From 3e3a473c66c24b621838c1285f1f808149d3967b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Tue, 16 Nov 2021 13:10:12 +0100
Subject: [PATCH] profiles: update nsswitch.conf due to user-nsswitch.conf removal

user-nsswitch.conf support is now disabled by default, therefore we need to support important modules (altfiles, mdns) and include all databases again in the profile.

- add mdns support
- add altfiles support
- include all databases in all profiles
- reorder databases in order of likelihood (taken from glibc)

Resolves: https://github.com/authselect/authselect/issues/282
---
 profiles/minimal/README | 56 ++++-----------------------------
 profiles/minimal/nsswitch.conf | 30 +++++++++---------
 profiles/nis/README | 57 +++++-----------------------------
 profiles/nis/nsswitch.conf | 30 +++++++++---------
 profiles/sssd/README | 32 ++++++-------------
 profiles/sssd/nsswitch.conf | 23 ++++++++++----
 profiles/winbind/README | 21 +++++--------
 profiles/winbind/nsswitch.conf | 18 +++++++++--
 8 files changed, 96 insertions(+), 171 deletions(-)

diff --git a/profiles/minimal/README b/profiles/minimal/README
index 131ff14..11548ba 100644
--- a/profiles/minimal/README
+++ b/profiles/minimal/README
@@ -35,58 +35,14 @@ with-pamaccess::
 with-altfiles::
     Use nss_altfiles for passwd and group nsswitch databases.
 
-without-nullok::
-    Do not add nullok parameter to pam_unix.
-
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
-
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
-
-with-custom-aliases::
-Ignore "aliases" map set by the profile.
-
-with-custom-automount::
-Ignore "automount" map set by the profile.
-
-with-custom-ethers::
-Ignore "ethers" map set by the profile.
-
-with-custom-group::
-Ignore "group" map set by the profile.
-
-with-custom-hosts::
-Ignore "hosts" map set by the profile.
+with-mdns4::
+    Enable multicast DNS over IPv4.
 
-with-custom-initgroups::
-Ignore "initgroups" map set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
 
-with-custom-netgroup::
-Ignore "netgroup" map set by the profile.
-
-with-custom-networks::
-Ignore "networks" map set by the profile.
-
-with-custom-passwd::
-Ignore "passwd" map set by the profile.
-
-with-custom-protocols::
-Ignore "protocols" map set by the profile.
-
-with-custom-publickey::
-Ignore "publickey" map set by the profile.
-
-with-custom-rpc::
-Ignore "rpc" map set by the profile.
-
-with-custom-services::
-Ignore "services" map set by the profile.
-
-with-custom-shadow::
-Ignore "shadow" map set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
 
 EXAMPLES
 --------
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a9e4bc7..6c3c355 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -1,14 +1,16 @@
-aliases: files {exclude if "with-custom-aliases"}
-automount: files {exclude if "with-custom-automount"}
-ethers: files {exclude if "with-custom-ethers"}
-group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
-initgroups: files {exclude if "with-custom-initgroups"}
-netgroup: files {exclude if "with-custom-netgroup"}
-networks: files {exclude if "with-custom-networks"}
-passwd: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"}
-protocols: files {exclude if "with-custom-protocols"}
-publickey: files {exclude if "with-custom-publickey"}
-rpc: files {exclude if "with-custom-rpc"}
-services: files {exclude if "with-custom-services"}
-shadow: files {exclude if "with-custom-shadow"}
\ No newline at end of file
+# In order of likelihood of use to accelerate lookup.
+passwd: files {if "with-altfiles":altfiles }systemd
+shadow: files
+group: files {if "with-altfiles":altfiles }systemd
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services: files
+netgroup: files
+automount: files
+
+aliases: files
+ethers: files
+gshadow: files
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
diff --git a/profiles/nis/README b/profiles/nis/README
index 5dbb9b4..9f629db 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
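Review bot: On the new `hosts:` line the `mdns_minimal`/`mdns4_minimal`/`mdns6_minimal` sources carry no action, so a `.local` name that mDNS cannot resolve falls through to `resolve` and `dns` and is sent on to unicast DNS. The nss-mdns documentation recommends `mdns4_minimal [NOTFOUND=return]` for exactly this reason; the minimal modules answer NOTFOUND only for `.local` and link-local queries, so appending ` [NOTFOUND=return]` inside each of the three `{if ...}` groups leaves every other name unaffected. The same `hosts:` line is introduced in the nis, sssd and winbind nsswitch.conf hunks of this patch. Separately, the `{exclude if "with-custom-*"}` conditions disappear without a replacement; if authselect rejects unknown feature names when re-applying a stored selection, existing configurations that use them will stop applying, which deserves a mention in the commit message or a compatibility shim.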
@@ -50,58 +50,17 @@ with-nispwquality::
     for NIS users as well as local users during password change. Without this option only local users passwords are checked.
 
-without-nullok::
-    Do not add nullok parameter to pam_unix.
-
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
-
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
-
-with-custom-aliases::
-Ignore "aliases" map set by the profile.
-
-with-custom-automount::
-Ignore "automount" map set by the profile.
-
-with-custom-ethers::
-Ignore "ethers" map set by the profile.
-
-with-custom-group::
-Ignore "group" map set by the profile.
-
-with-custom-hosts::
-Ignore "hosts" map set by the profile.
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
 
-with-custom-initgroups::
-Ignore "initgroups" map set by the profile.
+with-mdns4::
+    Enable multicast DNS over IPv4.
 
-with-custom-netgroup::
-Ignore "netgroup" map set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
 
-with-custom-networks::
-Ignore "networks" map set by the profile.
-
-with-custom-passwd::
-Ignore "passwd" map set by the profile.
-
-with-custom-protocols::
-Ignore "protocols" map set by the profile.
-
-with-custom-publickey::
-Ignore "publickey" map set by the profile.
-
-with-custom-rpc::
-Ignore "rpc" map set by the profile.
-
-with-custom-services::
-Ignore "services" map set by the profile.
-
-with-custom-shadow::
-Ignore "shadow" map set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
 
 EXAMPLES
 --------
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 50a3ffb..e60eeaa 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,14 +1,16 @@
-aliases: files nis {exclude if "with-custom-aliases"}
-automount: files nis {exclude if "with-custom-automount"}
-ethers: files nis {exclude if "with-custom-ethers"}
-group: files nis systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
-initgroups: files nis {exclude if "with-custom-initgroups"}
-netgroup: files nis {exclude if "with-custom-netgroup"}
-networks: files nis {exclude if "with-custom-networks"}
-passwd: files nis systemd {exclude if "with-custom-passwd"}
-protocols: files nis {exclude if "with-custom-protocols"}
-publickey: files nis {exclude if "with-custom-publickey"}
-rpc: files nis {exclude if "with-custom-rpc"}
-services: files nis {exclude if "with-custom-services"}
-shadow: files nis {exclude if "with-custom-shadow"}
+# In order of likelihood of use to accelerate lookup.
+passwd: files {if "with-altfiles":altfiles }nis systemd
+shadow: files nis
+group: files {if "with-altfiles":altfiles }nis systemd
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] nis myhostname dns
+services: files nis
+netgroup: files nis
+automount: files nis
+
+aliases: files nis
+ethers: files nis
+gshadow: files nis
+networks: files nis dns
+protocols: files nis
+publickey: files nis
+rpc: files nis
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 59871f7..fff913a 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
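Review bot: The new `gshadow: files nis` line lists `nis` as a source, but I do not believe glibc's nss_nis module implements the gshadow database, in which case that source never answers and the line could read `gshadow: files` as in the other profiles; please confirm against the installed libnss_nis before merging. The remaining lines in this hunk mirror the minimal profile with `nis` inserted after `files`, which looks consistent.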
@@ -79,6 +79,15 @@ with-sudo::
 with-pamaccess::
     Check access.conf during account authorization.
 
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
+
+with-mdns4::
+    Enable multicast DNS over IPv4.
+
+with-mdns6::
+    Enable multicast DNS over IPv6.
+
 with-files-domain::
     If set, SSSD will be contacted before "files" when resolving users and groups. The order in nsswitch.conf will be set to "sss files" instead of
@@ -97,29 +106,6 @@ with-files-access-provider::
 without-nullok::
     Do not add nullok parameter to pam_unix.
 
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
-
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
-
-with-custom-passwd::
-Ignore "passwd" database set by the profile.
-
-with-custom-group::
-Ignore "group" database set by the profile.
-
-with-custom-netgroup::
-Ignore "netgroup" database set by the profile.
-
-with-custom-automount::
-Ignore "automount" database set by the profile.
-
-with-custom-services::
-Ignore "services" database set by the profile.
-
 
 EXAMPLES
 --------
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 91c9fe9..526cbae 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,6 +1,17 @@
-passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
-group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
-netgroup: sss files {exclude if "with-custom-netgroup"}
-automount: sss files {exclude if "with-custom-automount"}
-services: sss files {exclude if "with-custom-services"}
-sudoers: files sss {include if "with-sudo"}
+# In order of likelihood of use to accelerate lookup.
+passwd: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
+shadow: files
+group: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services: files sss
+netgroup: files sss
+sudoers: files sss {include if "with-sudo"}
+automount: files sss
+
+aliases: files
+ethers: files
+gshadow: files
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 40a1a45..39a15fc 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
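Review bot: The `services:`, `netgroup:` and `automount:` lines flip the source order from `sss files` to `files sss`, so a local entry now shadows the SSSD one for those three databases, while the commit message only describes reordering the databases themselves. If the new precedence is intended, say so in the message or the README; otherwise keep `sss files` on those three lines. Also, with both `with-files-domain` and `with-altfiles` set the `passwd`/`group` lines resolve to `sss files altfiles systemd`, whereas the README for with-files-domain only promises `sss files`; a short note there would avoid surprises.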
@@ -60,22 +60,17 @@ with-silent-lastlog::
 with-pamaccess::
     Check access.conf during account authorization.
 
-without-nullok::
-    Do not add nullok parameter to pam_unix.
-
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
+with-altfiles::
+    Use nss_altfiles for passwd and group nsswitch databases.
 
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
+with-mdns4::
+    Enable multicast DNS over IPv4.
 
-with-custom-passwd::
-Ignore "passwd" database set by the profile.
+with-mdns6::
+    Enable multicast DNS over IPv6.
 
-with-custom-group::
-Ignore "group" database set by the profile.
+without-nullok::
+    Do not add nullok parameter to pam_unix.
 
 EXAMPLES
 --------
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 8a23bd7..b3ea72d 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,2 +1,16 @@
-passwd: files winbind systemd {exclude if "with-custom-passwd"}
-group: files winbind systemd {exclude if "with-custom-group"}
+# In order of likelihood of use to accelerate lookup.
+passwd: files {if "with-altfiles":altfiles }winbind systemd
+shadow: files
+group: files {if "with-altfiles":altfiles }winbind systemd
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
+services: files
+netgroup: files
+automount: files
+
+aliases: files
+ethers: files
+gshadow: files
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
-- 
2.27.0