From 7236f7a303215805de7195a8fdef7567543e8b0b Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Wed, 9 Jun 2021 13:59:01 +0200

Subject: [PATCH] rhel9: remove nis support

NIS is no longer supported in RHEL9.

---

 profiles/Makefile.am                |  13 ----

 profiles/nis/README                 | 111 ----------------------------

 profiles/nis/REQUIREMENTS           |  13 ----

 profiles/nis/dconf-db               |   3 -

 profiles/nis/dconf-locks            |   2 -

 profiles/nis/nsswitch.conf          |  14 ----

 profiles/nis/postlogin              |   4 -

 rpm/authselect.spec.in              |  10 ---

 src/compat/authcompat.py.in.in      |  95 ------------------------

 src/compat/authcompat_Options.py    |   8 +-

 src/man/authselect-migration.7.adoc |   2 +-

 11 files changed, 6 insertions(+), 269 deletions(-)

 delete mode 100644 profiles/nis/README

 delete mode 100644 profiles/nis/REQUIREMENTS

 delete mode 100644 profiles/nis/dconf-db

 delete mode 100644 profiles/nis/dconf-locks

 delete mode 100644 profiles/nis/nsswitch.conf

 delete mode 100644 profiles/nis/postlogin

diff --git a/profiles/Makefile.am b/profiles/Makefile.am

index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c11043a406 100644

--- a/profiles/Makefile.am

+++ b/profiles/Makefile.am

@@ -13,19 +13,6 @@ dist_profile_minimal_DATA = \

     $(top_srcdir)/profiles/minimal/dconf-locks \

     $(NULL)

-profile_nisdir = $(authselect_profile_dir)/nis

-dist_profile_nis_DATA = \

-    $(top_srcdir)/profiles/nis/nsswitch.conf \

-    $(top_srcdir)/profiles/nis/password-auth \

-    $(top_srcdir)/profiles/nis/postlogin \

-    $(top_srcdir)/profiles/nis/README \

-    $(top_srcdir)/profiles/nis/REQUIREMENTS \

-    $(top_srcdir)/profiles/nis/system-auth \

-    $(top_srcdir)/profiles/nis/fingerprint-auth \

-    $(top_srcdir)/profiles/nis/dconf-db \

-    $(top_srcdir)/profiles/nis/dconf-locks \

-    $(NULL)

-

 profile_sssddir = $(authselect_profile_dir)/sssd

 dist_profile_sssd_DATA = \

     $(top_srcdir)/profiles/sssd/nsswitch.conf \

diff --git a/profiles/nis/README b/profiles/nis/README

deleted file mode 100644

index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000

--- a/profiles/nis/README

+++ /dev/null

@@ -1,111 +0,0 @@

-Enable NIS for system authentication

-====================================

-

-Selecting this profile will enable Network Information Services as the source

-of identity and authentication providers.

-

-NIS CONFIGURATION

------------------

-

-Authselect does not touch NIS configuration. Please, read NIS' documentation

-to see how to configure it manually.

-

-AVAILABLE OPTIONAL FEATURES

----------------------------

-

-with-faillock::

-    Enable account locking in case of too many consecutive

-    authentication failures.

-

-with-mkhomedir::

-    Enable automatic creation of home directories for users on their

-    first login.

-

-with-fingerprint::

-    Enable authentication with fingerprint reader through *pam_fprintd*.

-

-with-pam-u2f::

-    Enable authentication via u2f dongle through *pam_u2f*.

-

-with-pam-u2f-2fa::

-    Enable 2nd factor authentication via u2f dongle through *pam_u2f*.

-

-without-pam-u2f-nouserok::

-    Module argument nouserok is omitted if also with-pam-u2f-2fa is used.

-    *WARNING*: Omitting nouserok argument means that users without pam-u2f

-    authentication configured will not be able to log in *INCLUDING* root.

-    Make sure you are able to log in before losing root privileges.

-

-with-silent-lastlog::

-    Do not produce pam_lastlog message during login.

-

-with-pamaccess::

-    Check access.conf during account authorization.

