From be3cea05e06cbfcfbd684b46c49fcdc8f8f5b880 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:28:18 +0200
Subject: [PATCH 14/16] profiles: add options to exclude lines from
nsswitch.conf
There is a common use case that users want to change lines in nsswitch.conf
but do not want to create a whole custom profile. This applies especially
to nis profile as it sets all nsswitch databases and thus renders recently
added user-nsswitch.conf useless.
For distributing company-wide configuration, custom profiles should be used though.
Resolves:
https://github.com/pbrezina/authselect/issues/95
---
profiles/nis/README | 50 ++++++++++++++++++++++++++++++++++
profiles/nis/nsswitch.conf | 28 +++++++++----------
profiles/sssd/README | 26 ++++++++++++++++++
profiles/sssd/nsswitch.conf | 12 ++++----
profiles/winbind/README | 14 ++++++++++
profiles/winbind/nsswitch.conf | 4 +--
6 files changed, 112 insertions(+), 22 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 34789b1e7643f0df082d40e0e87cb3d0823bba56..3911959c59287d2d5425ef304f744ff4cd5b408d 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -41,6 +41,56 @@ with-nispwquality::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
EXAMPLES
--------
* Enable NIS with no additional modules
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 4397deb1ef347d5cb8798926f553c373f8c15649..f5451657f3d8b988b633304d549a3242257715d3 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,14 +1,14 @@
-aliases: files nis
-automount: files nis
-ethers: files nis
-group: files nis systemd
-hosts: files nis dns myhostname
-initgroups: files nis
-netgroup: files nis
-networks: files nis
-passwd: files nis systemd
-protocols: files nis
-publickey: files nis
-rpc: files nis
-services: files nis
-shadow: files nis
+aliases: files nis {exclude if "with-custom-aliases"}
+automount: files nis {exclude if "with-custom-automount"}
+ethers: files nis {exclude if "with-custom-ethers"}
+group: files nis systemd {exclude if "with-custom-group"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+initgroups: files nis {exclude if "with-custom-initgroups"}
+netgroup: files nis {exclude if "with-custom-netgroup"}
+networks: files nis {exclude if "with-custom-networks"}
+passwd: files nis systemd {exclude if "with-custom-passwd"}
+protocols: files nis {exclude if "with-custom-protocols"}
+publickey: files nis {exclude if "with-custom-publickey"}
+rpc: files nis {exclude if "with-custom-rpc"}
+services: files nis {exclude if "with-custom-services"}
+shadow: files nis {exclude if "with-custom-shadow"}
\ No newline at end of file
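Review bot: Each `{exclude if "with-custom-…"}` on these lines drops the profile's entry outright, and nothing in this patch shows that user-nsswitch.conf must supply a replacement, so enabling e.g. `with-custom-passwd` or `with-custom-shadow` without a matching user line would presumably leave that database out of the generated nsswitch.conf and hand the lookup order to the libc built-in default. The merge logic is outside this patch, so this should be confirmed; if it holds, the README section should say so, for example `If an option is enabled and user-nsswitch.conf has no line for that database, the database is left unconfigured.` The same applies to the passwd and group lines in the sssd and winbind nsswitch.conf hunks. For the identity databases (passwd, group, shadow, initgroups, hosts) the README could also state that user-nsswitch.conf then decides which sources are consulted, so its ownership and mode matter.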
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2fbf66323f4893391474de49f323c06123a2ebf..42293ab39c628c285921b8b47c4a763fd0215472 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -59,6 +59,32 @@ with-pamaccess::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+with-custom-sudoers::
+Ignore "sudoers" database set by the profile.
+
EXAMPLES
--------
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 5d05102ee8836f5bbce5f0527b87b1559fbe664e..9734bbbe68e7cf73a4a560e3573162d353e551e8 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,6 +1,6 @@
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss {include if "with-sudo"}
+passwd: sss files systemd {exclude if "with-custom-passwd"}
+group: sss files systemd {exclude if "with-custom-group"}
+netgroup: sss files {exclude if "with-custom-netgroup"}
+automount: sss files {exclude if "with-custom-automount"}
+services: sss files {exclude if "with-custom-services"}
+sudoers: files sss {include if "with-sudo"}
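Review bot: The `sudoers` line is the only one in this hunk left without an exclude condition, yet the sssd README hunk in this patch documents `with-custom-sudoers` as ignoring the profile's "sudoers" database. With `with-sudo` enabled the profile would still emit `sudoers: files sss` whether or not `with-custom-sudoers` is set, so an administrator who expects sudo rules to be resolved only through their own user-nsswitch.conf entry keeps the SSSD source as well. Either remove `with-custom-sudoers` from the README or make this line honor it; whether the template syntax accepts a second condition on a line that already carries `{include if "with-sudo"}` is not visible from here.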
diff --git a/profiles/winbind/README b/profiles/winbind/README
index a824c7e78954bafffa6500e45a6e826835fd2b58..cd1606800d77eeb93be918f17fe47c2586b2519d 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -51,6 +51,20 @@ with-pamaccess::
without-nullok::
Do not add nullok parameter to pam_unix.
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
EXAMPLES
--------
* Enable winbind with no additional modules
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 3018a7526ece30236969ce69dce729998c9a57de..8a23bd71935eb26c5093e4b2080b1d91b6de5582 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,2 +1,2 @@
-passwd: files winbind systemd
-group: files winbind systemd
+passwd: files winbind systemd {exclude if "with-custom-passwd"}
+group: files winbind systemd {exclude if "with-custom-group"}
--
2.17.1