Allow sssd to ignore special users

Currently /etc/nsswitch.conf has configurations like

passwd:     sss files
shadow:     files sss
group:      sss files

The problem is that to make sure that certain users could not be
created in IPA (like nobody, root, etc.), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.

Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
Stephen Smoogen
2021-03-27 12:20:35 -04:00
parent 2d5ec6dce3
commit f7519b408b
2 changed files with 13 additions and 0 deletions

@@ -39,3 +39,10 @@
host: "{{ item[2] | list }}"
loop: "{{ ipa_server_host_groups_hosts }}"
when: ipa_server_host_groups_hosts is defined
- name: Ensure that nss knows to skip certain users
copy: src=fedora-nss-ignore.conf dest=/etc/sssd/conf.d/ mode=600 owner=root group=root
tags:
- ipa/client
- config
notify: clean sss caches
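
Review bot: `notify: clean sss caches` on the new task depends on a handler that this hunk does not add, so confirm a handler with exactly that name exists in the role. Also confirm that sssd is restarted after the copy, not only its caches cleared: sssd reads its configuration at startup, so a cache flush alone does not make it pick up a new file in /etc/sssd/conf.d/. On style, the copy arguments are packed into one key=value line; a YAML mapping with the mode as a quoted octal string (`mode: '0600'`) and a full destination path (`dest: /etc/sssd/conf.d/fedora-nss-ignore.conf`) would make the intended permissions and target file explicit.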