On Mon, Feb 17, 2020 at 11:24 am, Pavel Březina <pbrezina(a)redhat.com>
wrote:
This is the systemd module, right? There was some discussion about it
in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...
I don't really have all the information, but apparently there are some
collisions with LDAP/FreeIPA and it is not supposed to be enabled by
default.
Thanks, this is good to know.
> Next question, I have:
>
> passwd: sss files systemd
> shadow: files sss
> group: sss files systemd
>
> The difference is that authselect doesn't write the shadow line [1],
> that one is coming from our glibc [2]. (glibc is already patched to
> enable sssd.) That inconsistency seems odd; shouldn't authselect be
> modifying the shadow line as well?
SSSD does not support shadow, therefore it is not added by authselect.
IMHO it should be removed from the glibc nsswitch.conf as well.
OK:
https://src.fedoraproject.org/rpms/glibc/pull-request/17
> Then it also doesn't make sense that we put files before sss in half
> the lines, and sss before files in the other half.
Basically only passwd and group need to have sss consulted first,
because SSSD now handles local users as well, and this way glibc
first consults the SSSD in-memory cache before reading from disk.
It does not matter with the other maps. It makes sense to me to have
SSSD first because nowadays, if you are joined to a remote domain, you
have these maps served by SSSD from LDAP rather than having the
configuration in files, at least in enterprise scenarios.
sudoers has files first because there is always /etc/sudoers with at
least %wheel, so it makes sense to read it first.
Thanks for the info,
Michael
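As an added example (not code from this thread, authselect or glibc), here is a small check that parses an nsswitch.conf and flags maps whose source ordering deviates from the conventions described above: sss before files for passwd and group, no sss on shadow, and files first for sudoers. The sample file is constructed to match the lines quoted in the thread.

```python
"""Check nsswitch.conf source ordering against the conventions from the thread.

Rules encoded (taken from the discussion, not from any tool's own logic):
- passwd and group list sss before files (SSSD caches local users in memory)
- shadow carries no sss entry (SSSD does not serve the shadow map)
- sudoers lists files first (/etc/sudoers always exists, with at least %wheel)
"""

# Constructed sample, shaped like the nsswitch.conf quoted in the thread.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
sudoers:    files sss
"""


def parse_nsswitch(text):
    """Return {map_name: [sources]} with comments, blank lines and
    action specifiers such as [NOTFOUND=return] stripped."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        maps[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return maps


def check_ordering(maps):
    """Return a list of findings; an empty list means every rule is satisfied."""
    findings = []
    for m in ("passwd", "group"):
        src = maps.get(m, [])
        if "sss" in src and "files" in src and src.index("sss") > src.index("files"):
            findings.append(f"{m}: files listed before sss")
    if "sss" in maps.get("shadow", []):
        findings.append("shadow: sss listed but SSSD does not serve shadow")
    sudo = maps.get("sudoers", [])
    if sudo and sudo[0] != "files":
        findings.append("sudoers: files should be consulted first")
    return findings


if __name__ == "__main__":
    for finding in check_ordering(parse_nsswitch(SAMPLE)):
        print(finding)
```

Running it against a live system is a matter of replacing SAMPLE with the contents of /etc/nsswitch.conf.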