Discussion:
nsswitch.conf: list of module packages that enables themselves
Pavel Březina
2018-11-26 13:15:21 UTC
Permalink
This e-mail is long so I just put the question here before explanation:

Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.

Why?

As you might have noticed, in Fedora 28 we switched from authconfig to
authselect. This brought some adoption issues and feature requests which
we tried hard to resolved, mostly related to nsswitch.conf. Thank you
for all your feedback.

At this point I am aware of only one nsswitch.conf related issue that we
would like to fix. The problem is that when you choose to use authselect
you are no longer allowed to touch /etc/nsswitch.conf (and various file
in /etc/pam.d) manually but you should use authselect and its profiles
instead.

However, this does not work well for small environments (possibly single
user machines) where you want to just change something in nsswitch.conf
and do not want to create custom profile. For this, we introduced
/etc/authselect/user-nsswitch.conf and 'authselect apply-changes'
command to do this the authselect way (of course you are free to not use
authselect and just modify the files manually).

But there are some packages that installs nsswitch modules and
automatically puts them in /etc/nsswitch.conf in %post which conflicts
with authselect. We would like to provide an authselect call for these
packages, that would make sure it does not conflict with authselect [1].

I started working on a design for such feature and I'm trying to obtain
list of all packages that installs nsswitch modules and automatically
enable them in /etc/nsswitch.conf.

So far I was able to find these packages:
- nss-altfiles
- nss_db
- nss-mdns
- nss_nis
- nss-pam-ldapd
- nss_updatedb
- sssd
- systemd

But only two of them (nss-mdns, systemd) touches /etc/nsswitch.conf. Do
you know about any other package?

Thank you,
Pavel.

[1] https://github.com/pbrezina/authselect/issues/77
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/l
Stephen Gallagher
2018-11-26 13:21:22 UTC
Permalink
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
Why?
As you might have noticed, in Fedora 28 we switched from authconfig to
authselect. This brought some adoption issues and feature requests which
we tried hard to resolved, mostly related to nsswitch.conf. Thank you
for all your feedback.
At this point I am aware of only one nsswitch.conf related issue that we
would like to fix. The problem is that when you choose to use authselect
you are no longer allowed to touch /etc/nsswitch.conf (and various file
in /etc/pam.d) manually but you should use authselect and its profiles
instead.
However, this does not work well for small environments (possibly single
user machines) where you want to just change something in nsswitch.conf
and do not want to create custom profile. For this, we introduced
/etc/authselect/user-nsswitch.conf and 'authselect apply-changes'
command to do this the authselect way (of course you are free to not use
authselect and just modify the files manually).
But there are some packages that installs nsswitch modules and
automatically puts them in /etc/nsswitch.conf in %post which conflicts
with authselect. We would like to provide an authselect call for these
packages, that would make sure it does not conflict with authselect [1].
I started working on a design for such feature and I'm trying to obtain
list of all packages that installs nsswitch modules and automatically
enable them in /etc/nsswitch.conf.
- nss-altfiles
- nss_db
- nss-mdns
- nss_nis
- nss-pam-ldapd
- nss_updatedb
- sssd
- systemd
But only two of them (nss-mdns, systemd) touches /etc/nsswitch.conf. Do
you know about any other package?
Thank you,
Pavel.
[1] https://github.com/pbrezina/authselect/issues/77
IIRC, doesn't autofs also use nsswitch.conf for configuration?

