From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups

The passwd and group databases will now default to files first.
The order "sss files" can be enabled with the "with-files-domain"
feature (the name used in the README, REQUIREMENTS and nsswitch.conf below).
---
 profiles/sssd/README        | 5 +++++
 profiles/sssd/REQUIREMENTS  | 4 ++++
 profiles/sssd/nsswitch.conf | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
 with-pamaccess::
     Check access.conf during account authorization.
 
+with-files-domain::
+    If set, SSSD will be contacted before "files" when resolving users and
+    groups. The order in nsswitch.conf will be set to "sss files" instead of
+    "files sss" for passwd and group maps.
+
 with-files-access-provider::
     If set, account management for local users is handled also by pam_sss. This
     is needed if there is an explicitly configured domain with id_provider=files
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
 - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module                       {include if "with-mkhomedir"}
   is present and oddjobd service is enabled and active                                    {include if "with-mkhomedir"}
   - systemctl enable --now oddjobd.service                                                {include if "with-mkhomedir"}
+                                                                                          {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD          {include if "with-files-domain"}
+  - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf                 {include if "with-files-domain"}
+  - or create a custom domain with id_provider=files                                      {include if "with-files-domain"}
\ No newline at end of file
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd:     sss files systemd   {exclude if "with-custom-passwd"}
-group:      sss files systemd   {exclude if "with-custom-group"}
+passwd:     {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-passwd"}
+group:      {if "with-files-domain":sss files|files sss} systemd   {exclude if "with-custom-group"}
 netgroup:   sss files           {exclude if "with-custom-netgroup"}
 automount:  sss files           {exclude if "with-custom-automount"}
 services:   sss files           {exclude if "with-custom-services"}
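Review bot: With the new default `files sss` for the passwd and group maps, a name present in both /etc/passwd (or /etc/group) and SSSD now resolves to the local entry and the lookup stops there, since NSS returns on the first source that succeeds; previously SSSD answered first. That is the precedence change the commit intends, but the generated nsswitch.conf carries no comment saying so, and an administrator reading it will not see why a local account shadows a domain account of the same name or how to restore the old order. Suggest a comment above the passwd line: `# Local /etc/passwd and /etc/group entries take precedence over SSSD; select the with-files-domain feature to query SSSD first.` If merged group membership from both sources is wanted for the group map, that requires an explicit `[SUCCESS=merge]` action between `files` and `sss`, which this line does not set.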
-- 
2.29.2