On 05/15/2017 11:30 AM, Jakub Hrozek wrote: > On Mon, May 15, 2017 at 05:22:14PM +0200, Tomas Mraz wrote: >> On Mon, 2017-05-15 at 17:15 +0200, Jakub Hrozek wrote: >>> On Mon, May 15, 2017 at 04:35:56PM +0200, Tomas Mraz wrote: >>>> My current Fedora 26 default nsswitch.conf contains these lines: >>>> >>>> passwd: sss files systemd >>>> shadow: files sss >>>> group: sss files systemd >>>> >>>> Not sure which package created this configuration, but: >>>> >>>> * Where is the consistency? >>>> * Where is the Fedora Change page that talks about these >>>> modifications >>>> of fairly critical systemwide configuration file? >>>> * From which time systemd started to manage user accounts of the >>>> machine, again where is the Fedora Change page for such change? >>> Is this what you are looking for? >>> https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers >>> >>> That page says: >>> """ >>> This change proposes leveraging a new "files" provider SSSD will ship >>> in >>> the next version in order to resolve also users from the local files. >>> That way, the "sss" NSS module can be configured before the files >>> module >>> in nsswitch.conf and the system could leverage sss_nss caching for >>> both >>> local and remote users. >>> """ >> The questions still hold for the consistency between passwd and shadow >> and also for the systemd module present. > Since sssd doesn't handle the password map, being consistent there in > the ordering sense (sss before files) wouldn't make much sense, because > the nss module functions for the shadow map are not even implemented in > nss_sss. We could even omit the sss module from that map altogether.
The only historical reason it is there is because authconfig didn't differentiate them; it made all changes to shadow identically to passwd. I don't know if that's still the case, but I'm pretty sure it was when we first added SSSD support to authconfig. It's not harmful, since the SSSD client just immediately returns with an appropriate NSS error code if it's asked for any shadow map function.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
