Currently /etc/nsswitch.conf has configurations like:
    passwd: sss files
    shadow: files sss
    group: sss files
The problem is that to make sure that certain users could not be
created in IPA (like nobody, root, etc.), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
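
An added example, not part of the commit above: a check that reports which local accounts sssd would still answer for when `sss` is listed ahead of `files`. It assumes the ignore list is expressed with sssd's `filter_users` and `filter_groups` options in the `[nss]` section; the sample files and account names are constructed.

```python
import configparser

# Constructed sample inputs (not taken from the commit).
NSSWITCH = """\
passwd: sss files
shadow: files sss
group: sss files
"""
SSSD_CONF = """\
[sssd]
services = nss, pam

[nss]
filter_users = root, nobody, postfix
filter_groups = root, nobody
"""
LOCAL_USERS = ["root", "nobody", "postfix", "nfsnobody"]
LOCAL_GROUPS = ["root", "nobody", "postfix"]


def sss_before_files(nsswitch_text, database):
    """True if 'sss' is consulted ahead of 'files' for the given database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith(database + ":"):
            continue
        # Drop action items such as [NOTFOUND=return]; keep source names only.
        sources = [s for s in line.split(":", 1)[1].split() if not s.startswith("[")]
        if "sss" not in sources:
            return False
        return "files" not in sources or sources.index("sss") < sources.index("files")
    return False


def filtered_names(sssd_text, option):
    """Names listed under [nss] for the option (sssd's built-in defaults are not modelled)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    raw = cfg.get("nss", option, fallback="")
    return {n.strip() for n in raw.split(",") if n.strip()}


def unfiltered(nsswitch_text, sssd_text, database, option, local_names):
    """Local names that sssd would still resolve ahead of the files source."""
    if not sss_before_files(nsswitch_text, database):
        return []
    skip = filtered_names(sssd_text, option)
    return [n for n in local_names if n not in skip]
```
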
With set_facts, if an element of a list is undefined, the containing
fact variable becomes a string. Something Sirius Cybernetics Corporation
something something.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Don't attempt to loop over undefined variables. This can happen if the
relevant `ipa_*` variables aren't defined for any host in the play.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The reason for this is to avoid having to do the same or similar things
over and over again for each host in the play, especially since these
operations are delegated to the IPA server, i.e. had to run sequentially
host after host in order to avoid race conditions.
To achieve this, the IPA client related group variables are prepared in
suitable structures in `prepare-ipa-info.yml` and consumed by
`common.yml`, `hbac.yml` and `sudo.yml`, which do most operations in one
go per e.g. host group on the affected IPA server(s).
Additionally:
- Remove compat for legacy `fas_client_groups`, only check for its
  presence and warn.
- Remove the prepared but masked out task to manage password-less sudo
  access.
- Make yamllint a little happier on the changed files.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The `common.yml` sub-playbook runs tasks necessary for the `hbac.yml`
and `sudo.yml` sub-playbooks, but not specific to either.
Signed-off-by: Nils Philippsen <nils@redhat.com>