From f7519b408bf074853dfd91ed2a374898005b485c Mon Sep 17 00:00:00 2001
From: Stephen Smoogen
Date: Sat, 27 Mar 2021 12:20:35 -0400
Subject: [PATCH] Allow sssd to ignore special users

Currently /etc/nsswitch.conf has configurations like
passwd: sss files
shadow: files sss
group: sss files
The problem is that to make sure that certain users could not be created in IPA (like nobody root etc), they were already created but in a restricted group. In order to allow sss to work for postfix, nfs, nobody and such, the sssd.conf needs to ignore them in the nss section. This adds a file which will do that.

Signed-off-by: Stephen Smoogen
---
 roles/ipa/client/files/fedora-nss-ignore.conf | 6 ++++++
 roles/ipa/client/tasks/common.yml | 7 +++++++
 2 files changed, 13 insertions(+)
 create mode 100644 roles/ipa/client/files/fedora-nss-ignore.conf

diff --git a/roles/ipa/client/files/fedora-nss-ignore.conf b/roles/ipa/client/files/fedora-nss-ignore.conf
new file mode 100644
index 0000000000..0e65ad0398
--- /dev/null
+++ b/roles/ipa/client/files/fedora-nss-ignore.conf
@@ -0,0 +1,6 @@
+## This file contains users who are in ipa to stop people from
+## creating restricted accounts but we want to make sure the id in
+## /etc/passwd and /etc/group are used.
+[nss]
+filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd
+filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd
diff --git a/roles/ipa/client/tasks/common.yml b/roles/ipa/client/tasks/common.yml
index 76326af053..fe0b08b9e8 100644
--- a/roles/ipa/client/tasks/common.yml
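Review bot: The `filter_users` line in the new snippet contains an empty entry from the doubled comma in `openvpn,,chrony`; it should read `…,openvpn,chrony,sssd` so sssd does not get a blank name in the list. Per sssd.conf(5), keys set in a `/etc/sssd/conf.d/*.conf` snippet override the same key in `sssd.conf` rather than extending it, so the header comment should say that this list replaces any `filter_users`/`filter_groups` already configured there. The filter is name-based: with `passwd: sss files` in nsswitch.conf, a local system account whose name is not on this list can still be shadowed by an IPA entry of the same name, which is worth stating in the comment so future local accounts get added here. `filter_groups` also includes `wheel` and `users`, meaning IPA-side membership in those groups is invisible to NSS on these hosts; if that is intended as a privilege-separation measure, a one-line comment saying so would stop someone "fixing" it later.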
+++ b/roles/ipa/client/tasks/common.yml
@@ -39,3 +39,10 @@
     host: "{{ item[2] | list }}"
   loop: "{{ ipa_server_host_groups_hosts }}"
   when: ipa_server_host_groups_hosts is defined
+
+- name: Ensure that nss knows to skip certain users
+  copy: src=fedora-nss-ignore.conf dest=/etc/sssd/conf.d/ mode=600 owner=root group=root
+  tags:
+    - ipa/client
+    - config
+  notify: clean sss caches
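Review bot: sssd reads `sssd.conf` and the `conf.d` snippets only when the daemon starts, so the `notify: clean sss caches` on the last added line will not apply the new filter unless that handler (not visible here) also restarts sssd; if it only runs `sss_cache`, the task should additionally notify the role's sssd restart handler, otherwise the filter silently takes effect only on the next reboot. The `copy:` line uses free-form `key=value` arguments with a bare `mode=600` and a directory-only `dest=`; writing them as a YAML mapping with `mode: "0600"` and the full destination filename removes the reliance on the free-form parser keeping the mode a string and makes the installed path searchable. Root ownership and 0600 are what sssd requires to load a snippet, so those values should stay as they are. The loop task whose `host:`/`loop:`/`when:` lines appear as context starts outside the hunk.
```yaml
- name: Ensure that nss knows to skip certain users
  copy:
    src: fedora-nss-ignore.conf
    dest: /etc/sssd/conf.d/fedora-nss-ignore.conf
    owner: root
    group: root
    mode: "0600"
  # … unchanged: tags and notify (notify should also trigger an sssd restart) …
```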