Description of problem:
I suggest the following changes to authselect profile nis (see also bug 1626067#c10):

Files password-auth and system-auth:

- We should remove "local_users_only" from the password pam_pwquality.so entry, because password quality should also be applied to nis passwords, because nis (yppasswdd) doesn't check passwords for quality. The option "local_users_only" may be useful for FreeIPA which does its own checks, but not for nis.

  password requisite pam_pwquality.so try_first_pass

  Admins may add files to /etc/security/pwquality.conf.d/ to modify pwquality parameters.

- We should add "nis" to password pam_unix.so, so passwords in nis can be changed with the "passwd" command (and not (only) with yppasswd, which doesn't use pwquality).

  > password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok

- nis supports more services than currently in nsswitch.conf of profile nis. I use the following changes:

[root@myhost ~]# diff --ignore-space-change /usr/share/authselect/default/nis/nsswitch.conf /etc/authselect/custom/imsnis/nsswitch.conf
1,2c1
< passwd: files nis
< group: files nis
---
> passwd: files nis systemd
3a3,4
> group: files nis systemd
> hosts: files nis mdns4_minimal dns myhostname
6c7,16
< hosts: files nis dns myhostname
---
> ethers: files nis
> aliases: files nis
> netmasks: files nis
> networks: files nis
> services: files
> sudoers: files
> protocols: files
> rpc: files
> # bootparams: files
> # publickey: files

Version-Release number of selected component (if applicable):
authselect-libs-1.0-1.fc28.x86_64

How reproducible:
Always
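Review bot: the new hosts line in the diff ("> hosts: files nis mdns4_minimal dns myhostname") places mdns4_minimal in front of dns with no "[NOTFOUND=return]" action, so a .local name that mDNS cannot resolve is not stopped there but passed on to the dns module as a unicast query; the usual form is "hosts: files nis mdns4_minimal [NOTFOUND=return] dns myhostname", which is also the form proposed later in this report. It would also help to state in the description why services:, sudoers:, protocols: and rpc: are "files" only while ethers:, aliases:, netmasks: and networks: get "files nis", since the stated motivation for the change is that nis serves more maps.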
Thanks. I opened several upstream tickets to solve these separately:
* https://github.com/pbrezina/authselect/issues/86
* https://github.com/pbrezina/authselect/issues/87
* https://github.com/pbrezina/authselect/issues/88
* https://github.com/pbrezina/authselect/issues/89
I also opened:
* https://github.com/pbrezina/authselect/issues/90

Pull request: https://github.com/pbrezina/authselect/pull/91

Could you please see the nis profile in this scratch build? Differences can be found in the pull request.
https://koji.fedoraproject.org/koji/taskinfo?taskID=29649507
Thanks for the update. Issues 87, 88, 89 are solved, but there are still some problems:

- sssd doesn't support caching for the hosts map. Because the hosts map is looked up very often, I use nscd for caching nis maps. But sssd and nscd should not run together. I had sssd.service disabled - when I have started it, because you have added sss to passwd and group entries in nsswitch.conf, I got the following message:

  NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these.

  I also have tried sssd for caching nis maps in the past, with id_provider=proxy (and other values set for our nis domain), but with no success. It didn't work - nis maps weren't found by the system. So I have disabled sssd and enabled nscd on nis clients.

  It also works to have sssd running and nscd disabled, and sssd configured not to cache nis maps (e.g. leave sssd.conf in the default (packaged) configuration). Then the local files passwd and group are cached by sssd, but all nis maps are not cached. But network access to a nis server takes much longer than access to local files in /etc. So I prefer nscd instead of sssd for nis clients. But then the question is if it is useful to have sss entries in nsswitch.conf?

- In nsswitch.conf the hosts line does not contain mdns4_minimal. As a result, host names in the .local domain cannot be resolved. See also bug 1577243.

  $ ssh anotherhost.local
  ssh: Could not resolve hostname anotherhost.local: Name or service not known

- Not mentioned before, but it may be the time for a change: I am wondering why null passwords are allowed (by default). It is a security risk to allow user accounts without a password. Usually sshd is running, and such accounts can be used by anyone (and any bot) that tries them.
I think it is worth checking if the option "nullok" can be removed from pam_unix.so:

# grep nullok /usr/share/authselect/default/nis/*
/usr/share/authselect/default/nis/password-auth:auth sufficient pam_unix.so nullok try_first_pass
/usr/share/authselect/default/nis/password-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
/usr/share/authselect/default/nis/system-auth:auth sufficient pam_unix.so nullok try_first_pass
/usr/share/authselect/default/nis/system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
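The three settings raised in the report and in the two comments above (pam_pwquality "local_users_only" on a NIS client, the missing "nis" option on the pam_unix password line, "nullok" on pam_unix, and the hosts line with or without an mdns module) can be checked mechanically. The script below is an added example, not code from this bug report or from the authselect project: it audits constructed sample files written to a temporary directory (a "weak" pair mirroring lines quoted in the thread beside a "fixed" pair with the corrected settings), reads nothing under /etc, and uses function names of its own (audit_pam, audit_hosts, finding_count). The [NOTFOUND=return] check is the form proposed later in this report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from authselect: an offline
# audit of the settings discussed in this thread, run against constructed
# sample files in a temp directory (nothing under /etc is read or changed).
#   1. pam_unix "nullok" on the auth line (empty passwords accepted)
#   2. pam_pwquality "local_users_only" while passwd is served by NIS
#      (NIS users' passwords skip the quality check, and yppasswdd does none)
#   3. pam_unix password line without "nis" (passwd(1) cannot change NIS passwords)
#   4. hosts: line whose mdns module lacks [NOTFOUND=return], or with no mdns module
set -u

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed samples: "weak" mirrors lines quoted in the thread, "fixed" is the corrected form.
cat > "$TMP/system-auth.weak" <<'EOF'
auth        sufficient   pam_unix.so nullok try_first_pass
password    requisite    pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$TMP/system-auth.fixed" <<'EOF'
auth        sufficient   pam_unix.so try_first_pass
password    requisite    pam_pwquality.so try_first_pass retry=3
password    sufficient   pam_unix.so sha512 shadow nis try_first_pass use_authtok
EOF
cat > "$TMP/nsswitch.weak" <<'EOF'
passwd:     files nis systemd
group:      files nis systemd
hosts:      files nis mdns4_minimal dns myhostname
EOF
cat > "$TMP/nsswitch.fixed" <<'EOF'
passwd:     files nis systemd
group:      files nis systemd
hosts:      files nis mdns4_minimal [NOTFOUND=return] dns myhostname
EOF

# Exit 0 when passwd lookups go through NIS.
uses_nis() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]nis([[:space:]]|$)' "$1"
}

# Print one line per finding in a PAM stack file. Arguments: pam file, nsswitch file.
audit_pam() {
    pam=$1; nss=$2
    grep -Eq '^[[:space:]]*auth.*pam_unix\.so.*[[:space:]]nullok' "$pam" \
        && echo "nullok: pam_unix auth line accepts empty passwords"
    if uses_nis "$nss"; then
        grep -Eq '^[[:space:]]*password.*pam_pwquality\.so.*local_users_only' "$pam" \
            && echo "local_users_only: pwquality is skipped for NIS users"
        grep -Eq '^[[:space:]]*password.*pam_unix\.so' "$pam" \
            && ! grep -Eq '^[[:space:]]*password.*pam_unix\.so.*[[:space:]]nis([[:space:]]|$)' "$pam" \
            && echo "nis: pam_unix password line lacks the nis option"
    fi
    return 0
}

# Print one line per finding on the hosts: line of an nsswitch file.
audit_hosts() {
    hosts=$(grep -E '^[[:space:]]*hosts:' "$1" || true)
    case "$hosts" in
        *mdns*)
            # Without [NOTFOUND=return], a .local name that mDNS cannot resolve
            # falls through to the dns module and is sent out as a unicast query.
            echo "$hosts" | grep -Eq 'mdns(4|6)?_minimal[[:space:]]+\[NOTFOUND=return\]' \
                || echo "mdns: hosts line has an mdns module without [NOTFOUND=return]" ;;
        *)  echo "mdns: hosts line has no mdns module, .local names will not resolve" ;;
    esac
    return 0
}

# Number of findings for a pam/nsswitch pair, printed as a plain integer.
finding_count() {
    { audit_pam "$1" "$2"; audit_hosts "$2"; } | grep -c '' || true
}

for v in weak fixed; do
    echo "== $v: $(finding_count "$TMP/system-auth.$v" "$TMP/nsswitch.$v") finding(s)"
    audit_pam "$TMP/system-auth.$v" "$TMP/nsswitch.$v"
    audit_hosts "$TMP/nsswitch.$v"
done
```

On a real client the same functions can be pointed at /etc/pam.d/system-auth and /etc/nsswitch.conf after "authselect select" has written them; the "nis" check is only emitted when passwd is actually served by NIS, since the "local_users_only" and "nis" options are harmless on a host without NIS users.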
Thank you for your input, it is highly appreciated. Can you please try this build?
https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066

Changes:

1) I discussed with my colleagues whether it makes sense to have sssd enabled in the nis profile; we decided not to include it. So feel free to disable sssd and use nscd instead for everything.

2) I added lots of options to disable specific lines in the profile's nsswitch. You can use 'authselect select nis with-custom-hosts' and then set your value including mdns in /etc/authselect/user-nsswitch.conf. However, if you have a larger environment I recommend you to stick with a custom profile and propagate it to all your machines. See: https://github.com/pbrezina/authselect/pull/91/commits/55448dbcd95b1f3097b387976e0ec7d310a1bfc3

3) I added a 'without-nullok' feature to disable the nullok parameter with pam_unix.
authselect-1.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-18cdaf94c1
authselect-1.0.1-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bdc75404
authselect-1.0.1-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bdc75404
authselect-1.0.1-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-18cdaf94c1
authselect-1.0.1-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-738a0e5f83
authselect-1.0.1-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-00221867d7
authselect-1.0.1-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-738a0e5f83
authselect-1.0.1-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-00221867d7
(In reply to Pavel Březina from comment #4)
> Thank you for your input, it is highly appreciated. Can you please try this
> build?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066

Sorry for late testing. Now I have tested authselect-1.0.1-2.fc28 - it works fine. I think all changes from the scratch build are included in authselect-1.0.1-2.fc28?

Now the nis profile is almost perfect - the only thing that doesn't fit is the hosts line in nsswitch.conf - it doesn't contain mdns4_minimal and we can't configure it. We need to use the feature with-custom-hosts and manually modify /etc/authselect/user-nsswitch.conf.

We should be able to define "mdns4_minimal [NOTFOUND=return]", "mdns6_minimal [NOTFOUND=return]" or "mdns_minimal [NOTFOUND=return]", for example by a feature. This would also solve bug #1577243 - then they can use "authselect enable-feature with-custom-hosts" and "authselect disable-feature with-custom-hosts" instead of their sed script.

Thank you very much for including my ideas and suggestions!
authselect-1.0.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Edgar Hoch from comment #13)
> (In reply to Pavel Březina from comment #4)
> > Thank you for your input, it is highly appreciated. Can you please try this
> > build?
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066
>
> Sorry for late testing. Now I have tested authselect-1.0.1-2.fc28 - it works
> fine. I think all changes from the scratch build are included in
> authselect-1.0.1-2.fc28?

Yes. Thank you for testing.

> Now nis profile is almost perfect - the only thing that doesn't fit is the
> host line in nsswitch.conf - it doesn't contain mdns4_minimal and we can't
> configure it. We need to use feature with-custom-hosts and manually modify
> /etc/authselect/user-nsswitch.conf.

Yes. This is the intention.

> We should be able to define "mdns4_minimal [NOTFOUND=return]",
> "mdns6_minimal [NOTFOUND=return]" or "mdns_minimal [NOTFOUND=return]", for
> example by a feature.
> This would also solve bug #1577243 - then they can use "authselect
> enable-feature with-custom-hosts" and "authselect disable-feature
> with-custom-hosts" instead of their sed script.

Unfortunately, this is not doable. There are many, many nss modules available and we can not include all of them in upstream profiles. Thus we decided to have only a basic nsswitch.conf that works for most users, and if anyone wants to install additional modules he/she needs to either create a custom profile or, now, use the ability to disable a specific line and use user-nsswitch.conf instead. If you need to distribute the configuration across multiple machines, a custom profile is the best choice since you have full control over the configuration.

> Thank you very much for including my ideas and suggestions!

Happy to help.
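The workflow the maintainer describes (select the nis profile with the with-custom-hosts and without-nullok features, write your own hosts line into /etc/authselect/user-nsswitch.conf, regenerate) as an added example; it is not code from this bug report or from the authselect project. It assumes authselect 1.0.1 or later with those two features, root privileges, and that --force is acceptable for the first select on a host whose files were not yet managed by authselect; the hosts line content and the helper names (set_hosts_line, hosts_line_of, apply_nis_profile) are this example's own choices. Run without arguments it only exercises the file-editing helper on a constructed copy; with --apply it changes the live configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or the authselect project): select
# the nis profile with with-custom-hosts and without-nullok, supply the hosts:
# line in /etc/authselect/user-nsswitch.conf, then regenerate with authselect.
# Assumes authselect 1.0.1+, root, and that --force is acceptable on a host
# not yet managed by authselect. Without --apply only a dry run on a copy.
set -eu

# The hosts line to install: mdns4_minimal followed by [NOTFOUND=return] so an
# unresolved .local name stops there instead of going on to unicast DNS.
HOSTS_LINE='hosts:      files nis mdns4_minimal [NOTFOUND=return] dns myhostname'

# Replace the hosts: entry of an nsswitch-style file, or append one if absent.
set_hosts_line() {
    file=$1; line=$2
    if grep -Eq '^[[:space:]]*hosts:' "$file"; then
        sed "s|^[[:space:]]*hosts:.*|$line|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Print the hosts: line of a file (empty if none), for verification after editing.
hosts_line_of() {
    grep -E '^[[:space:]]*hosts:' "$1" || true
}

apply_nis_profile() {
    # with-custom-hosts: the profile stops writing its own hosts: line and the
    # one from user-nsswitch.conf is used; without-nullok: nullok leaves pam_unix.
    authselect select nis with-custom-hosts without-nullok --force
    set_hosts_line /etc/authselect/user-nsswitch.conf "$HOSTS_LINE"
    authselect apply-changes
    authselect current
    hosts_line_of /etc/nsswitch.conf
    grep -c nullok /etc/pam.d/system-auth || true   # 0 once without-nullok is active
}

if [ "${1:-}" = "--apply" ]; then
    apply_nis_profile
else
    # Dry run on a constructed copy shaped like a default user-nsswitch.conf.
    demo=$(mktemp)
    printf 'passwd:     files nis\nhosts:      files nis dns myhostname\n' > "$demo"
    set_hosts_line "$demo" "$HOSTS_LINE"
    hosts_line_of "$demo"
    rm -f "$demo"
fi
```

For a fleet, the maintainer's advice above still applies: a custom profile under /etc/authselect/custom/ carries the hosts line itself and can be copied to every machine, whereas this script has to run on each client.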
authselect-1.0.1-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.