This is the mail archive of the mailing list for the glibc project.

Re: [PATCH] nsswitch: Add group merging support

On 12/29/2015 04:58 PM, Mike Frysinger wrote:
> On 16 Dec 2015 10:11, Stephen Gallagher wrote:
>> == Justification ==
>> It is common today for users to rely on centrally-managed user stores for
>> handling their user accounts. However, much software existing today does
>> not have an innate understanding of such accounts. Instead, they commonly
>> rely on membership in known groups for managing access-control (for
>> example the "wheel" group on Fedora and RHEL systems or the "adm" group
>> on Debian-derived systems). In the present incarnation of nsswitch, the
>> only way to have such groups managed by a remote user store such as
>> FreeIPA or Active Directory would be to manually remove the groups from
>> /etc/group on the clients so that nsswitch would then move past nss_files
>> and into the SSSD, nss-ldap or other remote user database.
> you've lost me.  the whole point of nsswitch.conf is to let the admin
> explicitly control the order and precedence of look up sources.  so if
> you want to look up other sources, fix your /etc/nsswitch.conf to list
> the remote sources first over /etc/groups.


Did Stephen's response answer your question?

Nobody has objected to the new "merge" functionality, and to be honest,
because it has no ABI/API impact we could add it without any impact to
late stage testing.

I'd like to see this feature in 2.23, but would also like to see some
review that people think this is a good solution.

