Bug 578463

Summary: RFE: Authconfig should use the proxy provider for NIS and winbind
Product: [Fedora] Fedora
Reporter: Stephen Gallagher <sgallagh>
Component: authconfig
Assignee: Orphan Owner <extras-orphan>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dpal, tmraz
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2020-05-28 12:51:56 UTC

Description Stephen Gallagher 2010-03-31 11:56:21 UTC
Description of problem:
Right now, if NIS or Winbind are selected for , authconfig will use the traditional approach of configuring the service and adding it to nsswitch.conf.

With the SSSD available, it's preferable to take advantage of the id_provider=proxy setting instead. This allows these classic interfaces to take advantage of the SSSD's caching features.

The way this would work is that the NIS or winbind configuration would be set up exactly as usual, except that the configuration in nsswitch.conf would be different, and there would be an entry in sssd.conf.

nsswitch.conf (NIS example):

passwd:    files sss
group:     files sss
netgroup:  files nis
automount: files nis
shadow:    files nis     # if the NIS password option is selected; sss otherwise

Then sssd.conf would include:
[domain/default]
id_provider = proxy
proxy_lib_name = nis

# For NIS password:
# No entries needed, since NIS uses shadow, as mentioned above

# Or Kerberos password:
auth_provider = krb5
chpass_provider = krb5
krb5_kdcip = kdc.example.com
krb5_realm = EXAMPLE.COM
krb5_kpasswd = kpasswd.example.com



nsswitch.conf (Winbind example):

passwd:    files sss
group:     files sss
shadow:    files sss
netgroup:  files winbind
automount: files winbind

sssd.conf:
[domain/default]
id_provider = proxy
proxy_lib_name = winbind

auth_provider = proxy
proxy_pam_target = winbind


The proxy_pam_target is the name of a file in /etc/pam.d/<proxy_pam_target>. It should be a specialized PAM stack that calls the exact PAM modules necessary for authenticating winbind (basically, it should consist of the entries that would previously have been added to system-auth-ac). This PAM stack is invoked by pam_sss.so, so it should not also be added to system-auth-ac.

e.g.
/etc/pam.d/winbind:
auth     required pam_winbind.so
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
password required pam_winbind.so use_authtok
session  optional pam_winbind.so


Version-Release number of selected component (if applicable):
authconfig-6.1.2-1.fc13
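
A consistency check for the layout proposed in this report, as an added example that is not part of the original report, authconfig or SSSD: it verifies that passwd and group route through sss, that a proxy domain names its NSS library, and that the proxy PAM stack is neither self-referencing nor duplicated in system-auth-ac. The function names and the sample inputs are constructed for illustration.

```python
import configparser
import re

def parse_nsswitch(text):
    """Map database -> sources, ignoring comments and [action] items."""
    dbs = {}
    for line in text.splitlines():
        db, sep, srcs = line.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", srcs).split()
    return dbs

def pam_modules(text):
    """Modules named in a PAM stack, comments stripped."""
    body = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
    return set(re.findall(r"pam_\w+\.so", body))

def check_proxy_setup(nsswitch, sssd, pam_files):
    """Return findings; pam_files maps a /etc/pam.d service name to its text."""
    findings, dbs = [], parse_nsswitch(nsswitch)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd)
    for name in cfg.sections():
        dom = cfg[name]
        if not name.startswith("domain/") or dom.get("id_provider") != "proxy":
            continue
        lib = dom.get("proxy_lib_name")
        if not lib:
            findings.append(f"{name}: id_provider=proxy without proxy_lib_name")
        for db in ("passwd", "group"):
            if "sss" not in dbs.get(db, []):
                findings.append(f"nsswitch {db}: sss not listed")
            if lib in dbs.get(db, []):
                findings.append(f"nsswitch {db}: {lib} listed directly, not only via sss")
        if dom.get("auth_provider") != "proxy":
            continue
        target = dom.get("proxy_pam_target", "")
        stack = pam_modules(pam_files.get(target, ""))
        if not stack:
            findings.append(f"{name}: PAM stack '{target}' missing or empty")
        if "pam_sss.so" in stack:  # pam_sss.so invokes this stack, so it must not call back
            findings.append(f"pam.d/{target}: calls pam_sss.so, which invoked it")
        for mod in sorted(stack & pam_modules(pam_files.get("system-auth-ac", ""))):
            findings.append(f"system-auth-ac: {mod} duplicated from pam.d/{target}")
    return findings

# Constructed sample input modelled on the Winbind example in the report.
NSS = "passwd: files sss\ngroup: files sss winbind\n"
SSSD = ("[domain/default]\nid_provider = proxy\nproxy_lib_name = winbind\n"
        "auth_provider = proxy\nproxy_pam_target = winbind\n")
PAM = {"winbind": "auth required pam_winbind.so\n",
       "system-auth-ac": "auth sufficient pam_winbind.so\nauth sufficient pam_sss.so\n"}
```

Calling `check_proxy_setup(NSS, SSSD, PAM)` on the constructed input reports the direct winbind entry in the group line and the pam_winbind.so entry left in system-auth-ac.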

Comment 1 Fedora Admin user for bugzilla script actions 2020-05-27 14:55:08 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 2 Stephen Gallagher 2020-05-28 12:51:56 UTC
Authconfig has been replaced by authselect.