On Mon, Feb 17, 2020 at 11:24 am, Pavel Březina <pbrezina@xxxxxxxxxx>
wrote:
This is the systemd module, right? There was some discussion about it in:
https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P/#PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P
I don't really have all the information but apparently there are some
collisions with LDAP/FreeIPA and it is not supposed to be enabled by
default.
Thanks, this is good to know.
Next question, I have:
passwd: sss files systemd
shadow: files sss
group: sss files systemd
The difference is that authselect doesn't write the shadow line [1],
that one is coming from our glibc [2]. (glibc is already patched to
enable sssd.) That inconsistency seems odd; shouldn't authselect be
modifying the shadow line as well?
SSSD does not support shadow; therefore it is not added by authselect.
IMHO it should be removed from glibc nsswitch.conf as well.
OK: https://src.fedoraproject.org/rpms/glibc/pull-request/17
Then it also doesn't make sense that we put files before sss in half
the lines, and sss before files in the other half.
Basically only passwd and group need to have sss consulted first
because SSSD now handles local users as well and this way glibc will
first consult the SSSD in-memory cache before reading from disk.
It does not matter with the other maps. It makes sense to me to have
SSSD first because nowadays if you are joined to a remote domain you
have these maps served by SSSD from LDAP rather than having the
configuration in files, at least in enterprise scenarios.
sudoers has files first because there is always /etc/sudoers with at
least %wheel so it makes sense to read it first.
Thanks for the info,
Michael
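
Added example, not part of the original message or of authselect/glibc: a small audit of an nsswitch.conf against the ordering described in this thread (sss before files for passwd and group, no sss on the shadow line, files before sss for sudoers). The sample file content and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = """\
# constructed sample nsswitch.conf
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
sudoers:    files sss
hosts:      files dns [!UNAVAIL=return] myhostname
"""

def parse_nsswitch(text):
    """Return {database: [service, ...]}; comments and [STATUS=action] items are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # action items may contain spaces
        dbs[db.strip()] = rest.split()
    return dbs

def audit(dbs):
    """Return a list of deviations from the ordering described in the thread."""
    findings = []

    def before(db, first, second):
        svcs = dbs.get(db, [])
        if first in svcs and second in svcs and svcs.index(first) > svcs.index(second):
            findings.append(f"{db}: '{first}' should precede '{second}'")

    before("passwd", "sss", "files")   # SSSD in-memory cache is consulted first
    before("group", "sss", "files")
    before("sudoers", "files", "sss")  # /etc/sudoers is read first
    if "sss" in dbs.get("shadow", []):
        findings.append("shadow: 'sss' listed but SSSD does not serve shadow")
    return findings

if __name__ == "__main__":
    # With no argument the constructed sample is audited instead of a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(parse_nsswitch(text)):
        print(finding)
```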