Removal of sss as standard on rhel7 #44

Open
wants to merge 3 commits into
base: master


NissesSenap

sss shouldn't be forced to be installed by the users to run a standard rhel 7.
Fix issue #42 RHEL7: sudoers and value sss

@NissesSenap
Author

@ghoneycutt I think there is something wrong with the travis job. Worked well when we ran the spec test locally.

@ghoneycutt
Owner

I made PR #45 to fix travis

@ghoneycutt
Owner

I thought that by default EL7 uses sss. If that is incorrect, could you point me toward some docs on the subject?

You can always override the defaults by specifying values in Hiera or class parameters.

@ghoneycutt
Owner

If you rebase against master, you'll pick up the changes in PR #45

Edvin Norlin added 2 commits July 11, 2016 16:26
Since nsswitch ships with sss as standard on all but sudo.
Seems that sudo isn't a part of nsswitch standard conf.
@NissesSenap
Author

@ghoneycutt after your comment I took a deeper look at what was standard in rhel 7.
Glibc is the package that provides nsswitch.conf, and as standard the following is configured.

/etc/nsswitch.conf

```
passwd: files sss
shadow: files sss
group: files sss
initgroups: files

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: nisplus sss

publickey: nisplus

automount: files nisplus
aliases: files nisplus
```

When looking at the sudo rpm I couldn't find anything that updated the nsswitch with sudo. So I will be honest, I didn't manage to find where sudo is added to the nsswitch.conf file.

I'm unable to find how Red Hat adds sss to their sudo row, but Ubuntu does it through libsss-sudo, and it seems like Red Hat would handle it in a similar way.
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1249777

So after that I added back sss to all rhel 7 as standard except sudo.

@ghost

ghost commented Sep 19, 2017

> I thought that by default EL7 uses sss. If that is incorrect, could you point me toward some docs on the subject?

> I'm unable to find how Red Hat adds sss to their sudo row, but Ubuntu does it through libsss-sudo, and it seems like Red Hat would handle it in a similar way.

Enabling sss/sudo integration in nss on RHEL 7 is a manual process:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Services.html#sssd-ldap-sudo

The "minimal" RHEL 7 installation profile does not include any sss packages. The "base" profile adds sssd-client, but that does not include libsss_sudo as a dependency:
http://www.sysarchitects.com/rhel7-core-minimal-install-vs-base-infrastructure-server-packages

The "Directory Client" package group includes the sssd package which will pull in libsss_sudo as a dependency:
http://mirror.centos.org/centos/7/os/x86_64/repodata/38b60f66d52704cffb8696750b2b6552438c1ace283bc2cf22408b0ba0e4cbfa-c7-x86_64-comps.xml

Installing libsss_sudo does not pull in any additional sss packages.
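
As an added example (not part of this pull request or the module), a shell check for the situation described in the comment above: an nsswitch.conf row that names sss while the library serving that row is not installed. The library file names `libsss_sudo.so` and `libnss_sss.so.2`, the function names, and the sample file are assumptions constructed for illustration.

```shell
# Added example, not code from the pull request. Library file names and the
# LIBDIR argument are assumptions; the sample nsswitch.conf is constructed.

# sources_for FILE DB: print the sources listed for DB, one per line,
# ignoring comments and [STATUS=action] criteria.
sources_for() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' -e 's/:/ : /' "$1" |
        awk -v db="$2" '$1 == db && $2 == ":" { for (i = 3; i <= NF; i++) print $i }'
}

# missing_sss_plugins FILE LIBDIR: print "database library" for each row that
# lists sss while the library serving that row is absent from LIBDIR.
missing_sss_plugins() {
    sed -e 's/#.*//' -e 's/:/ : /' "$1" | awk '$2 == ":" { print $1 }' |
    while read -r db; do
        sources_for "$1" "$db" | grep -qx sss || continue
        case $db in
            sudoers)   lib=libsss_sudo.so ;;   # loaded by sudo, not by glibc
            automount) continue ;;             # autofs uses its own module; not checked
            *)         lib=libnss_sss.so.2 ;;  # glibc NSS module
        esac
        [ -e "$2/$lib" ] || printf '%s %s\n' "$db" "$lib"
    done
}

# demo: constructed host that has the NSS module but no sudo plugin, the
# "base" profile case described in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample: rows quoted in the thread plus a sudoers row
passwd:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
netgroup:   nisplus sss
sudoers:    files sss
EOF
    : > "$tmp/libnss_sss.so.2"
    missing_sss_plugins "$tmp/nsswitch.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a host, call `missing_sss_plugins /etc/nsswitch.conf` with the system library directory (for example `/usr/lib64` on x86_64) as the second argument.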

@ghoneycutt
Owner

So it seems that sss is what EL uses even if they don't have sssd-client in the minimal install.

You are proposing that we just remove it from sudoers as the default, which seems ok.
