On 2/14/20 8:19 PM, Michael Catanzaro wrote:
On Thu, Feb 13, 2020 at 7:13 pm, Michael Catanzaro <mcatanz...@gnome.org> wrote:
Why don't we have mymachines here?

This is a systemd module, right? There was some discussion about it in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P/#PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P

I don't really have all the information, but apparently there are some collisions with LDAP/FreeIPA and it is not supposed to be enabled by default.

Next question, I have:

passwd: sss files systemd
shadow: files sss
group: sss files systemd

The difference is that authselect doesn't write the shadow line [1], that one is coming from our glibc [2]. (glibc is already patched to enable sssd.) That inconsistency seems odd; shouldn't authselect be modifying the shadow line as well?

SSSD does not support shadow, therefore it is not added by authselect. IMHO it should be removed from glibc nsswitch.conf as well.

Then it also doesn't make sense that we put files before sss in half the lines, and sss before files in the other half.

Basically only passwd and group need to have sss consulted first, because SSSD now handles local users as well and this way glibc will first consult the SSSD in-memory cache before reading from disk.

It does not matter with the other maps. It makes sense to me to have SSSD first because nowadays, if you are joined to a remote domain, you have these maps served by SSSD from LDAP rather than having the configuration in files, at least in enterprise scenarios.

sudoers has files first because there is always /etc/sudoers with at least %wheel, so it makes sense to read it first.


[1] https://github.com/pbrezina/authselect/blob/master/profiles/sssd/nsswitch.conf
[2] https://src.fedoraproject.org/rpms/glibc/blob/master/f/glibc-fedora-nsswitch.patch
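
The ordering points made in the reply above, as an added check that is not part of the original message or of authselect: a small Python audit of nsswitch.conf text. The function names and the sudoers line in the sample are constructed for illustration; the passwd, shadow and group lines are the ones quoted in the thread.

```python
import re

# Lines quoted in the thread, plus one constructed sudoers line for illustration.
SAMPLE = """\
# constructed sample built from the lines quoted in the thread
passwd: sss files systemd
shadow: files sss
group:  sss files systemd
sudoers: sss files   # constructed line, not from the thread
"""

def parse_nsswitch(text):
    """Return {database: [service, ...]}, dropping comments and [STATUS=action] items."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        maps[db.strip()] = rest.split()
    return maps

def _before(services, first, second):
    """True/False if both are present (first precedes second); None if either is absent."""
    if first in services and second in services:
        return services.index(first) < services.index(second)
    return None

def audit(text):
    """Check the ordering points made in the reply; returns a list of findings."""
    maps, findings = parse_nsswitch(text), []
    for db in ("passwd", "group"):
        if _before(maps.get(db, []), "sss", "files") is False:
            findings.append(f"{db}: files precedes sss, SSSD cache not consulted first")
    if "sss" in maps.get("shadow", []):
        findings.append("shadow: sss listed, but SSSD does not serve the shadow map")
    if _before(maps.get("sudoers", []), "files", "sss") is False:
        findings.append("sudoers: sss precedes files, /etc/sudoers not read first")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```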

