!31 [sync] PR-30: 【openEuler-22.03-LTS】Fix the failure of login by root

From: @openeuler-sync-bot 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1

authselect.spec

@@ -1,12 +1,15 @@
 Name:          authselect
 Version:       1.2.4
-Release:       2
+Release:       7
 Summary:       A tool to select system authentication and identity sources from a list of supported profiles
 License:       GPLv3+
 URL:           https://github.com/authselect/authselect
 Source0:       https://github.com/authselect/authselect/archive/%{version}/%{name}-%{version}.tar.gz
 
 Patch0:        authselect-revert-remove-authselect-compat-package.patch
+Patch1:        backport-main-Drop-an-unnecessary-NULL-check-before-free.patch
+Patch2:        backport-cli-fix-memory-handling-with-new-popt-library.patch
+Patch3:        backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch
 
 BuildRequires: autoconf gettext-devel automake libtool popt-devel libcmocka-devel
 BuildRequires: m4 gcc pkgconfig pkgconfig(popt) po4a asciidoc python3-devel
@@ -79,6 +82,8 @@ autoreconf -ivf
 %postun -n %{name} -p /sbin/ldconfig
 
 %files
+%dir %{_sysconfdir}/authselect
+%dir %{_sysconfdir}/authselect/custom
 %defattr(-,root,root)
 %license COPYING
 %{_bindir}/authselect
@@ -101,6 +106,7 @@ autoreconf -ivf
 %files help
 %defattr(-,root,root)
 %{_datadir}/doc/authselect/*
+%exclude %{_datadir}/doc/authselect/README.md
 %{_mandir}/*
 
 %posttrans compat
@@ -108,7 +114,22 @@ sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwq
 exit 0
 
 %changelog
-* Fri Jan 14 2021 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-2
+* Tue May 30 2023 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-7
+- fix the failure of login by root
+
+* Mon Aug 15 2022 panxiaohe <panxh.life@foxmail.com> - 1.2.4-6
+- cli: fix memory handling with new popt library
+
+* Sun May 15 2022 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-5
+- provide default directory /etc/authselect
+
+* Fri Apr 29 2022 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-4
+- delete duplicate file README.md from authselect-help
+
+* Mon Mar 21 2022 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-3
+- fix change date for version 1.2.4-2 in changelog
+
+* Fri Jan 14 2022 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-2
 - revert "remove authselect compat package"
 
