From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Fri, 23 Feb 2024 15:49:09 +0100 Subject: [PATCH 1/3] rhel10: remove systemd-homed systemd-homed is not present in rhel. --- profiles/local/README | 3 --- profiles/local/password-auth | 4 ---- profiles/local/system-auth | 4 ---- profiles/nis/README | 3 --- profiles/nis/REQUIREMENTS | 3 --- profiles/nis/password-auth | 4 ---- profiles/nis/system-auth | 4 ---- profiles/sssd/README | 3 --- profiles/sssd/REQUIREMENTS | 3 --- profiles/sssd/password-auth | 4 ---- profiles/sssd/system-auth | 4 ---- profiles/winbind/README | 3 --- profiles/winbind/REQUIREMENTS | 3 --- profiles/winbind/password-auth | 4 ---- profiles/winbind/system-auth | 4 ---- 15 files changed, 53 deletions(-) diff --git a/profiles/local/README b/profiles/local/README index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644 --- a/profiles/local/README +++ b/profiles/local/README @@ -54,9 +54,6 @@ with-mdns4:: with-mdns6:: Enable multicast DNS over IPv6. -with-systemd-homed:: - If set, pam_systemd_homed is enabled for all pam operations. - with-libvirt:: Enable connecting to libvirt VMs using the hostname configured in the guest OS or, as a fallback, their name. diff --git a/profiles/local/password-auth b/profiles/local/password-auth index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644 --- a/profiles/local/password-auth +++ b/profiles/local/password-auth @@ -4,17 +4,14 @@ auth required pam_faillock.so preauth auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -24,7 +21,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/local/system-auth b/profiles/local/system-auth index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644 --- a/profiles/local/system-auth +++ b/profiles/local/system-auth @@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -25,7 +22,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/nis/README b/profiles/nis/README index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644 --- a/profiles/nis/README +++ b/profiles/nis/README @@ -65,9 +65,6 @@ with-mdns4:: with-mdns6:: Enable multicast DNS over IPv6. -with-systemd-homed:: - If set, pam_systemd_homed is enabled for all pam operations. - without-nullok:: Do not add nullok parameter to pam_unix. diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644 --- a/profiles/nis/REQUIREMENTS +++ b/profiles/nis/REQUIREMENTS @@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} {include if "with-libvirt"} - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} - {include if "with-systemd-homed"} -- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} - - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644 --- a/profiles/nis/password-auth +++ b/profiles/nis/password-auth @@ -4,17 +4,14 @@ auth required pam_faillock.so preauth auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so broken_shadow -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only} password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -24,7 +21,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644 --- a/profiles/nis/system-auth +++ b/profiles/nis/system-auth @@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so broken_shadow -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only} password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -25,7 +22,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/sssd/README b/profiles/sssd/README index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644 --- a/profiles/sssd/README +++ b/profiles/sssd/README @@ -106,9 +106,6 @@ with-gssapi:: with-subid:: Enable SSSD as a source of subid database in /etc/nsswitch.conf. -with-systemd-homed:: - If set, pam_systemd_homed is enabled for all pam operations. - without-nullok:: Do not add nullok parameter to pam_unix. diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644 --- a/profiles/sssd/REQUIREMENTS +++ b/profiles/sssd/REQUIREMENTS @@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo - with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"} {include if "with-libvirt"} - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} - {include if "with-systemd-homed"} -- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} - - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644 --- a/profiles/sssd/password-auth +++ b/profiles/sssd/password-auth @@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail {include if "with-faillock"} @@ -16,14 +15,12 @@ auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so account sufficient pam_localuser.so {exclude if "with-files-access-provider"} account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so local_users_only password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -35,7 +32,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644 --- a/profiles/sssd/system-auth +++ b/profiles/sssd/system-auth @@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"} auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"} auth sufficient pam_sss_gss.so {include if "with-gssapi"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular @@ -23,14 +22,12 @@ auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so account sufficient pam_localuser.so {exclude if "with-files-access-provider"} account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so local_users_only password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -42,7 +39,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/winbind/README b/profiles/winbind/README index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644 --- a/profiles/winbind/README +++ b/profiles/winbind/README @@ -75,9 +75,6 @@ with-mdns4:: with-mdns6:: Enable multicast DNS over IPv6. -with-systemd-homed:: - If set, pam_systemd_homed is enabled for all pam operations. - without-nullok:: Do not add nullok parameter to pam_unix. diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644 --- a/profiles/winbind/REQUIREMENTS +++ b/profiles/winbind/REQUIREMENTS @@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} {include if "with-libvirt"} - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} - {include if "with-systemd-homed"} -- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} - - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644 --- a/profiles/winbind/password-auth +++ b/profiles/winbind/password-auth @@ -4,7 +4,6 @@ auth required pam_faillock.so preauth auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass auth required pam_faillock.so authfail {include if "with-faillock"} @@ -13,14 +12,12 @@ auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth} account required pam_permit.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so local_users_only password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -31,7 +28,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644 --- a/profiles/winbind/system-auth +++ b/profiles/winbind/system-auth @@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} auth sufficient pam_unix.so {if not "without-nullok":nullok} -auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass auth required pam_faillock.so authfail {include if "with-faillock"} @@ -14,14 +13,12 @@ auth required pam_deny.so account required pam_access.so {include if "with-pamaccess"} account required pam_faillock.so {include if "with-faillock"} -account sufficient pam_systemd_home.so {include if "with-systemd-homed"} account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth} account required pam_permit.so -password sufficient pam_systemd_home.so {include if "with-systemd-homed"} password requisite pam_pwquality.so local_users_only password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} @@ -32,7 +29,6 @@ password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -session optional pam_systemd_home.so {include if "with-systemd-homed"} -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -- 2.42.0