From be3cea05e06cbfcfbd684b46c49fcdc8f8f5b880 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Tue, 18 Sep 2018 14:28:18 +0200

Subject: [PATCH 14/16] profiles: add options to exclude lines from

 nsswitch.conf

There is a common use case that users want to change lines in nsswitch.conf

but do not want to create a whole custom profile. This applies especially

to nis profile as it sets all nsswitch databases and thus renders recently

added user-nsswitch.conf useless.

For distributing company wide configuration, custom profiles should be used though.

Resolves:

https://github.com/pbrezina/authselect/issues/95

---

 profiles/nis/README            | 50 ++++++++++++++++++++++++++++++++++

 profiles/nis/nsswitch.conf     | 28 +++++++++----------

 profiles/sssd/README           | 26 ++++++++++++++++++

 profiles/sssd/nsswitch.conf    | 12 ++++----

 profiles/winbind/README        | 14 ++++++++++

 profiles/winbind/nsswitch.conf |  4 +--

 6 files changed, 112 insertions(+), 22 deletions(-)

diff --git a/profiles/nis/README b/profiles/nis/README

index 34789b1e7643f0df082d40e0e87cb3d0823bba56..3911959c59287d2d5425ef304f744ff4cd5b408d 100644

--- a/profiles/nis/README

+++ b/profiles/nis/README

@@ -41,6 +41,56 @@ with-nispwquality::

 without-nullok::

     Do not add nullok parameter to pam_unix.

+DISABLE SPECIFIC NSSWITCH DATABASES

+-----------------------------------

+

+Normally, nsswitch databases set by the profile overwrites values set in

+user-nsswitch.conf. The following options can force authselect to

+ignore value set by the profile and use the one set in user-nsswitch.conf

+instead.

+

+with-custom-aliases::

+Ignore "aliases" map set by the profile.

+

+with-custom-automount::

+Ignore "automount" map set by the profile.

+

+with-custom-ethers::

+Ignore "ethers" map set by the profile.

+

+with-custom-group::

+Ignore "group" map set by the profile.

+

+with-custom-hosts::

+Ignore "hosts" map set by the profile.

+

+with-custom-initgroups::

+Ignore "initgroups" map set by the profile.

+

+with-custom-netgroup::

+Ignore "netgroup" map set by the profile.

+

+with-custom-networks::

+Ignore "networks" map set by the profile.

+

+with-custom-passwd::

+Ignore "passwd" map set by the profile.

+

+with-custom-protocols::

+Ignore "protocols" map set by the profile.

+

+with-custom-publickey::

+Ignore "publickey" map set by the profile.

+

+with-custom-rpc::

+Ignore "rpc" map set by the profile.

+

+with-custom-services::

+Ignore "services" map set by the profile.

+

+with-custom-shadow::

+Ignore "shadow" map set by the profile.

+

 EXAMPLES

 --------

 * Enable NIS with no additional modules

diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf

index 4397deb1ef347d5cb8798926f553c373f8c15649..f5451657f3d8b988b633304d549a3242257715d3 100644