 * Tue Nov 30 2021 yixiangzhike <yixiangzhike007@163.com> - 1.2.4-1

backport-cli-fix-memory-handling-with-new-popt-library.patch

@@ -0,0 +1,442 @@
+From 35643637c2964e9dd1a459fd76076b088219c117 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Tue, 28 Jun 2022 11:07:18 +0200
+Subject: [PATCH] cli: fix memory handling with new popt library
+
+This patch makes a copy of the string returned by popt so
+the string can be safely used after releasing popt context.
+
+Resolves: https://github.com/authselect/authselect/issues/313
+---
+ src/cli/cli_tool.c |  19 +++++++-
+ src/cli/cli_tool.h |   2 +-
+ src/cli/main.c     | 109 ++++++++++++++++++++++++++++-----------------
+ 3 files changed, 86 insertions(+), 44 deletions(-)
+
+diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
+index 83bc1ef..7cf0d45 100644
+--- a/src/cli/cli_tool.c
++++ b/src/cli/cli_tool.c
+@@ -301,7 +301,7 @@ errno_t cli_tool_popt_ex(struct cli_cmdline *cmdline,
+                          void *popt_fn_pvt,
+                          const char *fopt_name,
+                          const char *fopt_help,
+-                         const char **_fopt,
++                         char **_fopt,
+                          bool allow_more_free_opts,
+                          bool *_opt_set)
+ {
+@@ -319,6 +319,11 @@ errno_t cli_tool_popt_ex(struct cli_cmdline *cmdline,
+     bool opt_set;
+     int ret;
+ 
++    /* Set output parameter _fopt to NULL value if present. */
++    if (_fopt != NULL) {
++        *_fopt = NULL;
++    }
++
+     /* Create help option string. We always need to append command name since
+      * we use POPT_CONTEXT_KEEP_FIRST. */
+     if (fopt_name == NULL) {
+@@ -379,7 +384,12 @@ errno_t cli_tool_popt_ex(struct cli_cmdline *cmdline,
+             }
+         }
+ 
+-        *_fopt = fopt;
++        *_fopt = strdup(fopt);
++        if (*_fopt == NULL) {
++            ERROR("Out of memory!");
++            ret = ENOMEM;
++            goto done;
++        }
+     } else if (_fopt == NULL && fopt != NULL) {
+         /* Unexpected free argument. */
+         fprintf(stderr, _("Unexpected parameter: %s\n\n"), fopt);
+@@ -410,6 +420,11 @@ errno_t cli_tool_popt_ex(struct cli_cmdline *cmdline,
+ done:
+     poptFreeContext(pc);
+     free(help);
++    if (ret != EOK && _fopt != NULL) {
++        free(*_fopt);
++        *_fopt = NULL;
++    }
++
+     return ret;
+ }
+ 
+diff --git a/src/cli/cli_tool.h b/src/cli/cli_tool.h
+index a52260f..b3b361c 100644
+--- a/src/cli/cli_tool.h
++++ b/src/cli/cli_tool.h
+@@ -68,7 +68,7 @@ errno_t cli_tool_popt_ex(struct cli_cmdline *cmdline,
+                          void *popt_fn_pvt,
+                          const char *fopt_name,
+                          const char *fopt_help,
+-                         const char **_fopt,
++                         char **_fopt,
+                          bool allow_more_free_opts,
+                          bool *_opt_set);
+ 
+diff --git a/src/cli/main.c b/src/cli/main.c
+index afe1009..18486b5 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -61,15 +61,17 @@ list_max_length(char **list)
+ static errno_t
+ parse_profile_options(struct cli_cmdline *cmdline,
+                       struct poptOption *options,
+-                      const char **_profile_id,
++                      char **_profile_id,
+                       const char ***_features)
+ {
+-    const char *profile_id;
++    char *profile_id;
+     const char **features;
+     bool profile_skipped;
+     errno_t ret;
+     int i, j;
+ 
++    *_profile_id = NULL;
++
+     ret = cli_tool_popt_ex(cmdline, options, CLI_TOOL_OPT_OPTIONAL,
+                            NULL, NULL, "PROFILE-ID", _("Profile identifier."),
+                            &profile_id, true, NULL);
+@@ -80,6 +82,7 @@ parse_profile_options(struct cli_cmdline *cmdline,
+ 
+     features = malloc_zero_array(const char *, cmdline->argc);
+     if (features == NULL) {
++        free(profile_id);
+         return ENOMEM;
+     }
+ 
+@@ -143,7 +146,7 @@ static errno_t activate(struct cli_cmdline *cmdline)
+ {
+     struct authselect_profile *profile = NULL;
