This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] nsswitch: Add group merging support
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Stephen Gallagher <sgallagh at redhat dot com>, Mike Frysinger <vapier at gentoo dot org>
- Cc: libc-alpha at sourceware dot org
- Date: Wed, 20 Jan 2016 15:32:35 -0500
- References: <1450278701-1787-1-git-send-email-sgallagh at redhat dot com> <20151229215854 dot GC25803 at vapier dot lan>

On 12/29/2015 04:58 PM, Mike Frysinger wrote:
> On 16 Dec 2015 10:11, Stephen Gallagher wrote:
>> == Justification ==
>> It is common today for users to rely on centrally-managed user stores for
>> handling their user accounts. However, much software existing today does
>> not have an innate understanding of such accounts. Instead, they commonly
>> rely on membership in known groups for managing access-control (for
>> example the "wheel" group on Fedora and RHEL systems or the "adm" group
>> on Debian-derived systems). In the present incarnation of nsswitch, the
>> only way to have such groups managed by a remote user store such as
>> FreeIPA or Active Directory would be to manually remove the groups from
>> /etc/group on the clients so that nsswitch would then move past nss_files
>> and into the SSSD, nss-ldap or other remote user database.
> you've lost me. the whole point of nsswitch.conf is to let the admin
> explicitly control the order and precedence of look up sources. so if
> you want to look up other sources, fix your /etc/nsswitch.conf to list
> the remote sources first over /etc/groups.

Did Stephen's response answer your question?

Nobody has objected to the new "merge" functionality, and to be honest,
because it has no ABI/API impact we could add it without any impact to
late stage testing.

I'd like to see this feature in 2.23, but would also like to see some
review that people think this is a good solution.