From be3cea05e06cbfcfbd684b46c49fcdc8f8f5b880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:28:18 +0200
Subject: [PATCH 14/16] profiles: add options to exclude lines from
 nsswitch.conf

A common use case is that users want to change lines in nsswitch.conf
but do not want to create a whole custom profile. This applies especially
to the nis profile, as it sets all nsswitch databases and thus renders the
recently added user-nsswitch.conf useless.

For distributing company wide configuration, custom profiles should be used though.

Resolves:
https://github.com/pbrezina/authselect/issues/95
---
 profiles/nis/README            | 50 ++++++++++++++++++++++++++++++++++
 profiles/nis/nsswitch.conf     | 28 +++++++++----------
 profiles/sssd/README           | 26 ++++++++++++++++++
 profiles/sssd/nsswitch.conf    | 12 ++++----
 profiles/winbind/README        | 14 ++++++++++
 profiles/winbind/nsswitch.conf |  4 +--
 6 files changed, 112 insertions(+), 22 deletions(-)

diff --git a/profiles/nis/README b/profiles/nis/README
index 34789b1e7643f0df082d40e0e87cb3d0823bba56..3911959c59287d2d5425ef304f744ff4cd5b408d 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -41,6 +41,56 @@ with-nispwquality::
 without-nullok::
     Do not add nullok parameter to pam_unix.
 
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
 EXAMPLES
 --------
 * Enable NIS with no additional modules
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 4397deb1ef347d5cb8798926f553c373f8c15649..f5451657f3d8b988b633304d549a3242257715d3 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,14 +1,14 @@
-aliases:    files nis
-automount:  files nis
-ethers:     files nis
-group:      files nis systemd
-hosts:      files nis dns myhostname
-initgroups: files nis
-netgroup:   files nis
-networks:   files nis
-passwd:     files nis systemd
-protocols:  files nis
-publickey:  files nis
-rpc:        files nis
-services:   files nis
-shadow:     files nis
+aliases:    files nis                   {exclude if "with-custom-aliases"}
+automount:  files nis                   {exclude if "with-custom-automount"}
+ethers:     files nis                   {exclude if "with-custom-ethers"}
+group:      files nis systemd           {exclude if "with-custom-group"}
+hosts:      files nis dns myhostname    {exclude if "with-custom-hosts"}
+initgroups: files nis                   {exclude if "with-custom-initgroups"}
+netgroup:   files nis                   {exclude if "with-custom-netgroup"}
+networks:   files nis                   {exclude if "with-custom-networks"}
+passwd:     files nis systemd           {exclude if "with-custom-passwd"}
+protocols:  files nis                   {exclude if "with-custom-protocols"}
+publickey:  files nis                   {exclude if "with-custom-publickey"}
+rpc:        files nis                   {exclude if "with-custom-rpc"}
+services:   files nis                   {exclude if "with-custom-services"}
+shadow:     files nis                   {exclude if "with-custom-shadow"}
\ No newline at end of file
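Review bot: The new side of this hunk ends with `\ No newline at end of file`, while the removed `shadow:` line carried no such marker, so the commit drops the terminating newline from profiles/nis/nsswitch.conf; the final `shadow:` line should end with a newline again. If the generator appends user-nsswitch.conf content or any other text after this template, an unterminated last line could fuse two entries, though the merge code is not visible here. Separately, excluding `passwd`, `shadow`, `group` or `initgroups` hands the identity lookup order to user-nsswitch.conf, and the README text does not say what the generated file contains when user-nsswitch.conf has no entry for the excluded database; that behaviour should be confirmed against the generator and stated in one sentence under "DISABLE SPECIFIC NSSWITCH DATABASES". The same documentation gap applies to the sssd and winbind nsswitch.conf hunks.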
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2fbf66323f4893391474de49f323c06123a2ebf..42293ab39c628c285921b8b47c4a763fd0215472 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -59,6 +59,32 @@ with-pamaccess::
 without-nullok::
     Do not add nullok parameter to pam_unix.
 
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+with-custom-sudoers::
+Ignore "sudoers" database set by the profile.
+
 EXAMPLES
 --------
 
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 5d05102ee8836f5bbce5f0527b87b1559fbe664e..9734bbbe68e7cf73a4a560e3573162d353e551e8 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,6 +1,6 @@
-passwd:     sss files systemd
-group:      sss files systemd
-netgroup:   sss files
-automount:  sss files
-services:   sss files
-sudoers:    files sss {include if "with-sudo"}
+passwd:     sss files systemd   {exclude if "with-custom-passwd"}
+group:      sss files systemd   {exclude if "with-custom-group"}
+netgroup:   sss files           {exclude if "with-custom-netgroup"}
+automount:  sss files           {exclude if "with-custom-automount"}
+services:   sss files           {exclude if "with-custom-services"}
+sudoers:    files sss           {include if "with-sudo"}
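Review bot: The `sudoers` line keeps only `{include if "with-sudo"}` and gets no `with-custom-sudoers` condition, yet the sssd README hunk in this same patch documents `with-custom-sudoers` as ignoring the profile's "sudoers" database. As written the option appears to have no effect, so an administrator who sets it expecting their own sudoers source order would still get `files sss` from the profile whenever `with-sudo` is enabled. Either drop `with-custom-sudoers` from the README or make this line depend on both features, if the template syntax accepts a second condition; this hunk does not show whether it does.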
diff --git a/profiles/winbind/README b/profiles/winbind/README
index a824c7e78954bafffa6500e45a6e826835fd2b58..cd1606800d77eeb93be918f17fe47c2586b2519d 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -51,6 +51,20 @@ with-pamaccess::
 without-nullok::
     Do not add nullok parameter to pam_unix.
 
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
 EXAMPLES
 --------
 * Enable winbind with no additional modules
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 3018a7526ece30236969ce69dce729998c9a57de..8a23bd71935eb26c5093e4b2080b1d91b6de5582 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,2 +1,2 @@
-passwd:     files winbind systemd
-group:      files winbind systemd
+passwd:     files winbind systemd    {exclude if "with-custom-passwd"}
+group:      files winbind systemd    {exclude if "with-custom-group"}
-- 
2.17.1