+     const char **features = NULL;
+-    const char *profile_id;
++    char *profile_id = NULL;
+     char *requirements = NULL;
+     char *backup_name = NULL;
+     char **maps = NULL;
+@@ -232,6 +235,7 @@ done:
+     authselect_array_free(maps);
+     authselect_profile_free(profile);
+     free(features);
++    free(profile_id);
+ 
+     return ret;
+ }
+@@ -428,7 +432,7 @@ done:
+ static errno_t list_features(struct cli_cmdline *cmdline)
+ {
+     struct authselect_profile *profile;
+-    const char *profile_id;
++    char *profile_id;
+     char **features;
+     errno_t ret;
+     int i;
+@@ -438,14 +442,14 @@ static errno_t list_features(struct cli_cmdline *cmdline)
+                            &profile_id, true, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_profile(profile_id, &profile);
+     if (ret != EOK) {
+         ERROR("Unable to get profile information [%d]: %s",
+               ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+     features = authselect_profile_features(profile);
+@@ -453,7 +457,8 @@ static errno_t list_features(struct cli_cmdline *cmdline)
+     if (features == NULL) {
+         ERROR("Unable to get profile features [%d]: %s",
+               ret, strerror(ret));
+-        return ENOMEM;
++        ret = ENOMEM;
++        goto done;
+     }
+ 
+     for (i = 0; features[i] != NULL; i++) {
+@@ -462,13 +467,17 @@ static errno_t list_features(struct cli_cmdline *cmdline)
+ 
+     authselect_array_free(features);
+ 
+-    return EOK;
++    ret = EOK;
++
++done:
++    free(profile_id);
++    return ret;
+ }
+ 
+ static errno_t show(struct cli_cmdline *cmdline)
+ {
+     struct authselect_profile *profile;
+-    const char *profile_id;
++    char *profile_id;
+     errno_t ret;
+ 
+     ret = cli_tool_popt_ex(cmdline, NULL, CLI_TOOL_OPT_OPTIONAL,
+@@ -476,41 +485,47 @@ static errno_t show(struct cli_cmdline *cmdline)
+                            &profile_id, false, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_profile(profile_id, &profile);
+     if (ret != EOK) {
+         ERROR("Unable to get profile information [%d]: %s",
+               ret, strerror(ret));
+-        return ENOMEM;
++        ret = ENOMEM;
++        goto done;
+     }
+ 
+     puts(authselect_profile_description(profile));
+ 
+     authselect_profile_free(profile);
+ 
+-    return EOK;
++    ret = EOK;
++
++done:
++    free(profile_id);
++    return ret;
+ }
+ 
+ static errno_t requirements(struct cli_cmdline *cmdline)
+ {
+-    struct authselect_profile *profile;
+-    const char *profile_id;
++    struct authselect_profile *profile = NULL;
++    char *profile_id = NULL;
+     const char **features;
+-    char *requirements;
++    char *requirements = NULL;
+     errno_t ret;
+ 
+     ret = parse_profile_options(cmdline, NULL, &profile_id, &features);
+     if (ret != EOK) {
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_profile(profile_id, &profile);
+     if (ret != EOK) {
+         ERROR("Unable to get profile information [%d]: %s",
+               ret, strerror(ret));
+-        return ENOMEM;
++        ret = ENOMEM;
++        goto done;
+     }
+ 
+     requirements = authselect_profile_requirements(profile, features);
+@@ -528,6 +543,7 @@ static errno_t requirements(struct cli_cmdline *cmdline)
+ 
+ done:
+     free(requirements);
++    free(profile_id);
+     authselect_profile_free(profile);
+ 
+     return ret;
+@@ -536,7 +552,7 @@ done:
+ static errno_t test(struct cli_cmdline *cmdline)
+ {
+     struct authselect_files *files;
+-    const char *profile_id;
++    char *profile_id = NULL;
+     const char **features;
+     const char *content;
+     const char *path;
+@@ -583,13 +599,13 @@ static errno_t test(struct cli_cmdline *cmdline)
+ 
+     ret = parse_profile_options(cmdline, options, &profile_id, &features);
+     if (ret != EOK) {
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_files(profile_id, features, &files);
+     if (ret != EOK) {
+         ERROR("Unable to get generated content [%d]: %s", ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+     for (i = 0; generated[i].content_fn != NULL; i++) {
