From 3e3a473c66c24b621838c1285f1f808149d3967b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
Date: Tue, 16 Nov 2021 13:10:12 +0100
|
|
Subject: [PATCH] profiles: update nsswitch.conf due to user-nsswitch.conf
|
|
removal
|
|
|
|
user-nsswitch.conf support is now disabled by default, therefore
|
|
we need to support important modules (altfiles, mdns) and include
|
|
all databases again in the profile.
|
|
|
|
- add mdns support
|
|
- add altfiles support
|
|
- include all databases in all profiles
|
|
- reorder databases in order of likelihood (taken from glibc)
|
|
|
|
Resolves: https://github.com/authselect/authselect/issues/282
|
|
---
|
|
profiles/minimal/README | 56 ++++-----------------------------
|
|
profiles/minimal/nsswitch.conf | 30 +++++++++---------
|
|
profiles/nis/README | 57 +++++-----------------------------
|
|
profiles/nis/nsswitch.conf | 30 +++++++++---------
|
|
profiles/sssd/README | 32 ++++++-------------
|
|
profiles/sssd/nsswitch.conf | 23 ++++++++++----
|
|
profiles/winbind/README | 21 +++++--------
|
|
profiles/winbind/nsswitch.conf | 18 +++++++++--
|
|
8 files changed, 96 insertions(+), 171 deletions(-)
|
|
|
|
diff --git a/profiles/minimal/README b/profiles/minimal/README
|
|
index 131ff14..11548ba 100644
|
|
--- a/profiles/minimal/README
|
|
+++ b/profiles/minimal/README
|
|
@@ -35,58 +35,14 @@ with-pamaccess::
|
|
with-altfiles::
|
|
Use nss_altfiles for passwd and group nsswitch databases.
|
|
|
|
-without-nullok::
|
|
- Do not add nullok parameter to pam_unix.
|
|
-
|
|
-DISABLE SPECIFIC NSSWITCH DATABASES
|
|
------------------------------------
|
|
-
|
|
-Normally, nsswitch databases set by the profile overwrites values set in
|
|
-user-nsswitch.conf. The following options can force authselect to
|
|
-ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
-instead.
|
|
-
|
|
-with-custom-aliases::
|
|
-Ignore "aliases" map set by the profile.
|
|
-
|
|
-with-custom-automount::
|
|
-Ignore "automount" map set by the profile.
|
|
-
|
|
-with-custom-ethers::
|
|
-Ignore "ethers" map set by the profile.
|
|
-
|
|
-with-custom-group::
|
|
-Ignore "group" map set by the profile.
|
|
-
|
|
-with-custom-hosts::
|
|
-Ignore "hosts" map set by the profile.
|
|
+with-mdns4::
|
|
+ Enable multicast DNS over IPv4.
|
|
|
|
-with-custom-initgroups::
|
|
-Ignore "initgroups" map set by the profile.
|
|
+with-mdns6::
|
|
+ Enable multicast DNS over IPv6.
|
|
|
|
-with-custom-netgroup::
|
|
-Ignore "netgroup" map set by the profile.
|
|
-
|
|
-with-custom-networks::
|
|
-Ignore "networks" map set by the profile.
|
|
-
|
|
-with-custom-passwd::
|
|
-Ignore "passwd" map set by the profile.
|
|
-
|
|
-with-custom-protocols::
|
|
-Ignore "protocols" map set by the profile.
|
|
-
|
|
-with-custom-publickey::
|
|
-Ignore "publickey" map set by the profile.
|
|
-
|
|
-with-custom-rpc::
|
|
-Ignore "rpc" map set by the profile.
|
|
-
|
|
-with-custom-services::
|
|
-Ignore "services" map set by the profile.
|
|
-
|
|
-with-custom-shadow::
|
|
-Ignore "shadow" map set by the profile.
|
|
+without-nullok::
|
|
+ Do not add nullok parameter to pam_unix.
|
|
|
|
EXAMPLES
|
|
--------
|
|
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
|
|
index a9e4bc7..6c3c355 100644
|
|
--- a/profiles/minimal/nsswitch.conf
|
|
+++ b/profiles/minimal/nsswitch.conf
|
|
@@ -1,14 +1,16 @@
|
|
-aliases: files {exclude if "with-custom-aliases"}
|
|
-automount: files {exclude if "with-custom-automount"}
|
|
-ethers: files {exclude if "with-custom-ethers"}
|
|
-group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
|
|
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
|
|
-initgroups: files {exclude if "with-custom-initgroups"}
|
|
-netgroup: files {exclude if "with-custom-netgroup"}
|
|
-networks: files {exclude if "with-custom-networks"}
|
|
-passwd: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"}
|
|
-protocols: files {exclude if "with-custom-protocols"}
|
|
-publickey: files {exclude if "with-custom-publickey"}
|
|
-rpc: files {exclude if "with-custom-rpc"}
|
|
-services: files {exclude if "with-custom-services"}
|
|
-shadow: files {exclude if "with-custom-shadow"}
|
|
\ No newline at end of file
|
|
+# In order of likelihood of use to accelerate lookup.
|
|
+passwd: files {if "with-altfiles":altfiles }systemd
|
|
+shadow: files
|
|
+group: files {if "with-altfiles":altfiles }systemd
|
|
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
|
|
+services: files
|
|
+netgroup: files
|
|
+automount: files
|
|
+
|
|
+aliases: files
|
|
+ethers: files
|
|
+gshadow: files
|
|
+networks: files dns
|
|
+protocols: files
|
|
+publickey: files
|
|
+rpc: files
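Review bot: The new `hosts` line inserts the mdns_minimal modules without the `[NOTFOUND=return]` action that nss-mdns documents for them, so a `.local` name that multicast DNS cannot answer falls through to `resolve` and `dns` and goes out as a unicast query; those modules only handle the `.local` domain, so the action is safe and is what the upstream nss-mdns examples use. The three conditional branches would become `{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }`, `{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }` and `{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }`. The same hosts line is added in the nis, sssd and winbind nsswitch.conf hunks and needs the same change there.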
|
|
diff --git a/profiles/nis/README b/profiles/nis/README
|
|
index 5dbb9b4..9f629db 100644
|
|
--- a/profiles/nis/README
|
|
+++ b/profiles/nis/README
|
|
@@ -50,58 +50,17 @@ with-nispwquality::
|
|
for NIS users as well as local users during password change. Without this
|
|
option only local users passwords are checked.
|
|
|
|
-without-nullok::
|
|
- Do not add nullok parameter to pam_unix.
|
|
-
|
|
-DISABLE SPECIFIC NSSWITCH DATABASES
|
|
------------------------------------
|
|
-
|
|
-Normally, nsswitch databases set by the profile overwrites values set in
|
|
-user-nsswitch.conf. The following options can force authselect to
|
|
-ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
-instead.
|
|
-
|
|
-with-custom-aliases::
|
|
-Ignore "aliases" map set by the profile.
|
|
-
|
|
-with-custom-automount::
|
|
-Ignore "automount" map set by the profile.
|
|
-
|
|
-with-custom-ethers::
|
|
-Ignore "ethers" map set by the profile.
|
|
-
|
|
-with-custom-group::
|
|
-Ignore "group" map set by the profile.
|
|
-
|
|
-with-custom-hosts::
|
|
-Ignore "hosts" map set by the profile.
|
|
+with-altfiles::
|
|
+ Use nss_altfiles for passwd and group nsswitch databases.
|
|
|
|
-with-custom-initgroups::
|
|
-Ignore "initgroups" map set by the profile.
|
|
+with-mdns4::
|
|
+ Enable multicast DNS over IPv4.
|
|
|
|
-with-custom-netgroup::
|
|
-Ignore "netgroup" map set by the profile.
|
|
+with-mdns6::
|
|
+ Enable multicast DNS over IPv6.
|
|
|
|
-with-custom-networks::
|
|
-Ignore "networks" map set by the profile.
|
|
-
|
|
-with-custom-passwd::
|
|
-Ignore "passwd" map set by the profile.
|
|
-
|
|
-with-custom-protocols::
|
|
-Ignore "protocols" map set by the profile.
|
|
-
|
|
-with-custom-publickey::
|
|
-Ignore "publickey" map set by the profile.
|
|
-
|
|
-with-custom-rpc::
|
|
-Ignore "rpc" map set by the profile.
|
|
-
|
|
-with-custom-services::
|
|
-Ignore "services" map set by the profile.
|
|
-
|
|
-with-custom-shadow::
|
|
-Ignore "shadow" map set by the profile.
|
|
+without-nullok::
|
|
+ Do not add nullok parameter to pam_unix.
|
|
|
|
EXAMPLES
|
|
--------
|
|
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
|
|
index 50a3ffb..e60eeaa 100644
|
|
--- a/profiles/nis/nsswitch.conf
|
|
+++ b/profiles/nis/nsswitch.conf
|
|
@@ -1,14 +1,16 @@
|
|
-aliases: files nis {exclude if "with-custom-aliases"}
|
|
-automount: files nis {exclude if "with-custom-automount"}
|
|
-ethers: files nis {exclude if "with-custom-ethers"}
|
|
-group: files nis systemd {exclude if "with-custom-group"}
|
|
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
|
|
-initgroups: files nis {exclude if "with-custom-initgroups"}
|
|
-netgroup: files nis {exclude if "with-custom-netgroup"}
|
|
-networks: files nis {exclude if "with-custom-networks"}
|
|
-passwd: files nis systemd {exclude if "with-custom-passwd"}
|
|
-protocols: files nis {exclude if "with-custom-protocols"}
|
|
-publickey: files nis {exclude if "with-custom-publickey"}
|
|
-rpc: files nis {exclude if "with-custom-rpc"}
|
|
-services: files nis {exclude if "with-custom-services"}
|
|
-shadow: files nis {exclude if "with-custom-shadow"}
|
|
+# In order of likelihood of use to accelerate lookup.
|
|
+passwd: files {if "with-altfiles":altfiles }nis systemd
|
|
+shadow: files nis
|
|
+group: files {if "with-altfiles":altfiles }nis systemd
|
|
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] nis myhostname dns
|
|
+services: files nis
|
|
+netgroup: files nis
|
|
+automount: files nis
|
|
+
|
|
+aliases: files nis
|
|
+ethers: files nis
|
|
+gshadow: files nis
|
|
+networks: files nis dns
|
|
+protocols: files nis
|
|
+publickey: files nis
|
|
+rpc: files nis
|
|
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
|
index 59871f7..fff913a 100644
|
|
--- a/profiles/sssd/README
|
|
+++ b/profiles/sssd/README
|
|
@@ -79,6 +79,15 @@ with-sudo::
|
|
with-pamaccess::
|
|
Check access.conf during account authorization.
|
|
|
|
+with-altfiles::
|
|
+ Use nss_altfiles for passwd and group nsswitch databases.
|
|
+
|
|
+with-mdns4::
|
|
+ Enable multicast DNS over IPv4.
|
|
+
|
|
+with-mdns6::
|
|
+ Enable multicast DNS over IPv6.
|
|
+
|
|
with-files-domain::
|
|
If set, SSSD will be contacted before "files" when resolving users and
|
|
groups. The order in nsswitch.conf will be set to "sss files" instead of
|
|
@@ -97,29 +106,6 @@ with-files-access-provider::
|
|
without-nullok::
|
|
Do not add nullok parameter to pam_unix.
|
|
|
|
-DISABLE SPECIFIC NSSWITCH DATABASES
|
|
------------------------------------
|
|
-
|
|
-Normally, nsswitch databases set by the profile overwrites values set in
|
|
-user-nsswitch.conf. The following options can force authselect to
|
|
-ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
-instead.
|
|
-
|
|
-with-custom-passwd::
|
|
-Ignore "passwd" database set by the profile.
|
|
-
|
|
-with-custom-group::
|
|
-Ignore "group" database set by the profile.
|
|
-
|
|
-with-custom-netgroup::
|
|
-Ignore "netgroup" database set by the profile.
|
|
-
|
|
-with-custom-automount::
|
|
-Ignore "automount" database set by the profile.
|
|
-
|
|
-with-custom-services::
|
|
-Ignore "services" database set by the profile.
|
|
-
|
|
EXAMPLES
|
|
--------
|
|
|
|
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
|
|
index 91c9fe9..526cbae 100644
|
|
--- a/profiles/sssd/nsswitch.conf
|
|
+++ b/profiles/sssd/nsswitch.conf
|
|
@@ -1,6 +1,17 @@
|
|
-passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
|
|
-group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
|
|
-netgroup: sss files {exclude if "with-custom-netgroup"}
|
|
-automount: sss files {exclude if "with-custom-automount"}
|
|
-services: sss files {exclude if "with-custom-services"}
|
|
-sudoers: files sss {include if "with-sudo"}
|
|
+# In order of likelihood of use to accelerate lookup.
|
|
+passwd: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
|
|
+shadow: files
|
|
+group: {if "with-files-domain":sss }files {if "with-altfiles":altfiles }{if not "with-files-domain":sss }systemd
|
|
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
|
|
+services: files sss
|
|
+netgroup: files sss
|
|
+sudoers: files sss {include if "with-sudo"}
|
|
+automount: files sss
|
|
+
|
|
+aliases: files
|
|
+ethers: files
|
|
+gshadow: files
|
|
+networks: files dns
|
|
+protocols: files
|
|
+publickey: files
|
|
+rpc: files
|
|
diff --git a/profiles/winbind/README b/profiles/winbind/README
|
|
index 40a1a45..39a15fc 100644
|
|
--- a/profiles/winbind/README
|
|
+++ b/profiles/winbind/README
|
|
@@ -60,22 +60,17 @@ with-silent-lastlog::
|
|
with-pamaccess::
|
|
Check access.conf during account authorization.
|
|
|
|
-without-nullok::
|
|
- Do not add nullok parameter to pam_unix.
|
|
-
|
|
-DISABLE SPECIFIC NSSWITCH DATABASES
|
|
------------------------------------
|
|
+with-altfiles::
|
|
+ Use nss_altfiles for passwd and group nsswitch databases.
|
|
|
|
-Normally, nsswitch databases set by the profile overwrites values set in
|
|
-user-nsswitch.conf. The following options can force authselect to
|
|
-ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
-instead.
|
|
+with-mdns4::
|
|
+ Enable multicast DNS over IPv4.
|
|
|
|
-with-custom-passwd::
|
|
-Ignore "passwd" database set by the profile.
|
|
+with-mdns6::
|
|
+ Enable multicast DNS over IPv6.
|
|
|
|
-with-custom-group::
|
|
-Ignore "group" database set by the profile.
|
|
+without-nullok::
|
|
+ Do not add nullok parameter to pam_unix.
|
|
|
|
EXAMPLES
|
|
--------
|
|
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
|
|
index 8a23bd7..b3ea72d 100644
|
|
--- a/profiles/winbind/nsswitch.conf
|
|
+++ b/profiles/winbind/nsswitch.conf
|
|
@@ -1,2 +1,16 @@
|
|
-passwd: files winbind systemd {exclude if "with-custom-passwd"}
|
|
-group: files winbind systemd {exclude if "with-custom-group"}
|
|
+# In order of likelihood of use to accelerate lookup.
|
|
+passwd: files {if "with-altfiles":altfiles }winbind systemd
|
|
+shadow: files
|
|
+group: files {if "with-altfiles":altfiles }winbind systemd
|
|
+hosts: files {if "with-mdns4" and "with-mdns6":mdns_minimal }{if "with-mdns4" and not "with-mdns6":mdns4_minimal }{if not "with-mdns4" and "with-mdns6":mdns6_minimal }resolve [!UNAVAIL=return] myhostname dns
|
|
+services: files
|
|
+netgroup: files
|
|
+automount: files
|
|
+
|
|
+aliases: files
|
|
+ethers: files
|
|
+gshadow: files
|
|
+networks: files dns
|
|
+protocols: files
|
|
+publickey: files
|
|
+rpc: files
|
|
--
|
|
2.27.0
|
|
|