Also CCing Will Woods and James Antill who have been looking at
scriptlets in Fedora in general and may have further information
handy.
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorapr
Pavel Březina
2018-11-26 13:38:38 UTC
Permalink
Post by Stephen Gallagher
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
Why?
As you might have noticed, in Fedora 28 we switched from authconfig to
authselect. This brought some adoption issues and feature requests which
we tried hard to resolved, mostly related to nsswitch.conf. Thank you
for all your feedback.
At this point I am aware of only one nsswitch.conf related issue that we
would like to fix. The problem is that when you choose to use authselect
you are no longer allowed to touch /etc/nsswitch.conf (and various file
in /etc/pam.d) manually but you should use authselect and its profiles
instead.
However, this does not work well for small environments (possibly single
user machines) where you want to just change something in nsswitch.conf
and do not want to create custom profile. For this, we introduced
/etc/authselect/user-nsswitch.conf and 'authselect apply-changes'
command to do this the authselect way (of course you are free to not use
authselect and just modify the files manually).
But there are some packages that installs nsswitch modules and
automatically puts them in /etc/nsswitch.conf in %post which conflicts
with authselect. We would like to provide an authselect call for these
packages, that would make sure it does not conflict with authselect [1].
I started working on a design for such feature and I'm trying to obtain
list of all packages that installs nsswitch modules and automatically
enable them in /etc/nsswitch.conf.
- nss-altfiles
- nss_db
- nss-mdns
- nss_nis
- nss-pam-ldapd
- nss_updatedb
- sssd
- systemd
But only two of them (nss-mdns, systemd) touches /etc/nsswitch.conf. Do
you know about any other package?
Thank you,
Pavel.
[1] https://github.com/pbrezina/authselect/issues/77
IIRC, doesn't autofs also use nsswitch.conf for configuration?
Yes, but it is not part of glibc. AFAIK it works similar to sudo -
lookup automount line in nsswitch.conf and acts according to its
settings. But it does not have proper support in glibc.
Post by Stephen Gallagher
Also CCing Will Woods and James Antill who have been looking at
scriptlets in Fedora in general and may have further information
handy.
Thanks.
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/lis
Ian Kent
2018-11-26 23:48:37 UTC
Permalink
Post by Pavel Březina
Post by Stephen Gallagher
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
Why?
As you might have noticed, in Fedora 28 we switched from authconfig to
authselect. This brought some adoption issues and feature requests which
we tried hard to resolved, mostly related to nsswitch.conf. Thank you
for all your feedback.
At this point I am aware of only one nsswitch.conf related issue that we
would like to fix. The problem is that when you choose to use authselect
you are no longer allowed to touch /etc/nsswitch.conf (and various file
in /etc/pam.d) manually but you should use authselect and its profiles
instead.
However, this does not work well for small environments (possibly single
user machines) where you want to just change something in nsswitch.conf
and do not want to create custom profile. For this, we introduced
/etc/authselect/user-nsswitch.conf and 'authselect apply-changes'
command to do this the authselect way (of course you are free to not use
authselect and just modify the files manually).
But there are some packages that installs nsswitch modules and
automatically puts them in /etc/nsswitch.conf in %post which conflicts
with authselect. We would like to provide an authselect call for these
packages, that would make sure it does not conflict with authselect [1].
I started working on a design for such feature and I'm trying to obtain
list of all packages that installs nsswitch modules and automatically
enable them in /etc/nsswitch.conf.
- nss-altfiles
- nss_db
- nss-mdns
- nss_nis
- nss-pam-ldapd
- nss_updatedb
- sssd
- systemd
But only two of them (nss-mdns, systemd) touches /etc/nsswitch.conf. Do
you know about any other package?
Thank you,
Pavel.
[1] https://github.com/pbrezina/authselect/issues/77
IIRC, doesn't autofs also use nsswitch.conf for configuration?
Yes, but it is not part of glibc. AFAIK it works similar to sudo -
lookup automount line in nsswitch.conf and acts according to its
settings. But it does not have proper support in glibc.
Yes, automount uses the "automount:" line of nsswitch.conf.

It doesn't mess with nsswitch.conf and I'm not willing to
change a file autofs doesn't own, it's the users responsibility
to set the autofs map sources they need.

Umm .. "proper" ... I'll take that to just mean I don't use
the glibc API rather than a criticism of what I chose to do.

Originally I tried to use the glibc API and I even had autofs
specific nsswitch example code but I found I couldn't do what
I needed. When I did this I didn't have time to work through
the glibc API code to work out if it did provide what I needed
so I wrote my own parser.

If I need to change that then I'll need pointers to adequate
glibc nsswitch API documentation as I still don't want to dive
into the glibc code to work out how do this.