+@@ -613,7 +629,9 @@ static errno_t test(struct cli_cmdline *cmdline)
+         }
+     }
+ 
+-    return EOK;
++done:
++    free(profile_id);
++    return ret;
+ }
+ 
+ static errno_t enable(struct cli_cmdline *cmdline)
+@@ -622,7 +640,7 @@ static errno_t enable(struct cli_cmdline *cmdline)
+     char *backup_name = NULL;
+     char *requirements = NULL;
+     char *profile_id = NULL;
+-    const char *feature;
++    char *feature;
+     const char *features[2];
+     int backup = 0;
+     int quiet = 0;
+@@ -693,6 +711,7 @@ static errno_t enable(struct cli_cmdline *cmdline)
+ done:
+     free(profile_id);
+     free(requirements);
++    free(feature);
+     authselect_profile_free(profile);
+ 
+     return ret;
+@@ -702,7 +721,7 @@ static errno_t disable(struct cli_cmdline *cmdline)
+ {
+     int backup = 0;
+     char *backup_name = NULL;
+-    const char *feature;
++    char *feature;
+     errno_t ret;
+ 
+     struct poptOption options[] = {
+@@ -716,32 +735,34 @@ static errno_t disable(struct cli_cmdline *cmdline)
+                            &feature, false, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = perform_backup(false, backup, backup_name);
+     if (ret != EOK) {
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_feature_disable(feature);
+     if (ret != EOK) {
+         CLI_ERROR("Unable to disable feature [%d]: %s\n", ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+-    return EOK;
++done:
++    free(feature);
++    return ret;
+ }
+ 
+ static errno_t create(struct cli_cmdline *cmdline)
+ {
+-    const char *name;
++    char *name;
+     const char *base_id = NULL;
+     enum authselect_profile_type type = AUTHSELECT_PROFILE_CUSTOM;
+     enum authselect_profile_type base_type = AUTHSELECT_PROFILE_ANY;
+     int symlink_flags = AUTHSELECT_SYMLINK_NONE;
+     const char **symlinks = NULL;
+-    char *path;
++    char *path = NULL;
+     errno_t ret;
+ 
+     struct poptOption options[] = {
+@@ -761,20 +782,22 @@ static errno_t create(struct cli_cmdline *cmdline)
+                            &name, false, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_profile_create(name, type, base_id, base_type,
+                                     symlink_flags, symlinks, &path);
+     if (ret != EOK) {
+         CLI_ERROR("Unable to create new profile [%d]: %s\n", ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+     CLI_PRINT("New profile was created at %s\n", path);
+-    free(path);
+ 
+-    return EOK;
++done:
++    free(path);
++    free(name);
++    return ret;
+ }
+ 
+ static errno_t backup_list(struct cli_cmdline *cmdline)
+@@ -855,7 +878,7 @@ done:
+ 
+ static errno_t backup_remove(struct cli_cmdline *cmdline)
+ {
+-    const char *name;
++    char *name;
+     errno_t ret;
+ 
+     ret = cli_tool_popt_ex(cmdline, NULL, CLI_TOOL_OPT_OPTIONAL,
+@@ -864,22 +887,24 @@ static errno_t backup_remove(struct cli_cmdline *cmdline)
+                            &name, false, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_backup_remove(name);
+     if (ret != EOK) {
+         CLI_ERROR("Unable to remove backup [%s] [%d]: %s\n",
+                   name, ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+-    return EOK;
++done:
++    free(name);
++    return ret;
+ }
+ 
+ static errno_t backup_restore(struct cli_cmdline *cmdline)
+ {
+-    const char *name;
++    char *name;
+     errno_t ret;
+ 
+     ret = cli_tool_popt_ex(cmdline, NULL, CLI_TOOL_OPT_OPTIONAL,
+@@ -888,17 +913,19 @@ static errno_t backup_restore(struct cli_cmdline *cmdline)
+                            &name, false, NULL);
+     if (ret != EOK) {
+         ERROR("Unable to parse command arguments");
+-        return ret;
++        goto done;
+     }
+ 
+     ret = authselect_backup_restore(name);
+     if (ret != EOK) {
+         CLI_ERROR("Unable to restore backup [%s] [%d]: %s\n",
+                   name, ret, strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+-    return EOK;
++done:
++    free(name);
++    return ret;
+ }
+ 
+ static errno_t uninstall(struct cli_cmdline *cmdline)
+-- 
+2.27.0
+

backport-main-Drop-an-unnecessary-NULL-check-before-free.patch

@@ -0,0 +1,36 @@
+From 46386b75fb90ce91ede80093ce73e99fde53ba3b Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Tue, 4 Jan 2022 18:33:30 -0500
+Subject: [PATCH] main: Drop an unnecessary `NULL` check before `free()`
+
+From `man free()`:
+
+```
+The free() function frees the memory space pointed to by ptr ...  If ptr is NULL, no operation is performed.
+```
+
+Obviously there are *tons* of these in the codebase; just doing
+this one as a preliminary PR; if accepted I may do some more, or
+others can.  Or we could try a coccinelle semantic patch.
+---
+ src/cli/main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/cli/main.c b/src/cli/main.c
+index 4b8ab85..575e56f 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -231,9 +231,7 @@ done:
+     free(requirements);
+     authselect_array_free(maps);
+     authselect_profile_free(profile);
+-    if (features != NULL) {
+-        free(features);
+-    }
++    free(features);
+ 
+     return ret;
+ }
+-- 
+2.27.0
+

backport-profiles-update-nsswitch.conf-due-to-user-nsswitch.c.patch

@@ -0,0 +1,377 @@
+From 3e3a473c66c24b621838c1285f1f808149d3967b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 16 Nov 2021 13:10:12 +0100
+Subject: [PATCH] profiles: update nsswitch.conf due to user-nsswitch.conf
+ removal
+
+user-nsswitch.conf support is now disabled by default, therefore
+we need to support important modules (altfiles, mdns) and include
+all databases again in the profile.
+
+- add mdns support
+- add altfiles support
+- include all databases in all profiles
+- reorder databases in order of likelihood (taken from glibc)
+
+Resolves: https://github.com/authselect/authselect/issues/282
+---
+ profiles/minimal/README        | 56 ++++-----------------------------
+ profiles/minimal/nsswitch.conf | 30 +++++++++---------
+ profiles/nis/README            | 57 +++++-----------------------------
+ profiles/nis/nsswitch.conf     | 30 +++++++++---------
+ profiles/sssd/README           | 32 ++++++-------------
+ profiles/sssd/nsswitch.conf    | 23 ++++++++++----
+ profiles/winbind/README        | 21 +++++--------
+ profiles/winbind/nsswitch.conf | 18 +++++++++--
+ 8 files changed, 96 insertions(+), 171 deletions(-)
+
+diff --git a/profiles/minimal/README b/profiles/minimal/README
+index 131ff14..11548ba 100644
+--- a/profiles/minimal/README
++++ b/profiles/minimal/README
+@@ -35,58 +35,14 @@ with-pamaccess::
+ with-altfiles::
+     Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
++with-mdns4::
++    Enable multicast DNS over IPv4.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
++with-mdns6::
++    Enable multicast DNS over IPv6.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
+-
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
++without-nullok::
++    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
+index a9e4bc7..6c3c355 100644
+--- a/profiles/minimal/nsswitch.conf
++++ b/profiles/minimal/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases:    files                                       {exclude if "with-custom-aliases"}
+-automount:  files                                       {exclude if "with-custom-automount"}
+-ethers:     files                                       {exclude if "with-custom-ethers"}
+-group:      files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
+-hosts:      resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files                                       {exclude if "with-custom-initgroups"}
+-netgroup:   files                                       {exclude if "with-custom-netgroup"}
+-networks:   files                                       {exclude if "with-custom-networks"}
+-passwd:     files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"}
+-protocols:  files                                       {exclude if "with-custom-protocols"}
+-publickey:  files                                       {exclude if "with-custom-publickey"}
+-rpc:        files                                       {exclude if "with-custom-rpc"}
+-services:   files                                       {exclude if "with-custom-services"}
+-shadow:     files                                       {exclude if "with-custom-shadow"}
+\ No newline at end of file
++# In order of likelihood of use to accelerate lookup.
++passwd:     files {if "with-altfiles":altfiles }systemd
++shadow:     files
++group:      files {if "with-altfiles":altfiles }systemd
++hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services:   files
++netgroup:   files
++automount:  files
++
++aliases:    files
++ethers:     files
++gshadow:    files
++networks:   files dns
++protocols:  files
++publickey:  files
++rpc:        files
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 5dbb9b4..9f629db 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -50,58 +50,17 @@ with-nispwquality::
+     for NIS users as well as local users during password change. Without this
+     option only local users passwords are checked.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-aliases::
+-Ignore "aliases" map set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" map set by the profile.
+-
+-with-custom-ethers::
+-Ignore "ethers" map set by the profile.
+-
+-with-custom-group::
+-Ignore "group" map set by the profile.
+-
+-with-custom-hosts::
+-Ignore "hosts" map set by the profile.
++with-altfiles::
++    Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-with-custom-initgroups::
+-Ignore "initgroups" map set by the profile.
++with-mdns4::
++    Enable multicast DNS over IPv4.
+ 
+-with-custom-netgroup::
+-Ignore "netgroup" map set by the profile.
++with-mdns6::
++    Enable multicast DNS over IPv6.
+ 
+-with-custom-networks::
+-Ignore "networks" map set by the profile.
+-
+-with-custom-passwd::
+-Ignore "passwd" map set by the profile.
+-
+-with-custom-protocols::
+-Ignore "protocols" map set by the profile.
+-
+-with-custom-publickey::
+-Ignore "publickey" map set by the profile.
+-
+-with-custom-rpc::
+-Ignore "rpc" map set by the profile.
