[Pkg-sssd-devel] Bug#761173: libnss-sss: Enable shadow entry for sss in /etc/nsswitch.conf?
Petter Reinholdtsen
pere at hungry.com
Thu Sep 11 11:51:25 UTC 2014
Package: libnss-sss
Version: 1.11.6-1
Tags: patch
User: debian-edu at lists.debian.org
Usertags: debian-edu
Hi.

While working on the next version of Debian Edu, I had a closer look
at how libnss-sss updates /etc/nsswitch.conf during installation, and
one thing confused me. In Debian Edu we update nsswitch.conf to use
sss as a backend also for the shadow database. Why is this not done
by default when libnss-sss is installed?

Without shadow listed in nsswitch.conf, information about account
expiring does not propagate from LDAP to the Linux clients.

I notice from the 1.10.0-1 changelog that the shadow update was
removed because sssd did not support shadow maps then, but according to
<URL: http://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/Configuring_Services.html >
the shadow map is supported now (along with passwd, groups, netgroups and
services), and the sssd-ldap manual page indicates the same.

Please add shadow back to the list of nsswitch.conf databases enabled
automatically during installation. This patch should fix it:
diff -ur sssd-1.11.6/debian/libnss-sss.postinst sssd-1.11.6-pere/debian/libnss-sss.postinst
--- sssd-1.11.6/debian/libnss-sss.postinst 2014-09-11 13:41:23.000000000 +0200
+++ sssd-1.11.6-pere/debian/libnss-sss.postinst 2014-09-11 13:46:21.868017365 +0200
@@ -22,7 +22,7 @@
fi
# append 'sss' to the end of the line if it's not found already
sed -i --regexp-extended '
- /^(passwd|group|netgroup):/ {
+ /^(passwd|shadow|group|netgroup):/ {
/\bsss\b/! s/$/ sss/
}
' /etc/nsswitch.conf
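Review bot: the widened address `/^(passwd|shadow|group|netgroup):/` only edits a `shadow:` line that already exists in /etc/nsswitch.conf, so on a system whose file has no such line the change silently does nothing and shadow lookups still bypass sss. If that case matters, the script needs to add the line or report its absence. The hunk also does not show the condition closed by the `fi` above: if this block runs on upgrades as well as fresh installs, a system where the administrator left `shadow` without `sss` will have it appended, which changes where account expiry data comes from, so that is worth a changelog or NEWS entry. Any removal script that strips `sss` from these lines should get the same database list so the two stay symmetric.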
Perhaps the services database should be updated too?
--
Happy hacking
Petter Reinholdtsen