-

-with-nispwquality::

-    If this option is set pam_pwquality module will check password quality

-    for NIS users as well as local users during password change. Without this

-    option only local users passwords are checked.

-

-without-nullok::

-    Do not add nullok parameter to pam_unix.

-

-DISABLE SPECIFIC NSSWITCH DATABASES

------------------------------------

-

-Normally, nsswitch databases set by the profile overwrites values set in

-user-nsswitch.conf. The following options can force authselect to

-ignore value set by the profile and use the one set in user-nsswitch.conf

-instead.

-

-with-custom-aliases::

-Ignore "aliases" map set by the profile.

-

-with-custom-automount::

-Ignore "automount" map set by the profile.

-

-with-custom-ethers::

-Ignore "ethers" map set by the profile.

-

-with-custom-group::

-Ignore "group" map set by the profile.

-

-with-custom-hosts::

-Ignore "hosts" map set by the profile.

-

-with-custom-initgroups::

-Ignore "initgroups" map set by the profile.

-

-with-custom-netgroup::

-Ignore "netgroup" map set by the profile.

-

-with-custom-networks::

-Ignore "networks" map set by the profile.

-

-with-custom-passwd::

-Ignore "passwd" map set by the profile.

-

-with-custom-protocols::

-Ignore "protocols" map set by the profile.

-

-with-custom-publickey::

-Ignore "publickey" map set by the profile.

-

-with-custom-rpc::

-Ignore "rpc" map set by the profile.

-

-with-custom-services::

-Ignore "services" map set by the profile.

-

-with-custom-shadow::

-Ignore "shadow" map set by the profile.

-

-EXAMPLES

---------

-* Enable NIS with no additional modules

-

-  authselect select nis

-

-* Enable NIS and create home directories for users on their first login

-

-  authselect select nis with-mkhomedir

diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS

deleted file mode 100644

index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000

--- a/profiles/nis/REQUIREMENTS

+++ /dev/null

@@ -1,13 +0,0 @@

-Make sure that NIS service is configured and enabled. See NIS documentation for more information.

-                                                                                          {include if "with-fingerprint"}

-- with-fingerprint is selected, make sure fprintd service is configured and enabled       {include if "with-fingerprint"}

-                                                                                          {include if "with-pam-u2f"}

-- with-pam-u2f is selected, make sure that the pam u2f module is installed                {include if "with-pam-u2f"}

-  - users can then configure keys using the pamu2fcfg tool                                {include if "with-pam-u2f"}

-                                                                                          {include if "with-pam-u2f-2fa"}

-- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed            {include if "with-pam-u2f-2fa"}

-  - users can then configure keys using the pamu2fcfg tool                                {include if "with-pam-u2f-2fa"}

-                                                                                          {include if "with-mkhomedir"}

-- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module                       {include if "with-mkhomedir"}

-  is present and oddjobd service is enabled and active                                    {include if "with-mkhomedir"}

-  - systemctl enable --now oddjobd.service                                                {include if "with-mkhomedir"}

diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db

deleted file mode 100644

index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000

--- a/profiles/nis/dconf-db

+++ /dev/null

@@ -1,3 +0,0 @@

-[org/gnome/login-screen]

