Hi Pavel,
On 10/14/21 12:57 PM, Pavel Březina wrote:
> On 10/13/21 3:17 PM, Michael Catanzaro wrote:
>> On Wed, Oct 13 2021 at 10:22:14 AM +0200, Hans de Goede <hdegoede(a)redhat.com> wrote:
>>> Making what IMHO is a poor default of always using sssd everywhere
>>> hardcoded even deeper into Fedora seems like a bad idea to me.
>>
>> I think we can fix this at the same time. Make authselect default to its
>> minimal profile rather than its sssd profile, and make realmd responsible
>> for running authselect to enable the sssd profile when it is required. I
>> think realmd is already capable of installing the dependencies it needs
>> when enabled, right? This way, most Fedora systems would no longer run
>> sssd, but enabling enterprise login would not require manual
>> configuration for those who need it.
> Minimal profile is really minimal and does not provide almost any flexibility so imho it
> should not be used as a default. We could however create a new profile e.g.
> "local".
>
> SSSD is default because it was serving local users as well. This is no longer true since
> F35 [1], so there is certainly a possibility to switch the default, if the community
> desires it and it is certainly beneficial to do it together with this change.
>
> I don't see a strong reason to change the default profile. Local users go through
> nss_files and pam_unix, if SSSD is not running it does not do anything.
Sorry, I somehow completely missed the F35 change to make files the first entry
in nsswitch.conf by default now.
I see on the changes (1) page that SSSD now also no longer is started by default,
that is great.
Since SSSD already no longer runs by default, then I see no need
for a special "local" profile.
Thank you for your work on this!
Regards,
Hans
1) https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache