
Revision as of 11:01, 13 November 2023 by Amoloney (announcing the change)

Removing SSSD ‘files provider’

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Remove SSSD “files provider” feature that allows handling of local users.

Owner


Current status

  • Targeted release: Fedora Linux 40
  • Last updated: 2023-11-13
  • Discussion thread
  • Announced
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

SSSD's ability to handle local users (/etc/passwd and /etc/group) using “id_provider=files” was previously deprecated, and its future removal was announced both upstream and in the Fedora 38 release notes.
The FlexibleLocalUserCache change disabled this feature by default even earlier. The reason for this move is that the benefits of the feature turned out to be negligible, while the confusion and overhead it creates are considerable.
In practice, only two use cases currently justify use of the “files provider”:

  • smart card authentication of local users;
  • session recording for local users.

For both cases the “proxy provider” is a viable substitute, so the “files provider” can be dropped. SSSD maintainers will provide a document on sssd.io describing how to switch (where it is really needed!).

Feedback

So far we have received no pushback (and practically no feedback at all) regarding the previous deprecation notices and removal announcements.

Benefit to Fedora

Alignment with upstream development, which plans to remove the corresponding code completely. Cleaner and simpler OS configuration (/etc/nsswitch.conf and authselect profiles).

Scope

  • Proposal owners:
    • The SSSD package will be built without the --with-files-provider ./configure option; a document describing use of the 'proxy provider' in the aforementioned cases will be provided;
    • authselect
      • A new “local” profile to handle local users without SSSD will be introduced. This profile will be based on “minimal”, but it may gain more features.
      • The “minimal” profile will be removed and replaced by “local”.
      • The “local” profile will now be the default profile.
      • The ‘sssd’ profile will lose the with-files-domain and with-files-access-provider options, and will gain a with-tlog option.
  • Other developers:
    • cockpit session recording: configuration of session recording for local users was switched to the ‘proxy provider’; a change will be made to execute authselect with the with-tlog option;
    • shadow-utils: the package will be built with the --without-sssd configuration option set.
  • Release engineering: #11765 (proposed composes definition change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Since the feature has been turned off by default since Fedora 35 (FlexibleLocalUserCache), this change won’t have any noticeable impact on the vast majority of the user base.
Those who were configuring it explicitly, and for a good reason, will have to update their SSSD configuration manually to use the ‘proxy provider’ instead of the ‘files provider’.
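As an added example (not part of this proposal, and not SSSD's or authselect's own tooling), the following POSIX shell script audits an sssd.conf for domains that still use the removed ‘files provider’ and prints the equivalent ‘proxy provider’ stanza. The sample sssd.conf, its domain names and the sssd-shadowutils PAM target are assumptions made for the example.

```sh
#!/bin/sh
# Added example: find [domain/...] sections with "id_provider = files" and
# print the proxy-provider replacement. Sample config below is constructed.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[sssd]
domains = local, example.com
services = nss, pam

[domain/local]
id_provider = files

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
EOF

# Print the names of [domain/...] sections whose id_provider is "files".
# Any section header resets the current domain so keys in [nss]/[pam]
# sections are never attributed to a domain.
files_provider_domains() {
    awk '
        /^\[/ { dom = "" }
        /^\[domain\// { dom = $0; sub(/^\[domain\//, "", dom); sub(/\]$/, "", dom); next }
        dom != "" && /^[ \t]*id_provider[ \t]*=[ \t]*files[ \t]*$/ { print dom }
    ' "$1"
}

# Emit the proxy-provider stanza for a domain: identity lookups are proxied to
# glibc's libnss_files.so.2, and PAM authentication goes through the
# sssd-shadowutils PAM stack (assumption: that PAM file is shipped with sssd).
proxy_stanza() {
    printf '[domain/%s]\nid_provider = proxy\nproxy_lib_name = files\nauth_provider = proxy\nproxy_pam_target = sssd-shadowutils\n' "$1"
}

for d in $(files_provider_domains "$SAMPLE"); do
    echo "domain '$d' uses the removed files provider; replace its stanza with:"
    proxy_stanza "$d"
done
```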

How To Test

General regression testing.

User Experience

N/A

Dependencies

sssd, authselect, cockpit-session-recording, shadow-utils

Contingency Plan

  • Contingency mechanism: revert SSSD spec file changes
  • Contingency deadline: Fedora 40 beta freeze
  • Blocks release? No


Documentation

Release notes only.

Release Notes

The previously deprecated SSSD “files provider” feature, which allowed SSSD to handle local users, was removed. This doesn’t affect the default configuration, where local users are handled by the glibc module (‘libnss_files.so.2’). If you have a specific configuration that requires SSSD to handle local users (for example, smart card authentication of local users), switch to the ‘proxy provider’ instead.