From cc736849e2606552b07ed1b0d62a2d6c59ae6a3e Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 8 Apr 2021 17:15:51 -0700
Subject: [PATCH] ipa/client: split out prod and stg ipa user/group ignore file

We need to also add mock to sssd ignore groups/users, but for now since we are frozen, only do this in staging. After freeze, we should merge this back into one file.

Signed-off-by: Kevin Fenzi
---
 roles/ipa/client/files/fedora-nss-ignore.conf.staging | 6 ++++++
 roles/ipa/client/tasks/main.yml | 11 +++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 roles/ipa/client/files/fedora-nss-ignore.conf.staging
diff --git a/roles/ipa/client/files/fedora-nss-ignore.conf.staging b/roles/ipa/client/files/fedora-nss-ignore.conf.staging
new file mode 100644
index 0000000000..d0d0023615
--- /dev/null
+++ b/roles/ipa/client/files/fedora-nss-ignore.conf.staging
@@ -0,0 +1,6 @@
+## This file contains users who are in ipa to stop people from
+## creating restricted accounts but we want to make sure the id in
+## /etc/passwd and /etc/group are used.
+[nss]
+filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd,named,mock
+filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd,named,mock
diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 1aa1e7691a..b83257387d 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
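Review bot: The `filter_users` line of the new staging file has a double comma between `openvpn` and `chrony` (`openvpn,,chrony`), which hands sssd an empty filter entry; `filter_groups` directly below it has no such gap, so this reads as a typo rather than intent and should be `openvpn,chrony`. Whether sssd tolerates or rejects an empty name I cannot confirm from this patch, but since this file is what keeps the local `/etc/passwd` and `/etc/group` entries for `root` and the other system accounts authoritative over IPA, the section is worth validating with `sssctl config-check` on a staging host before relying on it. If the list was copied from the production file the same `,,` is probably there too, and it should be fixed in both before the files are merged back as the commit message plans. A one-line header comment would also help that merge, e.g. `## staging-only copy: adds "mock"; fold back into fedora-nss-ignore.conf after the freeze`.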
@@ -79,3 +79,14 @@
 notify:
 - restart sssd
 - clean sss caches
+ when: env == "production"
+
+- name: Ensure that nss knows to skip certain users
+ copy: src=fedora-nss-ignore.conf.staging dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=root
+ tags:
+ - ipa/client
+ - config
+ notify:
+ - restart sssd
+ - clean sss caches
+ when: env == "staging"
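Review bot: With `when: env == "production"` appended to the existing task and the new task gated on `when: env == "staging"`, a host whose `env` is any other value no longer receives `/etc/sssd/conf.d/fedora-nss-ignore.conf` at all, and a host with `env` undefined fails the conditional outright; the visible context suggests the original task ran unconditionally. Because this file is what stops IPA-held entries from shadowing the local `root`, `wheel`, `sshd` and similar system accounts, silently dropping it on a mis-labelled host is a regression worth avoiding. Gating the production copy with `when: env != "staging"` (or `when: env | default("production") != "staging"`) keeps the previous default while still letting staging pick up the new file. The task that receives the production `when` starts before this hunk, so I cannot see whether it already carries another condition or the same task name as the staging one; if it does, giving the staging task a distinct name such as `Ensure that nss knows to skip certain users (staging)` makes play output unambiguous.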