Allow sssd to ignore special users
Currently /etc/nsswitch.conf has configurations like

    passwd: sss files
    shadow: files sss
    group: sss files

The problem is that to make sure that certain users could not be created in IPA (like nobody, root, etc.), they were already created but in a restricted group. In order to allow sss to work for postfix, nfs, nobody and such, the sssd.conf needs to ignore them in the nss section. This adds a file which will do that.

Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
parent 2d5ec6dce3
commit f7519b408b
2 changed files with 13 additions and 0 deletions
6
roles/ipa/client/files/fedora-nss-ignore.conf
Normal file
|
@ -0,0 +1,6 @@
|
|||
## This file contains users who are in ipa to stop people from
|
||||
## creating restricted accounts but we want to make sure the id in
|
||||
## /etc/passwd and /etc/group are used.
|
||||
[nss]
|
||||
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,avahi-autoipd,dbus,polkitd,rpc,tss,ntp,rpcuser,nfsnobody,postfix,sshd,nagios,nrpe,openvpn,,chrony,sssd
|
||||
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,avahi-autoipd,ssh_keys,systemd-journal,dbus,rpc,tss,ntp,dip,rpcuser,nfsnobody,postdrop,postfix,sshd,screen,nagios,nrpe,openvpn,input,systemd-bus-proxy,systemd-network,cgred,chrony,printadmin,sssd
|
|
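Review bot: the filter_users line carries an empty entry between openvpn and chrony (`openvpn,,chrony`); remove the extra comma so the list contains no blank name and does not depend on how the parser treats empty items. The two lists are also long, hand-maintained literals, so a short comment saying how they were derived (for example, from the local /etc/passwd and /etc/group of a base install) would help whoever has to add the next system account. Since this file decides which names resolve locally instead of through IPA, it is worth confirming that every account already present in the restricted IPA group appears here, otherwise the remaining ones will still be answered by sss first under the nsswitch order quoted in the commit message.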
@ -39,3 +39,10 @@
|
|||
host: "{{ item[2] | list }}"
|
||||
loop: "{{ ipa_server_host_groups_hosts }}"
|
||||
when: ipa_server_host_groups_hosts is defined
|
||||
|
||||
- name: Ensure that nss knows to skip certain users
|
||||
copy: src=fedora-nss-ignore.conf dest=/etc/sssd/conf.d/ mode=600 owner=root group=root
|
||||
tags:
|
||||
- ipa/client
|
||||
- config
|
||||
notify: clean sss caches
|
||||
|
|
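Review bot: the new task's `notify: clean sss caches` refers to a handler that is not part of this diff, and clearing caches alone may not be enough, because sssd reads its configuration, including files under /etc/sssd/conf.d/, at startup. Please confirm the handler restarts sssd, or notify a restart handler as well, so the filter_users and filter_groups settings actually take effect on hosts where sssd is already running. As a style point, the `copy:` line uses the inline key=value form; the YAML dictionary form with a quoted `mode: "0600"` is easier to read and avoids any ambiguity about octal handling.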