Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)

It can be now enabled with 'authselect select sssd with-sudo', see [1] for details. [1] 4b1981a672
2018-05-14 10:40:55 +02:00 · 2018-05-14 10:40:55 +02:00 · 8917ef788c
commit 8917ef788c
parent f986dbf31b
2 changed files with 49 additions and 1 deletions
--- a/0002-sssd-disable-sudo-by-default.patch
+++ b/0002-sssd-disable-sudo-by-default.patch
@ -0,0 +1,43 @@
+From 4b1981a67216f56e67cff3887fe38ee8063ee0b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 9 May 2018 14:27:56 +0200
+Subject: [PATCH] sssd: disable sudo by default
+
+SSSD's sudo responder is not enabled by default on Fedora systems,
+therefore having it enabled in nsswitch.conf produced warnings in
+logs or sudo mails.
+---
+ profiles/sssd/README        | 3 +++
+ profiles/sssd/nsswitch.conf | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index d2e104f80ce1c1993c683f5c5331f09e8afa1ee9..a7e6e640eefa1268586169b7349e8ed6d062066f 100644
+--- a/profiles/sssd/README
+++ b/profiles/sssd/README
+@@ -50,6 +50,9 @@ with-fingerprint::
+ with-silent-lastlog::
+     Do not produce pam_lastlog message during login.
+ 
+with-sudo::
+    Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
+ EXAMPLES
+ --------
+ 
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index fa5d76a9594dca9b9e192af7774600451557e5c5..cde7964a8531ae2b5e28ed6bf5428731b80b6ece 100644
+--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
+@@ -3,7 +3,7 @@ group:      sss files
+ netgroup:   sss files
+ automount:  sss files
+ services:   sss files
+-sudoers:    files sss
+sudoers:    files {if "with-sudo":sss}
+ 
+ shadow:     files
+ ethers:     files
+-- 
+2.14.3
+
--- a/authselect.spec
+++ b/authselect.spec
@ -1,6 +1,6 @@
 Name:           authselect
 Version:        0.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Configures authentication and identity sources from supported profiles
 URL:            https://github.com/pbrezina/authselect

@ -8,6 +8,7 @@ License:        GPLv3+
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz

 Patch1:         0001-Don-t-disable-oddjobd.service.patch
+Patch2:         0002-sssd-disable-sudo-by-default.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -74,6 +75,7 @@ you develop a front-end for the authselect library.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1


 %build
@ -175,6 +177,9 @@ fi
 exit 0

 %changelog
+* Wed May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
+- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
+
 * Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
 - Don't disable oddjobd.service (RHBZ #1571844)