
I have been using RADIUS and TACACS+ AAA on CentOS 6 and need to duplicate that functionality on CentOS 8. However, the changes to how you now configure NSS confuse me. How do I make changes to nsswitch.conf? Specifically, on CentOS 6, I have been replacing `passwd: files` in /etc/nsswitch.conf with `passwd: tacplus files` for TACACS+ support and with `passwd: mapname files mapuid` for RADIUS support. (I also include corresponding rules in /etc/pam.d/sshd and login.) On CentOS 8, I see a warning in /etc/nsswitch.conf not to modify it. I tried what it says:

# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.

But that doesn't change nsswitch.conf.

plong
  • Read the next paragraph. – Michael Hampton Sep 02 '20 at 19:14
  • @MichaelHampton I did, but it still doesn't make sense. For example, is "selected profile" the same thing as "current profile?" The command, `authselect current`, shows `Profile ID: sssd`. Is that it? What is the `authselect profile`? Is that the same as "selected profile?" And what "user file" is the comment referring to? Is that the /etc/authselect/user-nsswitch.conf file? In the end, I still don't know how to change the passwd map in nsswitch.conf. NSS on CentOS 6 doesn't have profiles, sss, etc., and that's where I'm coming from. – plong Sep 02 '20 at 20:05
  • The authselect profile is the one you're using or the one you are considering using. Probably you could write a new authselect profile that makes the changes to the files that you want. I've personally never had a reason to do this, so I can't advise whether this is easy or not. You also could just ignore authselect and make manual changes. It was run at system installation and if you never run it again it won't make any changes. – Michael Hampton Sep 02 '20 at 20:08
  • @MichaelHampton Oh, so are you saying just go ahead and edit /etc/nsswitch.conf directly, despite the warning? (I understand that it's just a symlink to /etc/authselect/nsswitch.conf.) That'd be fine by me. I just don't want to break anything. – plong Sep 02 '20 at 20:26
  • Well, keep a backup, of course. But typically `authselect` is only run once, by the installer, or a second time by the admin when switching to a different authentication method (e.g. NIS, winbind, Active Directory etc.). It seems unlikely you're going to do this. – Michael Hampton Sep 02 '20 at 20:32
  • This is an appliance where we manage whether RADIUS, TACACS+, or "files" are used for auth. We change the underlying config based on what the user specifies via a web interface. I'd really like to do it the "right" way on CentOS 8, which I assume means using authselect, but I just don't understand how. – plong Sep 02 '20 at 20:38
  • Making a new authselect profile seems like the way to go if the authentication configuration may be changed more than once in the lifetime of the server. The man pages for `authselect` (see the section for `create-profile`) and `authselect-profiles` seem to cover it in detail. – Michael Hampton Sep 02 '20 at 20:43
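The custom-profile route suggested in the comments, as an added example that is not part of the question or of the authselect project: it copies the `sssd` base profile, rewrites only the `passwd:` line of the profile's own nsswitch.conf template (so the same helper serves `tacplus files` or `mapname files mapuid`), activates the profile, and uses `authselect check` to confirm the generated /etc/nsswitch.conf still matches the profile. The profile name `tacplus` and the module order are assumptions; the NSS modules themselves (libnss-tacplus, nss_mapuser) must be installed separately.

```shell
#!/bin/sh
# Added example (not from the question or from authselect itself).
# Assumes authselect 1.x with the "sssd" base profile available.

# Rewrite the "passwd:" line of an nsswitch.conf-style file in place so that it
# lists exactly the given modules, keeping the key and its alignment intact.
set_passwd_modules() {
    file=$1
    modules=$2
    sed -i -E "s/^(passwd:[[:space:]]+).*/\1${modules}/" "$file"
}

# Print the module list currently configured on the "passwd:" line.
get_passwd_modules() {
    sed -n -E 's/^passwd:[[:space:]]+(.*)$/\1/p' "$1" | sed -E 's/[[:space:]]+$//'
}

# Create the custom profile, patch its template and activate it.  Must run as
# root on the target host; wrapped in a function so this file can be sourced
# without side effects.  Profile name "tacplus" is an assumption.
install_custom_profile() {
    name=${1:-tacplus}
    modules=${2:-"tacplus files sss systemd"}
    # Symlink PAM and metadata so they keep tracking vendor updates; nsswitch.conf
    # stays a real file in /etc/authselect/custom/<name>/ because we modify it.
    authselect create-profile "$name" -b sssd --symlink-meta --symlink-pam
    set_passwd_modules "/etc/authselect/custom/$name/nsswitch.conf" "$modules"
    authselect select "custom/$name" --force
    # "authselect check" reports whether /etc/nsswitch.conf and the PAM files
    # still match the selected profile, i.e. that nothing was hand-edited.
    authselect check
    get_passwd_modules /etc/nsswitch.conf
}
```

To switch back to plain files-based auth later, select the profile again with a different module list rather than editing /etc/nsswitch.conf directly, so `authselect check` keeps passing.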

0 Answers