|
From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||
|
Date: Thu, 18 Feb 2021 13:38:53 +0100
|
||
|
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
|
||
|
|
||
|
The passwd and group databases will now default to files first.
|
||
|
The order "sss files" can be enabled with "with-files-provider"
|
||
|
feature.
|
||
|
---
|
||
|
profiles/sssd/README | 5 +++++
|
||
|
profiles/sssd/REQUIREMENTS | 4 ++++
|
||
|
profiles/sssd/nsswitch.conf | 4 ++--
|
||
|
3 files changed, 11 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
||
|
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
|
||
|
--- a/profiles/sssd/README
|
||
|
+++ b/profiles/sssd/README
|
||
|
@@ -76,6 +76,11 @@ with-sudo::
|
||
|
with-pamaccess::
|
||
|
Check access.conf during account authorization.
|
||
|
|
||
|
+with-files-domain::
|
||
|
+ If set, SSSD will be contacted before "files" when resolving users and
|
||
|
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
|
||
|
+ "files sss" for passwd and group maps.
|
||
|
+
|
||
|
with-files-access-provider::
|
||
|
If set, account management for local users is handled also by pam_sss. This
|
||
|
is needed if there is an explicitly configured domain with id_provider=files
|
||
|
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
|
||
|
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
|
||
|
--- a/profiles/sssd/REQUIREMENTS
|
||
|
+++ b/profiles/sssd/REQUIREMENTS
|
||
|
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
|
||
|
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
|
||
|
is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
|
||
|
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
|
||
|
+ {include if "with-files-domain"}
|
||
|
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
|
||
|
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
|
||
|
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
|
||
|
\ No newline at end of file
|
||
|
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
|
||
|
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
|
||
|
--- a/profiles/sssd/nsswitch.conf
|
||
|
+++ b/profiles/sssd/nsswitch.conf
|
||
|
@@ -1,5 +1,5 @@
|
||
|
-passwd: sss files systemd {exclude if "with-custom-passwd"}
|
||
|
-group: sss files systemd {exclude if "with-custom-group"}
|
||
|
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
|
||
|
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
|
||
|
netgroup: sss files {exclude if "with-custom-netgroup"}
|
||
|
automount: sss files {exclude if "with-custom-automount"}
|
||
|
services: sss files {exclude if "with-custom-services"}
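Review bot: When `with-files-domain` is selected, the new `passwd:` and `group:` lines place `sss` ahead of `files`, so a user or group name that exists in both sources is answered by SSSD before /etc/passwd or /etc/group is read. Nothing in the profile checks that the files provider is actually enabled; the REQUIREMENTS hunk only asks the administrator to do it. The README entry for the feature should spell out that consequence, for example `Local accounts are then resolved through SSSD first; select this only when the SSSD files provider is configured.` The commit message also calls the feature "with-files-provider" while the hunks implement `with-files-domain`, which is easy to confuse with the existing `with-files-access-provider`; the message should use the implemented name.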
|
||
|
--
|
||
|
2.29.2
|
||
|
|