-enable-smartcard-authentication=false

-enable-fingerprint-authentication={if "with-fingerprint":true|false}

diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks

deleted file mode 100644

index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000

--- a/profiles/nis/dconf-locks

+++ /dev/null

@@ -1,2 +0,0 @@

-/org/gnome/login-screen/enable-smartcard-authentication

-/org/gnome/login-screen/enable-fingerprint-authentication

diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf

deleted file mode 100644

index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000

--- a/profiles/nis/nsswitch.conf

+++ /dev/null

@@ -1,14 +0,0 @@

-aliases:    files nis                   {exclude if "with-custom-aliases"}

-automount:  files nis                   {exclude if "with-custom-automount"}

-ethers:     files nis                   {exclude if "with-custom-ethers"}

-group:      files nis systemd           {exclude if "with-custom-group"}

-hosts:      files nis dns myhostname    {exclude if "with-custom-hosts"}

-initgroups: files nis                   {exclude if "with-custom-initgroups"}

-netgroup:   files nis                   {exclude if "with-custom-netgroup"}

-networks:   files nis                   {exclude if "with-custom-networks"}

-passwd:     files nis systemd           {exclude if "with-custom-passwd"}

-protocols:  files nis                   {exclude if "with-custom-protocols"}

-publickey:  files nis                   {exclude if "with-custom-publickey"}

-rpc:        files nis                   {exclude if "with-custom-rpc"}

-services:   files nis                   {exclude if "with-custom-services"}

-shadow:     files nis                   {exclude if "with-custom-shadow"}

diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin

deleted file mode 100644

index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000

--- a/profiles/nis/postlogin

+++ /dev/null

@@ -1,4 +0,0 @@

-session     optional                   pam_umask.so silent

-session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet

-session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}

-session     optional                   pam_lastlog.so silent noupdate showfailed

diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in

index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644

--- a/rpm/authselect.spec.in

+++ b/rpm/authselect.spec.in

@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;

 %dir %{_datadir}/authselect/vendor

 %dir %{_datadir}/authselect/default

 %dir %{_datadir}/authselect/default/minimal/

-%dir %{_datadir}/authselect/default/nis/

 %dir %{_datadir}/authselect/default/sssd/

 %dir %{_datadir}/authselect/default/winbind/

 %{_datadir}/authselect/default/minimal/nsswitch.conf

@@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;

 %{_datadir}/authselect/default/minimal/README

 %{_datadir}/authselect/default/minimal/REQUIREMENTS

 %{_datadir}/authselect/default/minimal/system-auth

-%{_datadir}/authselect/default/nis/dconf-db

-%{_datadir}/authselect/default/nis/dconf-locks

-%{_datadir}/authselect/default/nis/fingerprint-auth

-%{_datadir}/authselect/default/nis/nsswitch.conf

-%{_datadir}/authselect/default/nis/password-auth

-%{_datadir}/authselect/default/nis/postlogin

-%{_datadir}/authselect/default/nis/README

-%{_datadir}/authselect/default/nis/REQUIREMENTS

-%{_datadir}/authselect/default/nis/system-auth

 %{_datadir}/authselect/default/sssd/dconf-db

 %{_datadir}/authselect/default/sssd/dconf-locks

 %{_datadir}/authselect/default/sssd/fingerprint-auth

diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in

index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755

--- a/src/compat/authcompat.py.in.in

+++ b/src/compat/authcompat.py.in.in

@@ -240,20 +240,6 @@ class Configuration:

             config.write(keys)

-    class Network(Base):

-        def __init__(self, options):

-            super(Configuration.Network, self).__init__(options)

-

-        def write(self):

-            nisdomain = self.get("nisdomain")

-            config = EnvironmentFile(Path.System('network'))

-

-            if nisdomain is None:

-                return

-

-            config.set("NISDOMAIN", nisdomain)

-            config.write()

-

     class SSSD(Base):

         def __init__(self, options):

             super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")

@@ -375,83 +361,6 @@ class Configuration:

             # other applications may depend on it.

             return

-    class NIS(Base):

-        def __init__(self, options):

-            super(Configuration.NIS, self).__init__(options)

-            self.rpcbind = Service("rpcbind")

-            self.ypbind = Service("ypbind")

-

-        def isEnabled(self):

-            if not self.isset("nis"):

-                return None

-

-            return self.getBool("nis")

-

-        def enableService(self, nostart):

-            if not self.isset("nisdomain"):

-                return

-

-            nisdom = self.get("nisdomain")

-

-            if not nostart:

-                cmd = Command(Path.System('cmd-domainname'), [nisdom])

-                cmd.run()

-

-            cmd = Command(Path.System('cmd-setsebool'),

-                          ['-P', 'allow_ypbind', '1'])

-            cmd.run()

-

-            self.rpcbind.enable()

-            self.ypbind.enable()

-

-            if not nostart:

