From 4b1981a67216f56e67cff3887fe38ee8063ee0b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 May 2018 14:27:56 +0200
Subject: [PATCH] sssd: disable sudo by default

SSSD's sudo responder is not enabled by default on Fedora systems,
therefore having it enabled in nsswitch.conf produced warnings in
logs or sudo mails.
---
 profiles/sssd/README        | 3 +++
 profiles/sssd/nsswitch.conf | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/profiles/sssd/README b/profiles/sssd/README
index d2e104f80ce1c1993c683f5c5331f09e8afa1ee9..a7e6e640eefa1268586169b7349e8ed6d062066f 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -50,6 +50,9 @@ with-fingerprint::
 with-silent-lastlog::
     Do not produce pam_lastlog message during login.
 
+with-sudo::
+    Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
 EXAMPLES
 --------
 
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index fa5d76a9594dca9b9e192af7774600451557e5c5..cde7964a8531ae2b5e28ed6bf5428731b80b6ece 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -3,7 +3,7 @@ group:      sss files
 netgroup:   sss files
 automount:  sss files
 services:   sss files
-sudoers:    files sss
+sudoers:    files {if "with-sudo":sss}
 
 shadow:     files
 ethers:     files
-- 
2.14.3