From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups

The passwd and group databases will now default to files first. The order "sss files" can be enabled with "with-files-provider" feature.
---
 profiles/sssd/README | 5 +++++
 profiles/sssd/REQUIREMENTS | 4 ++++
 profiles/sssd/nsswitch.conf | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
 with-pamaccess::
 Check access.conf during account authorization.
 
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
 with-files-access-provider::
 If set, account management for local users is handled also by pam_sss.
 This is needed if there is an explicitly configured domain with id_provider=files
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
 - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
 is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
 - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
\ No newline at end of file
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: sss files systemd {exclude if "with-custom-passwd"}
-group: sss files systemd {exclude if "with-custom-group"}
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
 netgroup: sss files {exclude if "with-custom-netgroup"}
 automount: sss files {exclude if "with-custom-automount"}
 services: sss files {exclude if "with-custom-services"}
--
2.29.2
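Review bot: The new `files sss` default for passwd and group changes which entry wins when the same user or group name exists in both /etc/passwd (or /etc/group) and SSSD: glibc returns the first successful match and does not merge results, so a local account now shadows a same-named domain account, and the UID and group membership in effect can silently change on hosts that relied on the previous `sss files` order. The README entry for with-files-domain describes only the ordering; it should state this consequence, e.g. `Note: with the default "files sss" order a local entry in /etc/passwd or /etc/group takes precedence over a same-named SSSD entry.` The commit message says the `sss files` order is enabled with "with-files-provider", while the README, REQUIREMENTS and the template condition all use "with-files-domain"; the message should name the feature the template actually checks so operators enable the right one. netgroup, automount and services keep `sss files`; if that asymmetry is intentional, one sentence in the README saying so would stop readers from expecting a uniform change.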