From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 15:49:09 +0100
Subject: [PATCH 1/3] rhel10: remove systemd-homed
systemd-homed is not present in rhel.
---
profiles/local/README | 3 ---
profiles/local/password-auth | 4 ----
profiles/local/system-auth | 4 ----
profiles/nis/README | 3 ---
profiles/nis/REQUIREMENTS | 3 ---
profiles/nis/password-auth | 4 ----
profiles/nis/system-auth | 4 ----
profiles/sssd/README | 3 ---
profiles/sssd/REQUIREMENTS | 3 ---
profiles/sssd/password-auth | 4 ----
profiles/sssd/system-auth | 4 ----
profiles/winbind/README | 3 ---
profiles/winbind/REQUIREMENTS | 3 ---
profiles/winbind/password-auth | 4 ----
profiles/winbind/system-auth | 4 ----
15 files changed, 53 deletions(-)
diff --git a/profiles/local/README b/profiles/local/README
index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
--- a/profiles/local/README
+++ b/profiles/local/README
@@ -54,9 +54,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
with-libvirt::
Enable connecting to libvirt VMs using the hostname configured in the
guest OS or, as a fallback, their name.
diff --git a/profiles/local/password-auth b/profiles/local/password-auth
index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
--- a/profiles/local/password-auth
+++ b/profiles/local/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/local/system-auth b/profiles/local/system-auth
index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
--- a/profiles/local/system-auth
+++ b/profiles/local/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/README b/profiles/nis/README
index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -65,9 +65,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
--- a/profiles/nis/REQUIREMENTS
+++ b/profiles/nis/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -106,9 +106,6 @@ with-gssapi::
with-subid::
Enable SSSD as a source of subid database in /etc/nsswitch.conf.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -16,14 +15,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -35,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
@@ -23,14 +22,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -42,7 +39,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -75,9 +75,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
--- a/profiles/winbind/REQUIREMENTS
+++ b/profiles/winbind/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -13,14 +12,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -31,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -14,14 +13,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -32,7 +29,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
--
2.42.0