From 65a02177fa30930e24eaf054afe750269f55df2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20=C5=BD=C3=A1=C4=8Dek?=
Date: Tue, 26 May 2026 18:02:29 +0200
Subject: [PATCH] Prioritize SSS over local accounts in nsswitch

Rewrites the passwd and group lines in /etc/nsswitch.conf so SSSD is consulted before local files, and notifies the existing SSSD restart handler so the change takes effect immediately.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 initial_install/roles/freeipa_client/tasks/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/initial_install/roles/freeipa_client/tasks/main.yml b/initial_install/roles/freeipa_client/tasks/main.yml
index ec1e085..aec4b64 100644
--- a/initial_install/roles/freeipa_client/tasks/main.yml
+++ b/initial_install/roles/freeipa_client/tasks/main.yml
@@ -34,6 +34,16 @@
 no_log: false
 when: not ipa_client_conf.stat.exists
 
+- name: Prioritize SSS over local accounts in NSS
+ ansible.builtin.lineinfile:
+ path: /etc/nsswitch.conf
+ regexp: '^{{ item }}:'
+ line: '{{ item }}: sss files systemd'
+ loop:
+ - passwd
+ - group
+ notify: Restart SSSD
+
 - name: Enable mkhomedir
 ansible.builtin.command:
 argv:
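Review bot: The `line: '{{ item }}: sss files systemd'` replacement in the new lineinfile task puts directory data ahead of /etc/passwd and /etc/group, so a FreeIPA entry that shares a name or ID with a local account now wins the lookup, and the rewrite also discards whatever other sources or `[...]` actions the existing line carried. The task deserves a comment stating that this ordering is intentional and relies on SSSD filtering local names, for example `# sss first: root and local service accounts must stay in filter_users/filter_groups in sssd.conf`. Adding `backup: true` to the lineinfile arguments would keep a recoverable copy of a file whose breakage stops all account resolution on the host. If the following "Enable mkhomedir" task runs authselect (its argv lies outside the hunk), the regenerated nsswitch.conf may replace this hand edit, so setting the order through the authselect profile would be more durable.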