ipa/client: split out prod and stg ipa user/group ignore file
We need to also add mock to sssd ignore groups/users, but for now since we are frozen, only do this in staging. After freeze, we should merge this back into one file. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi
parent
5c397154fc
commit
cc736849e2
2 changed files with 17 additions and 0 deletions
6
roles/ipa/client/files/fedora-nss-ignore.conf.staging
Normal file
6
roles/ipa/client/files/fedora-nss-ignore.conf.staging
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
## This file contains users who are in ipa to stop people from
|
||||
## creating restricted accounts but we want to make sure the id in
|
||||
## /etc/passwd and /etc/group are used.
|
||||
[nss]
|
||||
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd,named,mock
|
||||
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd,named,mock
|
||||
|
|
@ -79,3 +79,14 @@
|
|||
notify:
|
||||
- restart sssd
|
||||
- clean sss caches
|
||||
when: env == "production"
|
||||
|
||||
- name: Ensure that nss knows to skip certain users
|
||||
copy: src=fedora-nss-ignore.conf.staging dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=root
|
||||
tags:
|
||||
- ipa/client
|
||||
- config
|
||||
notify:
|
||||
- restart sssd
|
||||
- clean sss caches
|
||||
when: env == "staging"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue