Currently, authselect is not mandatory and tries to go out of the way if the user makes local changes. However, making it mandatory has advantages: * All components can rely on configurations to be consistent across installations * We can roll out fixes for configurations (such as the pam_fprintd.so issue in F34) more easily
This could also replace patching of glibc confinguration files by packages. For an example, see “rpm -q --scripts systemd-libs”. The ad-hoc patching often does not take into account that the system administrator does not want to enable certain functionality: it tends to come back as the result of package upgrades.
(In reply to Florian Weimer from comment #1) > This could also replace patching of glibc confinguration files by packages. > For an example, see “rpm -q --scripts systemd-libs”. Or "rpm -q --scripts nss-mdns" Is there a reason why we'd need to wait another 8 months to get a stable Fedora with that problem fixed though?
Thank you for creating this tracking bug. I believe making authselect mandatory requires some bigger code and packaging changes that needs to be carefully design. From the top of my head, it should take ownership of the whole pam.d directory and not just few selected files and also own nsswitch.conf and drop support for manual nsswitch.conf edits. I do plan to submit a system wide change page for Fedora 36.
Change page was accepted: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
FEDORA-2021-c2b61f2725 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c2b61f2725
FEDORA-2021-c2b61f2725 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.