Re: How to get proper nsswitch.conf?
On Mon, Feb 17, 2020 at 11:24 am, Pavel Březina wrote:
> This is a systemd module, right? There was some discussion about it in:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P/#PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P
>
> I don't really have all the information but apparently there are some collisions with LDAP/FreeIPA and it is not supposed to be enabled by default.

Thanks, this is good to know.

>> Next question, I have:
>>
>> passwd: sss files systemd
>> shadow: files sss
>> group: sss files systemd
>>
>> The difference is that authselect doesn't write the shadow line [1], that one is coming from our glibc [2]. (glibc is already patched to enable sssd.) That inconsistency seems odd; shouldn't authselect be modifying the shadow line as well?
>
> SSSD does not support shadow therefore it is not added by authselect. IMHO it should be removed from glibc nsswitch.conf as well.

OK: https://src.fedoraproject.org/rpms/glibc/pull-request/17

>> Then it also doesn't make sense that we put files before sss in half the lines, and sss before files in the other half.
>
> Basically only passwd and group need to have sss consulted first because SSSD now handles local users as well and this way glibc will first consult the SSSD in-memory cache before reading from disk. It does not matter with the other maps. It makes sense to me to have SSSD first because nowadays if you are joined to a remote domain you have these maps served by SSSD from LDAP than having the configuration in files, at least in enterprise scenarios. sudoers have files first because there is always /etc/sudoers with at least %wheel so it makes sense to read it first.

Thanks for the info,

Michael

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: How to get proper nsswitch.conf?
On 2/14/20 8:19 PM, Michael Catanzaro wrote:
> On Thu, Feb 13, 2020 at 7:13 pm, Michael Catanzaro wrote:
>> Why don't we have mymachines here?

This is a systemd module, right? There was some discussion about it in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P/#PNKKVG3K6WAU42CCPVIEV6LZY7PWUG4P

I don't really have all the information but apparently there are some collisions with LDAP/FreeIPA and it is not supposed to be enabled by default.

> Next question, I have:
>
> passwd: sss files systemd
> shadow: files sss
> group: sss files systemd
>
> The difference is that authselect doesn't write the shadow line [1], that one is coming from our glibc [2]. (glibc is already patched to enable sssd.) That inconsistency seems odd; shouldn't authselect be modifying the shadow line as well?

SSSD does not support shadow therefore it is not added by authselect. IMHO it should be removed from glibc nsswitch.conf as well.

> Then it also doesn't make sense that we put files before sss in half the lines, and sss before files in the other half.

Basically only passwd and group need to have sss consulted first because SSSD now handles local users as well and this way glibc will first consult the SSSD in-memory cache before reading from disk. It does not matter with the other maps. It makes sense to me to have SSSD first because nowadays if you are joined to a remote domain you have these maps served by SSSD from LDAP than having the configuration in files, at least in enterprise scenarios. sudoers have files first because there is always /etc/sudoers with at least %wheel so it makes sense to read it first.

> [1] https://github.com/pbrezina/authselect/blob/master/profiles/sssd/nsswitch.conf
> [2] https://src.fedoraproject.org/rpms/glibc/blob/master/f/glibc-fedora-nsswitch.patch
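The ordering rules stated in the message above (sss ahead of files for passwd and group, no sss on the shadow line) can be checked mechanically. The following is an added example, not code from authselect, glibc or any participant in this thread; the function names and the sample file are constructed for illustration, and the parser also handles the bracketed action syntax seen in the thread's hosts line.

```python
import re

# Constructed sample built from the nsswitch.conf lines quoted in this thread.
SAMPLE = """\
# constructed sample, not a real system file
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
"""

# A token is either a bracketed action list or a bare service name.
TOKEN = re.compile(r"\[[^\]]*\]|\S+")

def parse_nsswitch(text):
    """Return {database: [(service, [action, ...]), ...]} in lookup order."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        services = []
        for tok in TOKEN.findall(rest):
            if tok.startswith("["):
                # An action list such as [NOTFOUND=return] modifies the
                # service that precedes it.
                if services:
                    services[-1][1].extend(tok[1:-1].split())
            else:
                services.append((tok, []))
        db[name.strip()] = services
    return db

def audit(db):
    """Apply the two rules from the thread and return a list of findings."""
    findings = []
    for name in ("passwd", "group"):
        order = [svc for svc, _ in db.get(name, [])]
        if "sss" in order and "files" in order \
                and order.index("sss") > order.index("files"):
            findings.append(f"{name}: sss is consulted after files")
    if any(svc == "sss" for svc, _ in db.get("shadow", [])):
        findings.append("shadow: lists sss, which SSSD does not serve")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_nsswitch(SAMPLE)):
        print(finding)
```
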
Re: How to get proper nsswitch.conf?
On Thu, Feb 13, 2020 at 7:13 pm, Michael Catanzaro wrote:
> Why don't we have mymachines here?

Next question, I have:

passwd: sss files systemd
shadow: files sss
group: sss files systemd

The difference is that authselect doesn't write the shadow line [1], that one is coming from our glibc [2]. (glibc is already patched to enable sssd.) That inconsistency seems odd; shouldn't authselect be modifying the shadow line as well?

Then it also doesn't make sense that we put files before sss in half the lines, and sss before files in the other half.

[1] https://github.com/pbrezina/authselect/blob/master/profiles/sssd/nsswitch.conf
[2] https://src.fedoraproject.org/rpms/glibc/blob/master/f/glibc-fedora-nsswitch.patch
Re: How to get proper nsswitch.conf?
On Thu, Feb 13, 2020 at 6:20 PM Michael Catanzaro wrote:
>
> On Thu, Feb 13, 2020 at 1:22 pm, Chris Murphy wrote:
> > hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
>
> Why don't we have mymachines here?

It probably should be in the second position. Also needs insertion in passwd: and group:

https://www.freedesktop.org/software/systemd/man/nss-mymachines.html

I'm not noticing any difference in latency using mdns_minimal and mdns4_minimal.

On second glance, this is confusing:

# Generated by authselect on Fri Sep 20 09:47:27 2019
# Do not modify this file manually.

However...

$ stat /etc/nsswitch.conf
File: /etc/nsswitch.conf
Size: 2402 Blocks: 8 IO Block: 4096 regular file
Device: 23h/35d Inode: 2589745 Links: 1
Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
Context: system_u:object_r:etc_t:s0
Access: 2020-02-12 14:14:39.753698198 -0700
Modify: 2020-01-26 23:51:27.028724897 -0700
Change: 2020-02-12 14:14:40.658698145 -0700
Birth: 2020-01-26 23:51:27.025724840 -0700

Generated by authselect, non-locally? I'm not modifying this file.

--
Chris Murphy
Re: How to get proper nsswitch.conf?
On Thu, Feb 13, 2020 at 1:22 pm, Chris Murphy wrote:
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

Why don't we have mymachines here?
Re: How to get proper nsswitch.conf?
On Thu, Feb 13, 2020 at 11:17 AM Michael Catanzaro wrote:
>
> On Thu, Feb 13, 2020 at 5:25 pm, Florian Weimer wrote:
> > authselect is not the only package editing nsswitch.conf, other
> > packages do it as well. I have lost track.
>
> It'd be really good to know what else is doing this, because I have a
> pending change proposal that's going to require editing this file, and
> I had only been planning to modify the glibc and authselect packages.

dnf provides on workstation fc31 says it's owned by glibc-2.30-5.fc31.x86_64 (was installed clean but has been used and updated for some months since)

hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

My understanding:
- avahi/mdns will only resolve IPv4 and only if the name ends with .local, and then will be reported as not found; being able to resolve IPv6 would be nice but I read that this can be slow, hence mdns4_minimal and not mdns_minimal; but maybe this information is stale?
- manpage for nss-resolve says that [!UNAVAIL=return] is required for resolved, but ..
- I've read elsewhere systemd-resolved contains mdns resolving that I think needs to be disabled if avahi will be used [2] or otherwise disable avahi.

[1] https://www.freedesktop.org/software/systemd/man/nss-resolve.html
[2] https://wiki.archlinux.org/index.php/Systemd-resolved "Note: If Avahi has been installed, consider disabling ... "

Anyway, I'm sorta confused.

--
Chris Murphy
Re: How to get proper nsswitch.conf?
On Thu, Feb 13, 2020 at 5:25 pm, Florian Weimer wrote:
> authselect is not the only package editing nsswitch.conf, other packages do it as well. I have lost track.

It'd be really good to know what else is doing this, because I have a pending change proposal that's going to require editing this file, and I had only been planning to modify the glibc and authselect packages.
Re: How to get proper nsswitch.conf?
Hi Florian,

By "proper" I mean something supported and pristine so that I don't end up with debugging weird problems. Some people name it "default". I don't need anything special, just the one which should be by default in Fedora Workstation.

On Thu, Feb 13, 2020 at 5:25 PM Florian Weimer wrote:
>
> * Igor Gnatenko:
>
> > I've noticed that glibc ships one nsswitch.conf, but then it is
> > entirely overridden by authselect... What is the proper way of getting
> > proper nsswitch.conf on the system?
>
> authselect is not the only package editing nsswitch.conf, other packages
> do it as well. I have lost track.
>
> Unfortunately, Fedora does not have a ban against scriptlets editing
> configuration files.
>
> Anyway, what do you mean by “proper”? It really depends on what you
> need, and also on personal preferences.
>
> Thanks,
> Florian
Re: How to get proper nsswitch.conf?
* Igor Gnatenko:

> I've noticed that glibc ships one nsswitch.conf, but then it is
> entirely overridden by authselect... What is the proper way of getting
> proper nsswitch.conf on the system?

authselect is not the only package editing nsswitch.conf, other packages do it as well. I have lost track.

Unfortunately, Fedora does not have a ban against scriptlets editing configuration files.

Anyway, what do you mean by “proper”? It really depends on what you need, and also on personal preferences.

Thanks,
Florian
How to get proper nsswitch.conf?
Hello,

I've noticed that glibc ships one nsswitch.conf, but then it is entirely overridden by authselect... What is the proper way of getting proper nsswitch.conf on the system?