On 05/18/2017 09:24 AM, Nico Kadel-Garcia wrote:
> On Thu, May 18, 2017 at 6:17 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> On Tue, May 16, 2017 at 08:20:49AM -0400, Stephen Gallagher wrote:
> 
>>> Yes, authconfig is *not* a good tool for managing centralized authentication
>>> services and its upstream has been unable to keep up with the changing
>>> needs of the system. That's why work is under way to replace it with more
>>> robust tools. I think Jakub can talk more about that.
>>
>> Yeah, there is a project in a fairly early stage (so, we don't even have
>> a Fedora Change page yet, but we need to file one for F-27) to replace
>> authconfig.
>>
>> The basic idea is that instead of trying to generate a nss/pam stack
>> based on what the admin called authconfig with (and hope for the best)
>> the tool would include a curated and well tested set of stacks to support
>> the common configuration types.
> 
> Cool. I'd love to see, for example "sss" not even listed in the
> equivalent of /etc/nsswitch.conf for systems that haven't specifically
> enabled any service that actually uses LDAP. Currently, the stack
> relies on authconfig turning *off* the sssd daemon. I'd prefer to see
> it listed there only if there's actually anything configured to use
> it.

That's a perfectly reasonable request. I think it's fair to say that if no
central user management is required, it's reasonable that our default would be
to drop 'sss' from nsswitch.conf and turn nscd back on (to avoid I/O lookups on
the local files).

Though if we do that, I'd still like to see some daemon *somewhere* monitoring
the files and flushing the nscd cache if they are modified, because an outdated
nscd cache is one of the hardest things for an end-user to debug because there's
really nowhere that can log it.
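The file-monitoring daemon described above, as an added example that is not code from the thread or from any Fedora project: a polling watcher that maps the local NSS source files to the nscd tables they feed and runs `nscd -i <table>` when a file is replaced or edited. The file-to-table mapping, the polling interval and the helper names are assumptions of this example.

```python
import os
import subprocess
import time

# Local NSS source files and the nscd table each one feeds (assumed mapping);
# nscd -i <table> flushes one table, and shadow is not cached by nscd at all.
WATCHED = {"/etc/passwd": "passwd", "/etc/group": "group", "/etc/hosts": "hosts"}

def snapshot(paths):
    # (inode, mtime_ns, size) per path, or None if missing. The inode is
    # tracked because vipw/useradd write a new file and rename it into place.
    state = {}
    for path in paths:
        try:
            st = os.stat(path)
            state[path] = (st.st_ino, st.st_mtime_ns, st.st_size)
        except FileNotFoundError:
            state[path] = None
    return state

def changed_tables(before, after, mapping=WATCHED):
    # nscd tables whose source file differs between two snapshots.
    return sorted({table for path, table in mapping.items()
                   if before.get(path) != after.get(path)})

def invalidate(tables, run=subprocess.run):
    # Flush each stale table; returns the commands issued so they can be logged.
    issued = []
    for table in tables:
        cmd = ["nscd", "-i", table]
        run(cmd, check=False)
        issued.append(cmd)
    return issued

def watch(interval=2.0, mapping=WATCHED):
    # Poll forever; on any change, flush only the tables that depend on it.
    previous = snapshot(mapping)
    while True:
        time.sleep(interval)
        current = snapshot(mapping)
        for cmd in invalidate(changed_tables(previous, current, mapping)):
            print("flushed:", " ".join(cmd))  # a real daemon would log this
        previous = current

if __name__ == "__main__":
    watch()
```

Because each flush is logged, a stale-cache problem of the kind described above leaves a trace an end user can actually find.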


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org