SSSD Cache Databases & Logs

Linux, Authentication & Access, Disk Image

Location

/var/lib/sss/db/*, /var/lib/sss/mc/*, /etc/sssd/sssd.conf, and /var/log/sssd/*

Common Names

sssd cache, /var/lib/sss/db, sssd_nss.log

Description

System Security Services Daemon cache databases, memory cache files, configuration, and debug logs used for directory-backed identity, authentication, and offline credential caching on Linux endpoints.

Forensic Value

SSSD artifacts are critical on Linux systems joined to Active Directory, FreeIPA, or LDAP because they show how identities were resolved, when offline authentication was used, and which domain or responder handled a request. Debug logs expose failed and successful PAM/NSS transactions, while the cache databases confirm whether directory user and group data was retained locally. In identity compromise investigations, these files help determine whether the host depended on cached credentials and whether domain-backed access could continue after disconnecting from the controller.

Tools Required

sssctl, cp, tar, grep

Collection Commands

sssctl

sssctl domain-list > /forensics/output/sssd_domains.txt

tar

tar czf /forensics/output/sssd_bundle.tar.gz /etc/sssd/ /var/lib/sss/ /var/log/sssd/ 2>/dev/null

grep

grep -Rni "cache_credentials\|offline" /etc/sssd/sssd.conf /etc/sssd/conf.d/* 2>/dev/null > /forensics/output/sssd_cache_settings.txt
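
The grep above returns matching lines but not which [domain/...] section each belongs to, so it cannot by itself say which domains allowed offline logons. The following added example (not from the page) is a POSIX shell/awk report that reads a collected sssd.conf and prints, per domain section, the effective cache_credentials value, treating a missing key as SSSD's documented default of false; the sssd.conf it runs on is a constructed sample.

```shell
# Added example (not from the original page): per-domain offline-credential
# caching report for a collected sssd.conf. A [domain/...] section without a
# cache_credentials line is reported as SSSD's default, "false (default)".

# sssd_cache_report [FILE]: read FILE (or stdin) and print one line per domain.
sssd_cache_report() {
    awk '
        function emit() {
            printf "%s cache_credentials=%s\n", domain, (value == "" ? "false (default)" : value)
        }
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        /^[[:space:]]*\[/ {                          # new [section] header
            if (in_domain) emit()
            section = substr($0, index($0, "[") + 1)
            section = substr(section, 1, index(section, "]") - 1)
            in_domain = (substr(section, 1, 7) == "domain/")
            if (in_domain) { domain = substr(section, 8); value = "" }
            next
        }
        in_domain && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            value = $0
            sub(/^[^=]*=[[:space:]]*/, "", value)   # keep the text after "="
            sub(/[[:space:]]+$/, "", value)
            value = tolower(value)
        }
        END { if (in_domain) emit() }
    ' "${1:--}"
}

# Constructed sample sssd.conf (not a real host's file): one AD domain with
# offline caching enabled, one LDAP domain relying on the default.
SAMPLE_CONF='[sssd]
domains = example.test, lab.local
services = nss, pam

[domain/example.test]
id_provider = ad
cache_credentials = True

[domain/lab.local]
id_provider = ldap'

# demo_report: run the report on the constructed sample.
demo_report() {
    printf '%s\n' "$SAMPLE_CONF" | sssd_cache_report
}
```

On a collected bundle, point sssd_cache_report at the extracted etc/sssd/sssd.conf (and each file under conf.d) rather than the sample.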

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • These artifacts exist only when SSSD is installed and in use. Cache contents, debug verbosity, and offline-credential behavior depend on configuration and distribution defaults.

MITRE ATT&CK Techniques

T1078, T1556, T1003.008