Wiki -> https://fedoraproject.org/wiki/Changes/SSSDRemoveFilesProvider
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Remove the SSSD “files provider” feature that allows handling of local users.

== Owner ==
* Name: [[User:atikhonov| Alexey Tikhonov]], [[User:pbrezina| Pavel Březina]]
* Email: atikh...@redhat.com, pbrez...@redhat.com

== Detailed Description ==
SSSD's ability to handle local users (/etc/passwd and /etc/group) using “id_provider=files” was previously deprecated, and its future removal was announced both [https://sssd.io/release-notes/sssd-2.9.0.html#general-information upstream] and in [https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/Security/#_the_sssd_files_provider_has_been_deprecated Fedora 38 RNs].<br>
The [https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache FlexibleLocalUserCache] change disabled this feature by default even earlier.

The reason for this move is that the benefits of the feature appeared to be negligible, while the confusion and overhead it creates are considerable.<br>
Practically, there are only two use cases that currently justify usage of the “files provider”:
* smart card authentication of local users;
* session recording for local users.

For both cases the “proxy provider” is a viable substitute, so the “files provider” can be dropped. SSSD maintainers will provide a document on [https://sssd.io/ sssd.io] describing how to switch (where it’s really needed!).

== Feedback ==
So far we have received no pushback (and practically no feedback at all) with regard to previous deprecation notices and removal announcements.

== Benefit to Fedora ==
Alignment with upstream development, which plans to remove the corresponding code completely.
Cleaner/simpler OS configuration (/etc/nsswitch.conf and authselect profiles).

== Scope ==
* Proposal owners:
** The SSSD package will be built without the `--with-files-provider` ./configure option; a document describing usage of the 'proxy provider' in the aforementioned cases will be provided;
** authselect
*** A new “local” profile to handle local users without SSSD will be introduced. This profile will be based on “minimal”, but it may gain more features.
*** The “minimal” profile will be removed and replaced by “local”.
*** The “local” profile will now be the default profile.
*** The ‘sssd’ profile will lose the `with-files-domain` and `with-files-access-provider` options, and will gain the `--with-tlog` option.
* Other developers:
** cockpit session recording: configuration of session recording with local users was switched to ‘proxy-provider’; a change will be made to execute authselect --with-tlog;
** shadow-utils: the package will be built with the `--without-sssd` configuration option set.
* Release engineering: [https://pagure.io/releng/issue/11765 #11765] (proposed composes definition [https://pagure.io/fork/atikhonov/fedora-comps/c/7e7a8e23dc884ec65059494d71768bed63f98de2?branch=sssd-updates change])
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==
Since the feature has been turned off by default since Fedora 35 ([https://fedoraproject.org/wiki/Changes/FlexibleLocalUserCache FlexibleLocalUserCache]), this change won’t have any noticeable impact on the vast majority of the user base.<br>
Those who were configuring it explicitly and for a good reason will have to update their SSSD configuration manually to use the ‘proxy provider’ instead of the ‘files provider’.

== How To Test ==
General regression testing.

== User Experience ==
N/A

== Dependencies ==
sssd, authselect, cockpit-session-recording, shadow-utils

== Contingency Plan ==
* Contingency mechanism: revert SSSD spec file changes
* Contingency deadline: Fedora 40 beta freeze
* Blocks release? No

== Documentation ==
Release notes only.

== Release Notes ==
The previously deprecated SSSD “files provider” feature that allows handling of local users was removed. This doesn’t affect the default configuration, where local users are handled by the glibc module (‘libnss_files.so.2’).
In case of a specific configuration that requires SSSD to handle local users (for example, smart card authentication of local users), switch to the ‘proxy provider’ instead.

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
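
An added example, not part of the Change proposal or of SSSD/authselect: a pre-upgrade check for the configurations that the "Upgrade/compatibility impact" section says must be migrated by hand, namely domains with `id_provider = files` and the two removed 'sssd' profile options. Assumptions: the sample file contents are constructed, `enable_files_domain` (the sssd.conf switch for the implicit files domain) is not mentioned in the announcement, and authselect.conf is assumed to hold the profile name followed by one feature per line.

```python
import configparser

# Constructed sample sssd.conf: one explicit files-provider domain, the
# implicit files domain switched on, and an unrelated LDAP domain.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = local, example.test
enable_files_domain = true

[domain/local]
id_provider = files

[domain/example.test]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
"""

# Constructed sample authselect.conf; the layout (profile name first, then one
# feature per line) is an assumption of this example.
SAMPLE_AUTHSELECT_CONF = "sssd\nwith-files-domain\nwith-smartcard\n"

# The two 'sssd' profile options the Change removes.
REMOVED_FEATURES = {"with-files-domain", "with-files-access-provider"}


def audit_sssd_conf(text):
    """Return (section, finding) pairs for settings that need the files provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    findings = []
    if cp.get("sssd", "enable_files_domain", fallback="false").strip().lower() == "true":
        findings.append(("sssd", "enable_files_domain = true"))
    for section in cp.sections():
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        if section.startswith("domain/") and provider == "files":
            state = "listed" if section[len("domain/"):] in listed else "not listed"
            findings.append((section, f"id_provider = files ({state} in [sssd] domains)"))
    return findings


def audit_authselect_conf(text):
    """Return the removed 'sssd' profile features that are still selected."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    return sorted(REMOVED_FEATURES.intersection(entries[1:]))


if __name__ == "__main__":
    for section, finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {finding}")
    print("authselect:", audit_authselect_conf(SAMPLE_AUTHSELECT_CONF))
```

An empty result from both functions means the host does not depend on the removed feature; any finding marks a domain or profile option to move to the 'proxy provider' before upgrading.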