Ian
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/de
Pavel Březina
2018-11-27 09:57:49 UTC
Permalink
Post by Ian Kent
Post by Pavel Březina
Post by Stephen Gallagher
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
Why?
As you might have noticed, in Fedora 28 we switched from authconfig to
authselect. This brought some adoption issues and feature requests which
we tried hard to resolved, mostly related to nsswitch.conf. Thank you
for all your feedback.
At this point I am aware of only one nsswitch.conf related issue that we
would like to fix. The problem is that when you choose to use authselect
you are no longer allowed to touch /etc/nsswitch.conf (and various file
in /etc/pam.d) manually but you should use authselect and its profiles
instead.
However, this does not work well for small environments (possibly single
user machines) where you want to just change something in nsswitch.conf
and do not want to create custom profile. For this, we introduced
/etc/authselect/user-nsswitch.conf and 'authselect apply-changes'
command to do this the authselect way (of course you are free to not use
authselect and just modify the files manually).
But there are some packages that installs nsswitch modules and
automatically puts them in /etc/nsswitch.conf in %post which conflicts
with authselect. We would like to provide an authselect call for these
packages, that would make sure it does not conflict with authselect [1].
I started working on a design for such feature and I'm trying to obtain
list of all packages that installs nsswitch modules and automatically
enable them in /etc/nsswitch.conf.
- nss-altfiles
- nss_db
- nss-mdns
- nss_nis
- nss-pam-ldapd
- nss_updatedb
- sssd
- systemd
But only two of them (nss-mdns, systemd) touches /etc/nsswitch.conf. Do
you know about any other package?
Thank you,
Pavel.
[1] https://github.com/pbrezina/authselect/issues/77
IIRC, doesn't autofs also use nsswitch.conf for configuration?
Yes, but it is not part of glibc. AFAIK it works similar to sudo -
lookup automount line in nsswitch.conf and acts according to its
settings. But it does not have proper support in glibc.
Yes, automount uses the "automount:" line of nsswitch.conf.
It doesn't mess with nsswitch.conf and I'm not willing to
change a file autofs doesn't own, it's the users responsibility
to set the autofs map sources they need.
Umm .. "proper" ... I'll take that to just mean I don't use
the glibc API rather than a criticism of what I chose to do.
Yes, no criticism. It was meant the other way around, that glibc does
not provide any autofs api. But again, not criticism for glibc either.
Post by Ian Kent
Originally I tried to use the glibc API and I even had autofs
specific nsswitch example code but I found I couldn't do what
I needed. When I did this I didn't have time to work through
the glibc API code to work out if it did provide what I needed
so I wrote my own parser.
If I need to change that then I'll need pointers to adequate
glibc nsswitch API documentation as I still don't want to dive
into the glibc code to work out how do this.
Ian
_______________________________________________
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/
DJ Delorie
2018-11-26 19:24:17 UTC
Permalink
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
I don't know about enabling, but it's easy to ask the database what
packages provide NSS modules. Here's a run from my (sorry, old)
system:

$ dnf whatprovides '/usr/lib64/libnss_*'

sssd-client-1.16.0-4.fc26.x86_64 : SSSD Client libraries for NSS and PAM
Filename : /usr/lib64/libnss_sss.so.2

systemd-container-233-7.fc26.x86_64 : Tools for containers and VMs
Filename : /usr/lib64/libnss_mymachines.so.2

systemd-libs-233-7.fc26.x86_64 : systemd libraries
Filename : /usr/lib64/libnss_myhostname.so.2
Filename : /usr/lib64/libnss_resolve.so.2
Filename : /usr/lib64/libnss_systemd.so.2

glibc-nss-devel-2.25-13.fc26.x86_64 : Development files for directly linking NSS
: service modules
Filename : /usr/lib64/libnss_compat.so
Filename : /usr/lib64/libnss_db.so
Filename : /usr/lib64/libnss_dns.so
Filename : /usr/lib64/libnss_files.so
Filename : /usr/lib64/libnss_hesiod.so
Filename : /usr/lib64/libnss_nis.so
Filename : /usr/lib64/libnss_nisplus.so

libvirt-nss-3.2.1-7.fc26.x86_64 : Libvirt plugin for Name Service Switch
Filename : /usr/lib64/libnss_libvirt.so.2
Filename : /usr/lib64/libnss_libvirt_guest.so.2

samba-winbind-modules-2:4.6.15-0.fc26.x86_64 : Samba winbind modules
Filename : /usr/lib64/libnss_winbind.so
Filename : /usr/lib64/libnss_winbind.so.2
Filename : /usr/lib64/libnss_wins.so
Filename : /usr/lib64/libnss_wins.so.2

sssd-client-1.16.1-4.fc26.x86_64 : SSSD Client libraries for NSS and PAM
Filename : /usr/lib64/libnss_sss.so.2