--- a/profiles/nis/nsswitch.conf

+++ b/profiles/nis/nsswitch.conf

@@ -1,14 +1,14 @@

-aliases:    files nis

-automount:  files nis

-ethers:     files nis

-group:      files nis systemd

-hosts:      files nis dns myhostname

-initgroups: files nis

-netgroup:   files nis

-networks:   files nis

-passwd:     files nis systemd

-protocols:  files nis

-publickey:  files nis

-rpc:        files nis

-services:   files nis

-shadow:     files nis

+aliases:    files nis                   {exclude if "with-custom-aliases"}

+automount:  files nis                   {exclude if "with-custom-automount"}

+ethers:     files nis                   {exclude if "with-custom-ethers"}

+group:      files nis systemd           {exclude if "with-custom-group"}

+hosts:      files nis dns myhostname    {exclude if "with-custom-hosts"}

+initgroups: files nis                   {exclude if "with-custom-initgroups"}

+netgroup:   files nis                   {exclude if "with-custom-netgroup"}

+networks:   files nis                   {exclude if "with-custom-networks"}

+passwd:     files nis systemd           {exclude if "with-custom-passwd"}

+protocols:  files nis                   {exclude if "with-custom-protocols"}

+publickey:  files nis                   {exclude if "with-custom-publickey"}

+rpc:        files nis                   {exclude if "with-custom-rpc"}

+services:   files nis                   {exclude if "with-custom-services"}

+shadow:     files nis                   {exclude if "with-custom-shadow"}

\ No newline at end of file

diff --git a/profiles/sssd/README b/profiles/sssd/README

index a2fbf66323f4893391474de49f323c06123a2ebf..42293ab39c628c285921b8b47c4a763fd0215472 100644

--- a/profiles/sssd/README

+++ b/profiles/sssd/README

@@ -59,6 +59,32 @@ with-pamaccess::

 without-nullok::

     Do not add nullok parameter to pam_unix.

+DISABLE SPECIFIC NSSWITCH DATABASES

+-----------------------------------

+

+Normally, nsswitch databases set by the profile overwrites values set in

+user-nsswitch.conf. The following options can force authselect to

+ignore value set by the profile and use the one set in user-nsswitch.conf

+instead.

+

+with-custom-passwd::

+Ignore "passwd" database set by the profile.

+

+with-custom-group::

+Ignore "group" database set by the profile.

+

+with-custom-netgroup::

+Ignore "netgroup" database set by the profile.

+

+with-custom-automount::

+Ignore "automount" database set by the profile.

+

+with-custom-services::

+Ignore "services" database set by the profile.

+

+with-custom-sudoers::

+Ignore "sudoers" database set by the profile.

+

 EXAMPLES

 --------

diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf

index 5d05102ee8836f5bbce5f0527b87b1559fbe664e..9734bbbe68e7cf73a4a560e3573162d353e551e8 100644

--- a/profiles/sssd/nsswitch.conf

+++ b/profiles/sssd/nsswitch.conf

@@ -1,6 +1,6 @@

-passwd:     sss files systemd

-group:      sss files systemd

-netgroup:   sss files

-automount:  sss files

-services:   sss files

-sudoers:    files sss {include if "with-sudo"}

+passwd:     sss files systemd   {exclude if "with-custom-passwd"}

+group:      sss files systemd   {exclude if "with-custom-group"}

+netgroup:   sss files           {exclude if "with-custom-netgroup"}

+automount:  sss files           {exclude if "with-custom-automount"}

+services:   sss files           {exclude if "with-custom-services"}

+sudoers:    files sss           {include if "with-sudo"}

diff --git a/profiles/winbind/README b/profiles/winbind/README

index a824c7e78954bafffa6500e45a6e826835fd2b58..cd1606800d77eeb93be918f17fe47c2586b2519d 100644

--- a/profiles/winbind/README

+++ b/profiles/winbind/README

@@ -51,6 +51,20 @@ with-pamaccess::

 without-nullok::

     Do not add nullok parameter to pam_unix.

+DISABLE SPECIFIC NSSWITCH DATABASES

+-----------------------------------

+

+Normally, nsswitch databases set by the profile overwrites values set in

+user-nsswitch.conf. The following options can force authselect to

+ignore value set by the profile and use the one set in user-nsswitch.conf

+instead.

+

+with-custom-passwd::

+Ignore "passwd" database set by the profile.

+

+with-custom-group::

+Ignore "group" database set by the profile.

+

 EXAMPLES

 --------

 * Enable winbind with no additional modules

diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf

index 3018a7526ece30236969ce69dce729998c9a57de..8a23bd71935eb26c5093e4b2080b1d91b6de5582 100644

--- a/profiles/winbind/nsswitch.conf

+++ b/profiles/winbind/nsswitch.conf

@@ -1,2 +1,2 @@

-passwd:     files winbind systemd

-group:      files winbind systemd

+passwd:     files winbind systemd    {exclude if "with-custom-passwd"}

+group:      files winbind systemd    {exclude if "with-custom-group"}

-- 

2.17.1