From be3cea05e06cbfcfbd684b46c49fcdc8f8f5b880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 18 Sep 2018 14:28:18 +0200 Subject: [PATCH 14/16] profiles: add options to exclude lines from nsswitch.conf There is a common use case that users want to change lines in nsswitch.conf but do not want to create a whole custom profile. This applies especially to nis profile as it sets all nsswitch databases and thus renders recently added user-nsswitch.conf useless. For distributing company wide configuration, custom profiles should be used though. Resolves: https://github.com/pbrezina/authselect/issues/95 --- profiles/nis/README | 50 ++++++++++++++++++++++++++++++++++ profiles/nis/nsswitch.conf | 28 +++++++++---------- profiles/sssd/README | 26 ++++++++++++++++++ profiles/sssd/nsswitch.conf | 12 ++++---- profiles/winbind/README | 14 ++++++++++ profiles/winbind/nsswitch.conf | 4 +-- 6 files changed, 112 insertions(+), 22 deletions(-) diff --git a/profiles/nis/README b/profiles/nis/README index 34789b1e7643f0df082d40e0e87cb3d0823bba56..3911959c59287d2d5425ef304f744ff4cd5b408d 100644 --- a/profiles/nis/README +++ b/profiles/nis/README 
@@ -41,6 +41,56 @@ with-nispwquality:: without-nullok:: Do not add nullok parameter to pam_unix. +DISABLE SPECIFIC NSSWITCH DATABASES +----------------------------------- + +Normally, nsswitch databases set by the profile overwrites values set in +user-nsswitch.conf. The following options can force authselect to +ignore value set by the profile and use the one set in user-nsswitch.conf +instead. + +with-custom-aliases:: +Ignore "aliases" map set by the profile. + +with-custom-automount:: +Ignore "automount" map set by the profile. + +with-custom-ethers:: +Ignore "ethers" map set by the profile. + +with-custom-group:: +Ignore "group" map set by the profile. + +with-custom-hosts:: +Ignore "hosts" map set by the profile. + +with-custom-initgroups:: +Ignore "initgroups" map set by the profile. + +with-custom-netgroup:: +Ignore "netgroup" map set by the profile. + +with-custom-networks:: +Ignore "networks" map set by the profile. + +with-custom-passwd:: +Ignore "passwd" map set by the profile. + +with-custom-protocols:: +Ignore "protocols" map set by the profile. + +with-custom-publickey:: +Ignore "publickey" map set by the profile. + +with-custom-rpc:: +Ignore "rpc" map set by the profile. + +with-custom-services:: +Ignore "services" map set by the profile. + +with-custom-shadow:: +Ignore "shadow" map set by the profile. + EXAMPLES -------- * Enable NIS with no additional modules diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf index 4397deb1ef347d5cb8798926f553c373f8c15649..f5451657f3d8b988b633304d549a3242257715d3 100644 --- a/profiles/nis/nsswitch.conf +++ b/profiles/nis/nsswitch.conf 
@@ -1,14 +1,14 @@
-aliases: files nis
-automount: files nis
-ethers: files nis
-group: files nis systemd
-hosts: files nis dns myhostname
-initgroups: files nis
-netgroup: files nis
-networks: files nis
-passwd: files nis systemd
-protocols: files nis
-publickey: files nis
-rpc: files nis
-services: files nis
-shadow: files nis
+aliases: files nis {exclude if "with-custom-aliases"}
+automount: files nis {exclude if "with-custom-automount"}
+ethers: files nis {exclude if "with-custom-ethers"}
+group: files nis systemd {exclude if "with-custom-group"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+initgroups: files nis {exclude if "with-custom-initgroups"}
+netgroup: files nis {exclude if "with-custom-netgroup"}
+networks: files nis {exclude if "with-custom-networks"}
+passwd: files nis systemd {exclude if "with-custom-passwd"}
+protocols: files nis {exclude if "with-custom-protocols"}
+publickey: files nis {exclude if "with-custom-publickey"}
+rpc: files nis {exclude if "with-custom-rpc"}
+services: files nis {exclude if "with-custom-services"}
+shadow: files nis {exclude if "with-custom-shadow"}
\ No newline at end of file
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2fbf66323f4893391474de49f323c06123a2ebf..42293ab39c628c285921b8b47c4a763fd0215472 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
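Review bot: With a `with-custom-*` feature enabled, every line in profiles/nis/nsswitch.conf can drop out of the generated file, including `passwd`, `shadow`, `group`, `initgroups` and `hosts`, and nothing visible in this patch requires user-nsswitch.conf to supply the replacement. If a database ends up with no entry at all, glibc resolves it from its compiled-in default rather than from anything an administrator chose, which for identity databases is worth failing on or at least warning about; whether authselect already checks this is not visible here. The same applies to the sssd and winbind nsswitch.conf hunks. A short header comment would help, for example `# with-custom-<db> drops the line below; user-nsswitch.conf must then define <db>`, assuming the template passes comments through. Separately, the new side ends with `\ No newline at end of file`, so the trailing newline after the `shadow:` line was lost and should be restored.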
@@ -59,6 +59,32 @@ with-pamaccess:: without-nullok:: Do not add nullok parameter to pam_unix. +DISABLE SPECIFIC NSSWITCH DATABASES +----------------------------------- + +Normally, nsswitch databases set by the profile overwrites values set in +user-nsswitch.conf. The following options can force authselect to +ignore value set by the profile and use the one set in user-nsswitch.conf +instead. + +with-custom-passwd:: +Ignore "passwd" database set by the profile. + +with-custom-group:: +Ignore "group" database set by the profile. + +with-custom-netgroup:: +Ignore "netgroup" database set by the profile. + +with-custom-automount:: +Ignore "automount" database set by the profile. + +with-custom-services:: +Ignore "services" database set by the profile. + +with-custom-sudoers:: +Ignore "sudoers" database set by the profile. + EXAMPLES -------- diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf index 5d05102ee8836f5bbce5f0527b87b1559fbe664e..9734bbbe68e7cf73a4a560e3573162d353e551e8 100644 --- a/profiles/sssd/nsswitch.conf +++ b/profiles/sssd/nsswitch.conf @@ -1,6 +1,6 @@ -passwd: sss files systemd -group: sss files systemd -netgroup: sss files -automount: sss files -services: sss files -sudoers: files sss {include if "with-sudo"} +passwd: sss files systemd {exclude if "with-custom-passwd"} +group: sss files systemd {exclude if "with-custom-group"} +netgroup: sss files {exclude if "with-custom-netgroup"} +automount: sss files {exclude if "with-custom-automount"} +services: sss files {exclude if "with-custom-services"} +sudoers: files sss {include if "with-sudo"} diff --git a/profiles/winbind/README b/profiles/winbind/README index a824c7e78954bafffa6500e45a6e826835fd2b58..cd1606800d77eeb93be918f17fe47c2586b2519d 100644 --- a/profiles/winbind/README +++ b/profiles/winbind/README 
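Review bot: The `sudoers` line in profiles/sssd/nsswitch.conf keeps only `{include if "with-sudo"}`, so the `with-custom-sudoers` option that this patch documents in profiles/sssd/README has no effect in this template: with `with-sudo` enabled, the profile's `files sss` still applies. Either drop the option from the README or make the line honour it; how to combine it with the existing `include if` condition depends on template syntax not shown in this patch. An administrator who sets `with-custom-sudoers` expecting sudo rules to come only from the source named in user-nsswitch.conf would not get that.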
@@ -51,6 +51,20 @@ with-pamaccess:: without-nullok:: Do not add nullok parameter to pam_unix. +DISABLE SPECIFIC NSSWITCH DATABASES +----------------------------------- + +Normally, nsswitch databases set by the profile overwrites values set in +user-nsswitch.conf. The following options can force authselect to +ignore value set by the profile and use the one set in user-nsswitch.conf +instead. + +with-custom-passwd:: +Ignore "passwd" database set by the profile. + +with-custom-group:: +Ignore "group" database set by the profile. + EXAMPLES -------- * Enable winbind with no additional modules diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf index 3018a7526ece30236969ce69dce729998c9a57de..8a23bd71935eb26c5093e4b2080b1d91b6de5582 100644 --- a/profiles/winbind/nsswitch.conf +++ b/profiles/winbind/nsswitch.conf @@ -1,2 +1,2 @@ -passwd: files winbind systemd -group: files winbind systemd +passwd: files winbind systemd {exclude if "with-custom-passwd"} +group: files winbind systemd {exclude if "with-custom-group"} -- 2.17.1