From 8917ef788c03df842b75708bcdff7ecb15120cdb Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: May 14 2018 08:40:55 +0000
Subject: Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
It can be now enabled with 'authselect select sssd with-sudo', see [1] for details.
[1] https://github.com/pbrezina/authselect/commit/4b1981a67216f56e67cff3887fe38ee8063ee0b2
---
diff --git a/0002-sssd-disable-sudo-by-default.patch b/0002-sssd-disable-sudo-by-default.patch
new file mode 100644
index 0000000..861da2c
--- /dev/null
+++ b/0002-sssd-disable-sudo-by-default.patch
@@ -0,0 +1,43 @@
+From 4b1981a67216f56e67cff3887fe38ee8063ee0b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Wed, 9 May 2018 14:27:56 +0200
+Subject: [PATCH] sssd: disable sudo by default
+
+SSSD's sudo responder is not enabled by default on Fedora systems,
+therefore having it enabled in nsswitch.conf produced warnings in
+logs or sudo mails.
+---
+ profiles/sssd/README | 3 +++
+ profiles/sssd/nsswitch.conf | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index d2e104f80ce1c1993c683f5c5331f09e8afa1ee9..a7e6e640eefa1268586169b7349e8ed6d062066f 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -50,6 +50,9 @@ with-fingerprint::
+ with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
++with-sudo::
++ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
++
+ EXAMPLES
+ --------
+
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index fa5d76a9594dca9b9e192af7774600451557e5c5..cde7964a8531ae2b5e28ed6bf5428731b80b6ece 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -3,7 +3,7 @@ group: sss files
+ netgroup: sss files
+ automount: sss files
+ services: sss files
+-sudoers: files sss
++sudoers: files {if "with-sudo":sss}
+
+ shadow: files
+ ethers: files
+--
+2.14.3
+
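Review bot: The new `with-sudo::` entry in profiles/sssd/README does not mention that SSSD's sudo responder has to be enabled as well. The embedded patch description says the responder is off by default on Fedora, so selecting the feature on its own would presumably bring back the same log warnings and sudo mails. I would word the entry as `Allow sudo to use SSSD as a source for sudo rules in addition to /etc/sudoers. The SSSD sudo responder must be enabled separately.`, which also fixes "in addition of". Separately, the nsswitch.conf line `sudoers: files {if "with-sudo":sss}` drops the sss source for hosts that already rely on centrally managed sudo rules, presumably as soon as the profile is re-applied. A short upgrade note telling those administrators to run `authselect select sssd with-sudo` would keep the effective sudo policy from changing unnoticed.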
diff --git a/authselect.spec b/authselect.spec index 391aaf8..62eea36 100644 --- a/authselect.spec +++ b/authselect.spec @@ -1,6 +1,6 @@ Name: authselect Version: 0.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/pbrezina/authselect @@ -8,6 +8,7 @@ License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz Patch1: 0001-Don-t-disable-oddjobd.service.patch +Patch2: 0002-sssd-disable-sudo-by-default.patch BuildRequires: autoconf BuildRequires: automake @@ -74,6 +75,7 @@ you develop a front-end for the authselect library. %prep %setup -q %patch1 -p1 +%patch2 -p1 %build @@ -175,6 +177,9 @@ fi exit 0 %changelog +* Wed May 14 2018 Pavel Březina - 0.4-3 +- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403) + * Wed Apr 25 2018 Christian Heimes - 0.4-2 - Don't disable oddjobd.service (RHBZ #1571844)