+-
+-with-custom-services::
+-Ignore "services" map set by the profile.
+-
+-with-custom-shadow::
+-Ignore "shadow" map set by the profile.
++without-nullok::
++    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 50a3ffb..e60eeaa 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -1,14 +1,16 @@
+-aliases:    files nis                   {exclude if "with-custom-aliases"}
+-automount:  files nis                   {exclude if "with-custom-automount"}
+-ethers:     files nis                   {exclude if "with-custom-ethers"}
+-group:      files nis systemd           {exclude if "with-custom-group"}
+-hosts:      resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+-initgroups: files nis                   {exclude if "with-custom-initgroups"}
+-netgroup:   files nis                   {exclude if "with-custom-netgroup"}
+-networks:   files nis                   {exclude if "with-custom-networks"}
+-passwd:     files nis systemd           {exclude if "with-custom-passwd"}
+-protocols:  files nis                   {exclude if "with-custom-protocols"}
+-publickey:  files nis                   {exclude if "with-custom-publickey"}
+-rpc:        files nis                   {exclude if "with-custom-rpc"}
+-services:   files nis                   {exclude if "with-custom-services"}
+-shadow:     files nis                   {exclude if "with-custom-shadow"}
++# In order of likelihood of use to accelerate lookup.
++passwd:     files {if "with-altfiles":altfiles }nis systemd
++shadow:     files nis
++group:      files {if "with-altfiles":altfiles }nis systemd
++hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] nis myhostname dns
++services:   files nis
++netgroup:   files nis
++automount:  files nis
++
++aliases:    files nis
++ethers:     files nis
++gshadow:    files nis
++networks:   files nis dns
++protocols:  files nis
++publickey:  files nis
++rpc:        files nis
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 59871f7..fff913a 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -79,6 +79,15 @@ with-sudo::
+ with-pamaccess::
+     Check access.conf during account authorization.
+ 
++with-altfiles::
++    Use nss_altfiles for passwd and group nsswitch databases.
++
++with-mdns4::
++    Enable multicast DNS over IPv4.
++
++with-mdns6::
++    Enable multicast DNS over IPv6.
++
+ with-files-domain::
+     If set, SSSD will be contacted before "files" when resolving users and
+     groups. The order in nsswitch.conf will be set to "sss files" instead of
+@@ -97,29 +106,6 @@ with-files-access-provider::
+ without-nullok::
+     Do not add nullok parameter to pam_unix.
+ 
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
+-
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
+-
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
+-
+-with-custom-group::
+-Ignore "group" database set by the profile.
+-
+-with-custom-netgroup::
+-Ignore "netgroup" database set by the profile.
+-
+-with-custom-automount::
+-Ignore "automount" database set by the profile.
+-
+-with-custom-services::
+-Ignore "services" database set by the profile.
+-
+ EXAMPLES
+ --------
+ 
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 91c9fe9..526cbae 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -1,6 +1,17 @@
+-passwd:     {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-passwd"}
+-group:      {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-group"}
+-netgroup:   sss files           {exclude if "with-custom-netgroup"}
+-automount:  sss files           {exclude if "with-custom-automount"}
+-services:   sss files           {exclude if "with-custom-services"}
+-sudoers:    files sss           {include if "with-sudo"}
++# In order of likelihood of use to accelerate lookup.
++passwd:     {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
++shadow:     files
++group:      {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
++hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services:   files sss
++netgroup:   files sss
++sudoers:    files sss {include if "with-sudo"}
++automount:  files sss
++
++aliases:    files
++ethers:     files
++gshadow:    files
++networks:   files dns
++protocols:  files
++publickey:  files
++rpc:        files
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 40a1a45..39a15fc 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -60,22 +60,17 @@ with-silent-lastlog::
+ with-pamaccess::
+     Check access.conf during account authorization.
+ 
+-without-nullok::
+-    Do not add nullok parameter to pam_unix.
+-
+-DISABLE SPECIFIC NSSWITCH DATABASES
+------------------------------------
++with-altfiles::
++    Use nss_altfiles for passwd and group nsswitch databases.
+ 
+-Normally, nsswitch databases set by the profile overwrites values set in
+-user-nsswitch.conf. The following options can force authselect to
+-ignore value set by the profile and use the one set in user-nsswitch.conf
+-instead.
++with-mdns4::
++    Enable multicast DNS over IPv4.
+ 
+-with-custom-passwd::
+-Ignore "passwd" database set by the profile.
++with-mdns6::
++    Enable multicast DNS over IPv6.
+ 
+-with-custom-group::
+-Ignore "group" database set by the profile.
++without-nullok::
++    Do not add nullok parameter to pam_unix.
+ 
+ EXAMPLES
+ --------
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index 8a23bd7..b3ea72d 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -1,2 +1,16 @@
+-passwd:     files winbind systemd    {exclude if "with-custom-passwd"}
+-group:      files winbind systemd    {exclude if "with-custom-group"}
++# In order of likelihood of use to accelerate lookup.
++passwd:     files {if "with-altfiles":altfiles }winbind systemd
++shadow:     files
++group:      files {if "with-altfiles":altfiles }winbind systemd
++hosts:      files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
++services:   files
++netgroup:   files
++automount:  files
++
++aliases:    files
++ethers:     files
++gshadow:    files
++networks:   files dns
++protocols:  files
++publickey:  files
++rpc:        files
+-- 
+2.27.0
+