Bug 1427646

Summary: Set the order of NSS modules to "sss files systemd" for the "passwd" and "group" databases
Product: [Fedora] Fedora
Reporter: Jakub Hrozek <jhrozek>
Component: glibc
Assignee: Florian Weimer <fweimer>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: arjun.is, codonell, dj, fweimer, law, mfabian, pfrankli, siddhesh
Hardware: Unspecified
OS: Unspecified
Fixed In Version: glibc-2.25-3.fc26, glibc-2.25-3.fc27
Last Closed: 2017-03-01 13:10:02 UTC
Type: Bug
Bug Blocks: 1357418
Attachments: a proposed patch (flags: none)

Description Jakub Hrozek 2017-02-28 20:00:25 UTC
Description of problem:
In order to support https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers we should change the order of the NSS modules configured in NSS switch so that sss comes before files.

Version-Release number of selected component (if applicable):
glibc-2.25-1.fc26.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install sssd
2. systemctl start sssd
3. strace getent passwd $user_from_etc_passwd

Actual results:
/etc/passwd is opened and read on every request

Expected results:
The first request reads from /var/lib/sss/pipes/nss, subsequent requests read from /var/lib/sss/mc/passwd 

Additional info:
The first version in Fedora that ships the files provider is sssd-1.15.0-4.fc26 in case you want to add conflicts with a previous version of sssd-client.

Comment 1 Jakub Hrozek 2017-03-01 12:15:12 UTC
Created attachment 1258662
a proposed patch

Reverses the order of the sss and files modules in nsswitch.conf. The shadow modules are not reversed -- and it would be pointless since sssd doesn't implement the shadow map and probably never will. We might as well remove sss from the shadow map altogether.

Comment 2 Florian Weimer 2017-03-01 13:10:02 UTC
(In reply to Jakub Hrozek from comment #1)
> Created attachment 1258662
> a proposed patch
> 
> Reverses the order of the sss and files modules in nsswitch.conf. The shadow
> modules are not reversed -- and it would be pointless since sssd doesn't
> implement the shadow map and probably never will. We might as well remove
> sss from the shadow map altogether.

Thanks, applied.
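
A configuration check for the ordering this bug asks for, added here as an example and not part of the bug report or the glibc patch: it parses an nsswitch.conf and verifies that sss is consulted before files for the passwd and group databases. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# nss_sources FILE DB: print DB's modules in lookup order, dropping
# comments and [STATUS=action] items.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        index($0, db ":") == 1 {
            $0 = substr($0, length(db) + 2)   # keep only the service list
            out = ""; skip = 0
            for (i = 1; i <= NF; i++) {
                if (skip) { if ($i ~ /\]$/) skip = 0; continue }
                if ($i ~ /^\[/) { if ($i !~ /\]$/) skip = 1; continue }
                out = out (out == "" ? "" : " ") $i
            }
            print out; exit
        }' "$1"
}

# nss_precedes FILE DB A B: succeed if module A is listed for DB and
# comes before module B (or B is not listed at all).
nss_precedes() {
    pos_a=0; pos_b=0; n=0
    for m in $(nss_sources "$1" "$2"); do
        n=$((n + 1))
        if [ "$m" = "$3" ] && [ "$pos_a" -eq 0 ]; then pos_a=$n; fi
        if [ "$m" = "$4" ] && [ "$pos_b" -eq 0 ]; then pos_b=$n; fi
    done
    [ "$pos_a" -gt 0 ] && { [ "$pos_b" -eq 0 ] || [ "$pos_a" -lt "$pos_b" ]; }
}

# check_sss_first FILE: fail if passwd or group does not try sss before files.
check_sss_first() {
    rc=0
    for db in passwd group; do
        if nss_precedes "$1" "$db" sss files; then state=ok; else state=BAD; rc=1; fi
        echo "$db: $state ($(nss_sources "$1" "$db"))"
    done
    return "$rc"
}

# Constructed sample input, not taken from a real system or from the patch.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: sss files systemd
group:  files sss systemd       # order before the change
hosts:  files dns [NOTFOUND=return] myhostname
EOF
check_sss_first "$sample" || echo "nsswitch.conf still prefers files over sss"
rm -f "$sample"
```

On a real host, call check_sss_first /etc/nsswitch.conf; the shadow database is deliberately not checked, since comment 1 leaves its order unchanged.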