-                self.rpcbind.start(Restart=False)

-                self.ypbind.start()

-

-        def disableService(self, nostop):

-            if not nostop:

-                cmd = Command(Path.System('cmd-domainname'), ["(none)"])

-                cmd.run()

-

-            cmd = Command(Path.System('cmd-setsebool'),

-                          ['-P', 'allow_ypbind', '0'])

-            cmd.run()

-

-            self.rpcbind.disable()

-            self.ypbind.disable()

-

-            if not nostop:

-                self.rpcbind.stop()

-                self.ypbind.stop()

-

-        def write(self):

-            if not self.isset("nisdomain"):

-                return

-

-            output = "domain " + self.get("nisdomain")

-

-            additional_servers = []

-            if self.isset("nisserver"):

-                servers = self.get("nisserver").split(",")

-                additional_servers = servers[1:]

-                output += " server " + servers[0] + "\n"

-            else:

-                output += " broadcast\n"

-

-            for server in additional_servers:

-                output += "ypserver " + server + "\n"

-

-            filename = Path.System('yp.conf')

-            if self.getBool("test-call"):

-                print("========== BEGIN Content of [%s] ==========" % filename)

-                print(output)

-                print("========== END   Content of [%s] ==========\n" % filename)

-                return

-

-            with open(filename, "w") as f:

-                f.write(output)

-

-

 class AuthCompat:

     def __init__(self):

         self.sysconfig = EnvironmentFile(Path.System('authconfig'))

@@ -533,8 +442,6 @@ class AuthCompat:

         if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or

                 self.options.getBool("sssd") or self.options.getBool("sssdauth")):

             profile = "sssd"

-        elif self.options.getBool("nis"):

-            profile = "nis"

         elif self.options.getBool("winbind"):

             profile = "winbind"

@@ -591,13 +498,11 @@ class AuthCompat:

     def writeConfiguration(self):

         configs = [

             Configuration.LDAP(self.options),

-            Configuration.Network(self.options),

             Configuration.Kerberos(self.options),

             Configuration.SSSD(self.options),

             Configuration.Winbind(self.options),

             Configuration.PWQuality(self.options),

             Configuration.MakeHomedir(self.options),

-            Configuration.NIS(self.options)

         ]

         for config in configs:

diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py

index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644

--- a/src/compat/authcompat_Options.py

+++ b/src/compat/authcompat_Options.py

@@ -79,9 +79,6 @@ class Options:

         # However, they will just make sure that an authentication against

         # expected service is working. They may not result in the exact same

         # configuration as authconfig would generate.

-        Option.Feature("nis",             _("NIS for user information by default")),

-        Option.Valued ("nisdomain",       _("<domain>"), _("default NIS domain")),

-        Option.Valued ("nisserver",       _("<server>"), _("default NIS server")),

         Option.Feature("ldap",            _("LDAP for user information by default")),

         Option.Feature("ldapauth",        _("LDAP for authentication by default")),

         Option.Valued ("ldapserver",      _("<server>"), _("default LDAP server hostname or URI")),

@@ -164,6 +161,11 @@ class Options:

         Option.UnsupportedFeature("locauthorize"),

         Option.UnsupportedFeature("sysnetauth"),

         Option.UnsupportedValued ("faillockargs", _("<options>")),

+

+        # NIS is no longer supported

+        Option.UnsupportedFeature("nis"),

+        Option.UnsupportedValued ("nisdomain", _("<domain>")),

+        Option.UnsupportedValued ("nisserver", _("<server>")),

     ]

     Map = {

diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc

index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644

--- a/src/man/authselect-migration.7.adoc

+++ b/src/man/authselect-migration.7.adoc

@@ -72,7 +72,7 @@ configuration file for required services.

 |--enablesssd --enablesssdauth       |sssd

 |--enablekrb5                        |sssd

 |--enablewinbind --enablewinbindauth |winbind

-|--enablenis                         |nis

+|--enablenis                         |none

 |=========================================================

 .Relation of authconfig options to authselect profile features

-- 

2.20.1