From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
The passwd and group databases will now default to files first.
The order "sss files" can be enabled with "with-files-provider"
feature.
---
profiles/sssd/README | 5 +++++
profiles/sssd/REQUIREMENTS | 4 ++++
profiles/sssd/nsswitch.conf | 4 ++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
with-files-access-provider::
If set, account management for local users is handled also by pam_sss. This
is needed if there is an explicitly configured domain with id_provider=files
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
\ No newline at end of file
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: sss files systemd {exclude if "with-custom-passwd"}
-group: sss files systemd {exclude if "with-custom-group"}
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
netgroup: sss files {exclude if "with-custom-netgroup"}
automount: sss files {exclude if "with-custom-automount"}
services: sss files {exclude if "with-custom-services"}
--
2.29.2