From c25c89f98a131a4a3a44a7b8c16c448137a54419 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Wed, 9 Jun 2021 12:35:37 +0200
Subject: [PATCH] rhel9: remove nis support
NIS is no longer supported in RHEL9.
---
 profiles/Makefile.am | 13 ----
 profiles/nis/README | 111 ----------------------------
 profiles/nis/REQUIREMENTS | 13 ----
 profiles/nis/dconf-db | 3 -
 profiles/nis/dconf-locks | 2 -
 profiles/nis/fingerprint-auth | 19 -----
 profiles/nis/nsswitch.conf | 14 ----
 profiles/nis/password-auth | 23 ------
 profiles/nis/postlogin | 4 -
 profiles/nis/system-auth | 24 ------
 rpm/authselect.spec.in | 10 ---
 src/compat/authcompat.py.in.in | 95 ------------------------
 src/compat/authcompat_Options.py | 8 +-
 src/man/authselect-migration.7.adoc | 2 +-
 14 files changed, 6 insertions(+), 335 deletions(-)
 delete mode 100644 profiles/nis/README
 delete mode 100644 profiles/nis/REQUIREMENTS
 delete mode 100644 profiles/nis/dconf-db
 delete mode 100644 profiles/nis/dconf-locks
 delete mode 100644 profiles/nis/fingerprint-auth
 delete mode 100644 profiles/nis/nsswitch.conf
 delete mode 100644 profiles/nis/password-auth
 delete mode 100644 profiles/nis/postlogin
 delete mode 100644 profiles/nis/system-auth
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index 5dfab8047fc956babe47180601a0336c0a55d15f..c7d1b7c50748790c954e233926f233d82c8028c0 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -11,19 +11,6 @@ dist_profile_minimal_DATA = \ $(top_srcdir)/profiles/minimal/system-auth \ $(NULL) -profile_nisdir = $(authselect_profile_dir)/nis -dist_profile_nis_DATA = \ - $(top_srcdir)/profiles/nis/nsswitch.conf \ - $(top_srcdir)/profiles/nis/password-auth \ - $(top_srcdir)/profiles/nis/postlogin \ - $(top_srcdir)/profiles/nis/README \ - $(top_srcdir)/profiles/nis/REQUIREMENTS \ - $(top_srcdir)/profiles/nis/system-auth \ - $(top_srcdir)/profiles/nis/fingerprint-auth \ - $(top_srcdir)/profiles/nis/dconf-db \ - $(top_srcdir)/profiles/nis/dconf-locks \ - $(NULL) - profile_sssddir = $(authselect_profile_dir)/sssd dist_profile_sssd_DATA = \ $(top_srcdir)/profiles/sssd/nsswitch.conf \ diff --git a/profiles/nis/README b/profiles/nis/README deleted file mode 100644 index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000 --- a/profiles/nis/README +++ /dev/null 
@@ -1,111 +0,0 @@ -Enable NIS for system authentication -==================================== - -Selecting this profile will enable Network Information Services as the source -of identity and authentication providers. - -NIS CONFIGURATION ------------------ - -Authselect does not touch NIS configuration. Please, read NIS' documentation -to see how to configure it manually. - -AVAILABLE OPTIONAL FEATURES ---------------------------- - -with-faillock:: - Enable account locking in case of too many consecutive - authentication failures. - -with-mkhomedir:: - Enable automatic creation of home directories for users on their - first login. - -with-fingerprint:: - Enable authentication with fingerprint reader through *pam_fprintd*. - -with-pam-u2f:: - Enable authentication via u2f dongle through *pam_u2f*. - -with-pam-u2f-2fa:: - Enable 2nd factor authentication via u2f dongle through *pam_u2f*. - -without-pam-u2f-nouserok:: - Module argument nouserok is omitted if also with-pam-u2f-2fa is used. - *WARNING*: Omitting nouserok argument means that users without pam-u2f - authentication configured will not be able to log in *INCLUDING* root. - Make sure you are able to log in before losing root privileges. - -with-silent-lastlog:: - Do not produce pam_lastlog message during login. - -with-pamaccess:: - Check access.conf during account authorization. - -with-nispwquality:: - If this option is set pam_pwquality module will check password quality - for NIS users as well as local users during password change. Without this - option only local users passwords are checked. - -without-nullok:: - Do not add nullok parameter to pam_unix. - -DISABLE SPECIFIC NSSWITCH DATABASES ------------------------------------ - -Normally, nsswitch databases set by the profile overwrites values set in -user-nsswitch.conf. The following options can force authselect to -ignore value set by the profile and use the one set in user-nsswitch.conf -instead. 
- -with-custom-aliases:: -Ignore "aliases" map set by the profile. - -with-custom-automount:: -Ignore "automount" map set by the profile. - -with-custom-ethers:: -Ignore "ethers" map set by the profile. - -with-custom-group:: -Ignore "group" map set by the profile. - -with-custom-hosts:: -Ignore "hosts" map set by the profile. - -with-custom-initgroups:: -Ignore "initgroups" map set by the profile. - -with-custom-netgroup:: -Ignore "netgroup" map set by the profile. - -with-custom-networks:: -Ignore "networks" map set by the profile. - -with-custom-passwd:: -Ignore "passwd" map set by the profile. - -with-custom-protocols:: -Ignore "protocols" map set by the profile. - -with-custom-publickey:: -Ignore "publickey" map set by the profile. - -with-custom-rpc:: -Ignore "rpc" map set by the profile. - -with-custom-services:: -Ignore "services" map set by the profile. - -with-custom-shadow:: -Ignore "shadow" map set by the profile. - -EXAMPLES --------- -* Enable NIS with no additional modules - - authselect select nis - -* Enable NIS and create home directories for users on their first login - - authselect select nis with-mkhomedir diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS deleted file mode 100644 index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000 --- a/profiles/nis/REQUIREMENTS +++ /dev/null 
@@ -1,13 +0,0 @@ -Make sure that NIS service is configured and enabled. See NIS documentation for more information. - {include if "with-fingerprint"} -- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} - {include if "with-pam-u2f"} -- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} - - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} - {include if "with-pam-u2f-2fa"} -- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} - - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} - {include if "with-mkhomedir"} -- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} - is present and oddjobd service is enabled and active {include if "with-mkhomedir"} - - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db deleted file mode 100644 index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000 --- a/profiles/nis/dconf-db +++ /dev/null @@ -1,3 +0,0 @@ -[org/gnome/login-screen] -enable-smartcard-authentication=false -enable-fingerprint-authentication={if "with-fingerprint":true|false} diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks deleted file mode 100644 index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000 --- a/profiles/nis/dconf-locks +++ /dev/null @@ -1,2 +0,0 @@ -/org/gnome/login-screen/enable-smartcard-authentication -/org/gnome/login-screen/enable-fingerprint-authentication diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth deleted file mode 100644 index eebec6d0d6edeae6a3eb224f0ff284016b0fc642..0000000000000000000000000000000000000000 --- a/profiles/nis/fingerprint-auth +++ /dev/null 
@@ -1,19 +0,0 @@ -{continue if "with-fingerprint"} -auth required pam_env.so -auth required pam_faillock.so preauth silent {include if "with-faillock"} -auth sufficient pam_fprintd.so -auth required pam_faillock.so authfail {include if "with-faillock"} -auth required pam_deny.so - -account required pam_access.so {include if "with-pamaccess"} -account required pam_faillock.so {include if "with-faillock"} -account required pam_unix.so broken_shadow - -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf deleted file mode 100644 index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000 --- a/profiles/nis/nsswitch.conf +++ /dev/null @@ -1,14 +0,0 @@ -aliases: files nis {exclude if "with-custom-aliases"} -automount: files nis {exclude if "with-custom-automount"} -ethers: files nis {exclude if "with-custom-ethers"} -group: files nis systemd {exclude if "with-custom-group"} -hosts: files nis dns myhostname {exclude if "with-custom-hosts"} -initgroups: files nis {exclude if "with-custom-initgroups"} -netgroup: files nis {exclude if "with-custom-netgroup"} -networks: files nis {exclude if "with-custom-networks"} -passwd: files nis systemd {exclude if "with-custom-passwd"} -protocols: files nis {exclude if "with-custom-protocols"} -publickey: files nis {exclude if "with-custom-publickey"} -rpc: files nis {exclude if "with-custom-rpc"} -services: files nis {exclude if "with-custom-services"} -shadow: files nis {exclude if "with-custom-shadow"} 
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth deleted file mode 100644 index 9a8ae9cde644a4ac981f4b9553af2f0f428bfebb..0000000000000000000000000000000000000000 --- a/profiles/nis/password-auth +++ /dev/null @@ -1,23 +0,0 @@ -auth required pam_env.so -auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent {include if "with-faillock"} -auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} -auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} -auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass -auth required pam_faillock.so authfail {include if "with-faillock"} -auth required pam_deny.so - -account required pam_access.so {include if "with-pamaccess"} -account required pam_faillock.so {include if "with-faillock"} -account required pam_unix.so broken_shadow - -password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} -password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin deleted file mode 100644 index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000 --- a/profiles/nis/postlogin +++ /dev/null @@ -1,4 +0,0 @@ -session optional pam_umask.so silent -session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet -session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -session optional pam_lastlog.so silent noupdate showfailed 
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth deleted file mode 100644 index 2e7462983d35e4a2f5cef8151ed53baaf7e5c790..0000000000000000000000000000000000000000 --- a/profiles/nis/system-auth +++ /dev/null @@ -1,24 +0,0 @@ -auth required pam_env.so -auth required pam_faildelay.so delay=2000000 -auth required pam_faillock.so preauth silent {include if "with-faillock"} -auth sufficient pam_fprintd.so {include if "with-fingerprint"} -auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} -auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} -auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass -auth required pam_faillock.so authfail {include if "with-faillock"} -auth required pam_deny.so - -account required pam_access.so {include if "with-pamaccess"} -account required pam_faillock.so {include if "with-faillock"} -account required pam_unix.so broken_shadow - -password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} -password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644 --- a/rpm/authselect.spec.in +++ b/rpm/authselect.spec.in 
@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %dir %{_datadir}/authselect/vendor %dir %{_datadir}/authselect/default %dir %{_datadir}/authselect/default/minimal/ -%dir %{_datadir}/authselect/default/nis/ %dir %{_datadir}/authselect/default/sssd/ %dir %{_datadir}/authselect/default/winbind/ %{_datadir}/authselect/default/minimal/nsswitch.conf @@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %{_datadir}/authselect/default/minimal/README %{_datadir}/authselect/default/minimal/REQUIREMENTS %{_datadir}/authselect/default/minimal/system-auth -%{_datadir}/authselect/default/nis/dconf-db -%{_datadir}/authselect/default/nis/dconf-locks -%{_datadir}/authselect/default/nis/fingerprint-auth -%{_datadir}/authselect/default/nis/nsswitch.conf -%{_datadir}/authselect/default/nis/password-auth -%{_datadir}/authselect/default/nis/postlogin -%{_datadir}/authselect/default/nis/README -%{_datadir}/authselect/default/nis/REQUIREMENTS -%{_datadir}/authselect/default/nis/system-auth %{_datadir}/authselect/default/sssd/dconf-db %{_datadir}/authselect/default/sssd/dconf-locks %{_datadir}/authselect/default/sssd/fingerprint-auth diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755 --- a/src/compat/authcompat.py.in.in +++ b/src/compat/authcompat.py.in.in @@ -240,20 +240,6 @@ class Configuration: config.write(keys) - class Network(Base): - def __init__(self, options): - super(Configuration.Network, self).__init__(options) - - def write(self): - nisdomain = self.get("nisdomain") - config = EnvironmentFile(Path.System('network')) - - if nisdomain is None: - return - - config.set("NISDOMAIN", nisdomain) - config.write() - class SSSD(Base): def __init__(self, options): super(Configuration.SSSD, self).__init__(options, ServiceName="sssd") 
@@ -375,83 +361,6 @@ class Configuration: # other applications may depend on it. return - class NIS(Base): - def __init__(self, options): - super(Configuration.NIS, self).__init__(options) - self.rpcbind = Service("rpcbind") - self.ypbind = Service("ypbind") - - def isEnabled(self): - if not self.isset("nis"): - return None - - return self.getBool("nis") - - def enableService(self, nostart): - if not self.isset("nisdomain"): - return - - nisdom = self.get("nisdomain") - - if not nostart: - cmd = Command(Path.System('cmd-domainname'), [nisdom]) - cmd.run() - - cmd = Command(Path.System('cmd-setsebool'), - ['-P', 'allow_ypbind', '1']) - cmd.run() - - self.rpcbind.enable() - self.ypbind.enable() - - if not nostart: - self.rpcbind.start(Restart=False) - self.ypbind.start() - - def disableService(self, nostop): - if not nostop: - cmd = Command(Path.System('cmd-domainname'), ["(none)"]) - cmd.run() - - cmd = Command(Path.System('cmd-setsebool'), - ['-P', 'allow_ypbind', '0']) - cmd.run() - - self.rpcbind.disable() - self.ypbind.disable() - - if not nostop: - self.rpcbind.stop() - self.ypbind.stop() - - def write(self): - if not self.isset("nisdomain"): - return - - output = "domain " + self.get("nisdomain") - - additional_servers = [] - if self.isset("nisserver"): - servers = self.get("nisserver").split(",") - additional_servers = servers[1:] - output += " server " + servers[0] + "\n" - else: - output += " broadcast\n" - - for server in additional_servers: - output += "ypserver " + server + "\n" - - filename = Path.System('yp.conf') - if self.getBool("test-call"): - print("========== BEGIN Content of [%s] ==========" % filename) - print(output) - print("========== END Content of [%s] ==========\n" % filename) - return - - with open(filename, "w") as f: - f.write(output) - - class AuthCompat: def __init__(self): self.sysconfig = EnvironmentFile(Path.System('authconfig')) 
@@ -533,8 +442,6 @@ class AuthCompat: if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or self.options.getBool("sssd") or self.options.getBool("sssdauth")): profile = "sssd" - elif self.options.getBool("nis"): - profile = "nis" elif self.options.getBool("winbind"): profile = "winbind" @@ -591,13 +498,11 @@ class AuthCompat: def writeConfiguration(self): configs = [ Configuration.LDAP(self.options), - Configuration.Network(self.options), Configuration.Kerberos(self.options), Configuration.SSSD(self.options), Configuration.Winbind(self.options), Configuration.PWQuality(self.options), Configuration.MakeHomedir(self.options), - Configuration.NIS(self.options) ] for config in configs: diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644 --- a/src/compat/authcompat_Options.py +++ b/src/compat/authcompat_Options.py @@ -79,9 +79,6 @@ class Options: # However, they will just make sure that an authentication against # expected service is working. They may not result in the exact same # configuration as authconfig would generate. - Option.Feature("nis", _("NIS for user information by default")), - Option.Valued ("nisdomain", _(""), _("default NIS domain")), - Option.Valued ("nisserver", _(""), _("default NIS server")), Option.Feature("ldap", _("LDAP for user information by default")), Option.Feature("ldapauth", _("LDAP for authentication by default")), Option.Valued ("ldapserver", _(""), _("default LDAP server hostname or URI")), @@ -164,6 +161,11 @@ class Options: Option.UnsupportedFeature("locauthorize"), Option.UnsupportedFeature("sysnetauth"), Option.UnsupportedValued ("faillockargs", _("")), + + # NIS is no longer supported + Option.UnsupportedFeature("nis"), + Option.UnsupportedValued ("nisdomain", _("")), + Option.UnsupportedValued ("nisserver", _("")), ] Map = { 
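Review bot: The comment added with the three `Unsupported*` entries in the `-164,6 +161,11` hunk of authcompat_Options.py says only that NIS is no longer supported, not what happens on a host that already has NIS configured. The same commit deletes `Configuration.NIS.disableService`, which was the code that stopped and disabled `ypbind` and `rpcbind` and set the `allow_ypbind` SELinux boolean back to 0; if `UnsupportedFeature` merely accepts and ignores the option (its definition is outside this hunk), a legacy script that passes the disable form of the `nis` option will now leave those services and the boolean as they were. I would extend the comment to something like `# NIS is no longer supported: the nis options are accepted but ignored; ypbind, rpcbind and the allow_ypbind SELinux boolean are left untouched and must be cleaned up manually`, and add the same caveat next to the `|--enablenis |none` row in authselect-migration.7.adoc. The `Options` list this hunk edits begins and ends outside the hunk.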
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644 --- a/src/man/authselect-migration.7.adoc +++ b/src/man/authselect-migration.7.adoc @@ -72,7 +72,7 @@ configuration file for required services. |--enablesssd --enablesssdauth |sssd |--enablekrb5 |sssd |--enablewinbind --enablewinbindauth |winbind -|--enablenis |nis +|--enablenis |none |========================================================= .Relation of authconfig options to authselect profile features -- 2.20.1