I’m referring to which gets its $REALHOME from here

REALHOME cannot be deduced for users from sssd and is thus empty. You’ll find xdg dirs in your file chooser dialogs that do not correspond to those in the user’s home directory.

This old topic describes the root problem very well and presents a nice and easy test for user resolution failing for devices using SSSD.

An “okay” workaround in regards to the wrapper script is to deduce the “obvious” home dir from $SNAP_USER_DATA if getent does not return anything useful.

have you looked at


@chipaca Absolutely phenomenal. That is indeed a good solution and works beautifully. Thank you very much. I had overlooked this topic as my search was not generic enough after a long day :exploding_head:

For reference: Installing and running nscd or unscd on the host enables SSSD (and more) user resolution within the snap.

I’m wondering whether that could be a good addition somewhere in the docs…

1 Like

paging @degville to answer that one, as I don’t hold the docs in my head as well as he does.

Good question - I think in the near future, this solution will be better referenced from the new Snapcraft build, debug and publishing docs roadmap, which we are working on and will complete soon. There’s troubleshooting for each phase and this will be a common question.

But it’s probably also worth mentioning in some of our environment variable documentation, where you might expect references to a user’s $HOME, for example.

I’ll make a note to do both of the above.


It is probably of equal or greater interest to users rather than developers: a snap might work without issue on the developer’s machine, but fails for a user on a machine configured to use LDAP.

It’s not really something the snap author can handle from their side of the sandbox.


Yes, that is strictly a user thing. In a perfect world, the user would be informed upon installation or running of a snap that the current user cannot be resolved and a solution would be proposed.

I was affected on this on my work computer using sssd to talk to the corporate AD domain. I have found several snaps that completely breaks for me because of this. The internet is quite clear that you should absolutely not use sssd and nscd in parallel to cache passwd entries. I installed nscd anyway with passwd cache enabled (enable-cache passwd yes) the snaps work but I get this in the sssd logs:

aug 18 09:20:50 myhostname sssd[20780]: NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these.

I will try to investigate a little closer why nscd is not recommended and see if It’s an acceptable workaround for me. But overall, I like to get some feedback if there is a better way today considering the age of this issue and the fast moving pace of development in the snap ecosystem.

1 Like

The main reason is that both sssd and nscd cache user information, so stacking could out dated results being cached longer than expected. Imagine you request info that is cached in sssd just before it is set to expire. That might now be placed in nscd’s cache and be considered fresh past when sssd believes it is outdated.

You could minimise this by cranking down nscd’s TTL values to reduce the window.

1 Like