From Fedora Project Wiki

Removing SSSD ‘files provider’

Summary

Remove SSSD “files provider” feature that allows handling of local users.

Owner


Current status

Detailed Description

SSSD’s ability to handle local users (/etc/passwd and /etc/group) using “id_provider=files” was previously deprecated, and its future removal was announced both upstream and in the Fedora 38 release notes.
The FlexibleLocalUserCache change disabled this feature by default even earlier. The reason for this move is that the benefits of the feature turned out to be negligible, while the confusion and overhead it creates are considerable.
In practice, there are only two use cases that currently justify use of the “files provider”:

  • smart card authentication of local users;
  • session recording for local users.

For both cases the “proxy provider” is a viable substitute, so the “files provider” can be dropped. The following article describes how to switch to the “proxy provider” (where it’s really needed!)

Feedback

So far we have received no pushback (and practically no feedback at all) with regard to the previous deprecation notices and removal announcements.

Benefit to Fedora

Alignment with upstream development, which plans to remove the corresponding code completely. Cleaner and simpler OS configuration (/etc/nsswitch.conf and authselect profiles).

Scope

  • Proposal owners:
    • The SSSD package will be built without the --with-files-provider ./configure option; a document describing usage of the 'proxy provider' in the aforementioned cases will be provided;
    • authselect
      • A new “local” profile to handle local users without SSSD will be introduced. This profile will be based on “minimal”, but it may gain more features.
      • The “minimal” profile will be removed and replaced by “local”.
      • The “local” profile will now be the default profile.
      • The ‘sssd’ profile will lose the with-files-domain and with-files-access-provider options, and will gain the --with-tlog option.
  • Other developers:
    • cockpit session recording: configuration of session recording with local users was switched to ‘proxy-provider’; a change will be made to execute authselect --with-tlog;
    • shadow-utils: the package will be built with the --without-sssd configuration option set.
  • Release engineering: #11765 (proposed composes definition change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Because the feature has been turned off by default since Fedora 35 (FlexibleLocalUserCache), this change won’t have any noticeable impact on the vast majority of the user base.
Those who were configuring it explicitly and for a good reason will have to update their SSSD configuration manually to use the ‘proxy provider’ instead of the ‘files provider’.
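
One way to check whether a host is affected before upgrading, as an added example (not part of the original Change page or of the SSSD project's code): the script merges sssd.conf with its conf.d snippets and reports every domain that sets id_provider = files, noting whether that domain is actually enabled. The sample configuration is constructed; the enable_files_domain option and the sssd.conf plus conf.d/*.conf layout are assumptions taken from sssd.conf(5), not from this page.

```python
import configparser
import sys
from pathlib import Path

# Constructed sample input (not from a real host).
SAMPLE_MAIN = """\
[sssd]
domains = local, example.test

[domain/local]
id_provider = files

[domain/example.test]
id_provider = ldap
"""
SAMPLE_SNIPPET = "[domain/legacy]\nid_provider = FILES\n"

def load_sssd_config(main_text, snippets=()):
    """Merge sssd.conf with conf.d snippets; later text overrides earlier."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    for text in (main_text, *snippets):
        cfg.read_string(text)
    return cfg

def files_provider_findings(cfg):
    """Return (section, setting, active) for every files-provider use."""
    raw = cfg.get("sssd", "domains", fallback="")
    enabled = {d.strip() for d in raw.split(",") if d.strip()}
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        provider = cfg.get(section, "id_provider", fallback="").strip().lower()
        if provider == "files":
            active = section.split("/", 1)[1] in enabled
            findings.append((section, "id_provider = files", active))
    # Assumption from sssd.conf(5): this option adds an implicit files domain.
    if cfg.getboolean("sssd", "enable_files_domain", fallback=False):
        findings.append(("sssd", "enable_files_domain = true", True))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /etc/sssd (reading it needs root)
        base = Path(sys.argv[1])
        main = (base / "sssd.conf").read_text()
        extra = [p.read_text() for p in sorted(base.glob("conf.d/*.conf"))]
    else:
        main, extra = SAMPLE_MAIN, [SAMPLE_SNIPPET]
    for section, setting, active in files_provider_findings(load_sssd_config(main, extra)):
        state = "active" if active else "not listed in [sssd] domains"
        print(f"[{section}] {setting} ({state}): switch to the proxy provider")
```

Run without arguments it evaluates the constructed sample; pass the configuration directory as the first argument to audit a real host.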

How To Test

General regression testing.

User Experience

N/A

Dependencies

sssd, authselect, cockpit-session-recording, shadow-utils

Contingency Plan

  • Contingency mechanism: revert SSSD spec file changes
  • Contingency deadline: Fedora 40 beta freeze
  • Blocks release? No


Documentation

Release notes only.

Release Notes

The previously deprecated SSSD “files provider” feature, which allows handling of local users, was removed. This doesn’t affect the default configuration, where local users are handled by the glibc module (‘libnss_files.so.2’). In case of a specific configuration that requires SSSD to handle local users (for example, smart card authentication of local users), switch to the ‘proxy provider’ instead.