systemd-container-233-7.fc26.x86_64 : Tools for containers and VMs
Filename : /usr/lib64/libnss_mymachines.so.2

systemd-libs-233-7.fc26.x86_64 : systemd libraries
Filename : /usr/lib64/libnss_myhostname.so.2
Filename : /usr/lib64/libnss_resolve.so.2
Filename : /usr/lib64/libnss_systemd.so.2

glibc-nss-devel-2.25-6.fc26.x86_64 : Development files for directly linking NSS
: service modules
Filename : /usr/lib64/libnss_compat.so
Filename : /usr/lib64/libnss_db.so
Filename : /usr/lib64/libnss_dns.so
Filename : /usr/lib64/libnss_files.so
Filename : /usr/lib64/libnss_hesiod.so
Filename : /usr/lib64/libnss_nis.so
Filename : /usr/lib64/libnss_nisplus.so

libnss-mysql-1.5-26.fc26.x86_64 : NSS library for MySQL
Filename : /usr/lib64/libnss_mysql.so.2
Filename : /usr/lib64/libnss_mysql.so.2.0.0

libnss-pgsql-1.5.0-0.15.beta.fc26.x86_64 : Name Service Switch library that
: interface with PostgreSQL
Filename : /usr/lib64/libnss_pgsql.so.2
Filename : /usr/lib64/libnss_pgsql.so.2.0.0

libvirt-nss-3.2.1-3.fc26.x86_64 : Libvirt plugin for Name Service Switch
Filename : /usr/lib64/libnss_libvirt.so.2
Filename : /usr/lib64/libnss_libvirt_guest.so.2

netresolve-core-0.0.1-0.17.20160317git.fc26.x86_64 : Core netresolve libraries
Filename : /usr/lib64/libnss_netresolve.so.2
Filename : /usr/lib64/libnss_netresolve.so.2.0.0

netresolve-devel-0.0.1-0.17.20160317git.fc26.x86_64 : Development files for
: netresolve
Filename : /usr/lib64/libnss_netresolve.so

nss-altfiles-2.18.1-8.fc26.x86_64 : NSS module to look up users in
: /usr/lib/passwd too
Filename : /usr/lib64/libnss_altfiles.so.2

nss-pam-ldapd-0.8.14-8.fc26.x86_64 : An nsswitch module which uses directory
: servers
Filename : /usr/lib64/libnss_ldap.so
Filename : /usr/lib64/libnss_ldap.so.2

nss_wrapper-1.1.3-2.fc26.x86_64 : A wrapper for the user, group and hosts NSS
: API
Filename : /usr/lib64/libnss_wrapper.so
Filename : /usr/lib64/libnss_wrapper.so.0
Filename : /usr/lib64/libnss_wrapper.so.0.2.3

samba-winbind-modules-2:4.6.5-0.fc26.x86_64 : Samba winbind modules
Filename : /usr/lib64/libnss_winbind.so
Filename : /usr/lib64/libnss_winbind.so.2
Filename : /usr/lib64/libnss_wins.so
Filename : /usr/lib64/libnss_wins.so.2

sssd-client-1.15.2-5.fc26.x86_64 : SSSD Client libraries for NSS and PAM
Filename : /usr/lib64/libnss_sss.so.2

systemd-container-233-6.fc26.x86_64 : Tools for containers and VMs
Filename : /usr/lib64/libnss_mymachines.so.2

systemd-libs-233-6.fc26.x86_64 : systemd libraries
Filename : /usr/lib64/libnss_myhostname.so.2
Filename : /usr/lib64/libnss_resolve.so.2
Filename : /usr/lib64/libnss_systemd.so.2
Pavel Březina
2018-11-27 10:11:46 UTC
Permalink
Post by DJ Delorie
Post by Pavel Březina
Do you know about any package that installs an nsswitch.conf module and
automatically enables it in /etc/nsswitch.conf? So far I have two
packages - nss-mdns and systemd.
I don't know about enabling, but it's easy to ask the database what
packages provide NSS modules. Here's a run from my (sorry, old)
$ dnf whatprovides '/usr/lib64/libnss_*'
Thanks, I forgot about this. I went through the list and the only
modules that writes into nsswitch.conf are systemd and nss-mdns.
_______________________________________________
devel mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to devel-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archi

Loading...