Currently /etc/nsswitch.conf has configurations like:
    passwd: sss files
    shadow: files sss
    group: sss files
The problem is that to make sure that certain users could not be
created in IPA (like nobody, root, etc.), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
* Update rsync configuration for production to sync the flatpak-indexer
output directories into the right place, in the same way as was done
for staging. The regindexer rsync module is renamed to flatpak-index
for clarity.
* Update the registry.fedoraproject.org to use the flatpak-indexer
rules for production.
* Remove the regindexer role
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
If either `ipa_client_shell_groups` or `ipa_client_sudo_groups` is
unset or empty, sysadmin-main will still be able to log in and sudo.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Nobody is using devel stack except for Copr Team, and we run heavily
parallelized unit tests so we enjoy more concurrent VMs. In case there
are no tasks processed, the VM count goes down anyway to the setup in
pool.yaml. So this change actually doesn't mean more VMs are going to be
wasted in normal situations.
Note that this will not yet work; it needs the RHIT firewall between
vlans opened on these ports first, but after that this is needed to
allow them to use those ports.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).
Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Evaluating ipa_client_shell_group from another group won't work this
way. Hardcode the list until we have a better solution.
Signed-off-by: Nils Philippsen <nils@redhat.com>