On 2/14/20 8:19 PM, Michael Catanzaro wrote:
On Thu, Feb 13, 2020 at 7:13 pm, Michael Catanzaro
> Why don't we have mymachines here?
This is a systemd module, right? There was some discussion about it in:
I don't really have all the information but apparently there are some
collisions with LDAP/FreeIPA and it is not supposed to be enabled by default.
> Next question, I have:
> passwd: sss files systemd
> shadow: files sss
> group: sss files systemd
> The difference is that authselect doesn't write the shadow line,
> that one is coming from our glibc. (glibc is already patched to
> enable sssd.) That inconsistency seems odd; shouldn't authselect be
> modifying the shadow line as well?
SSSD does not support shadow, therefore it is not added by authselect.
IMHO it should be removed from glibc nsswitch.conf as well.
> Then it also doesn't make sense that we put files before sss in
> lines, and sss before files in the other half.
Basically only passwd and group need to have sss consulted first
because SSSD now handles local users as well, and this way glibc will
first consult the SSSD in-memory cache before reading from disk.
It does not matter with the other maps. It makes sense to me to have
SSSD first because nowadays if you are joined to a remote domain you
have these maps served by SSSD from LDAP rather than having the
configuration in files, at least in enterprise scenarios.
sudoers has files first because there is always /etc/sudoers with at
least %wheel, so it makes sense to read it first.
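
The ordering points from this message, as an added example that is not part of the original email and not code from authselect, glibc or SSSD: a small checker that parses nsswitch.conf text and reports a shadow line that lists sss, and passwd or group lines where files is consulted before sss. The function names and both sample configurations are constructed for illustration; the first sample reuses the three lines quoted in the thread.

```python
import re

def parse_nsswitch(text):
    """Return {database: [service, ...]} parsed from nsswitch.conf text."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep service names only.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        maps[db.strip()] = rest.split()
    return maps

def check_sss_ordering(text):
    """Return a list of findings based on the rules stated in the thread."""
    maps = parse_nsswitch(text)
    findings = []
    # SSSD does not support the shadow map, so sss there has no effect.
    if "sss" in maps.get("shadow", []):
        findings.append("shadow: lists sss, which SSSD does not support")
    # passwd and group should reach the SSSD in-memory cache before files.
    for db in ("passwd", "group"):
        services = maps.get(db, [])
        if "sss" in services and "files" in services:
            if services.index("files") < services.index("sss"):
                findings.append(f"{db}: files is consulted before sss")
    return findings

# Constructed sample 1: the three lines quoted in the message.
SAMPLE_FROM_THREAD = """\
passwd: sss files systemd
shadow: files sss
group: sss files systemd
"""

# Constructed sample 2: mixed ordering, a comment, and an action item.
SAMPLE_MIXED = """\
# constructed example
passwd: files sss systemd
shadow: files
group:  sss [NOTFOUND=return] files
sudoers: files sss
"""

if __name__ == "__main__":
    for name, cfg in (("thread", SAMPLE_FROM_THREAD), ("mixed", SAMPLE_MIXED)):
        print(name, check_sss_ordering(cfg) or "no findings")
```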