new cookbook: fb_sssd

This is a very simple cookbook to manage `sssd` a common staple on
modern Linux machines - both servers and client machines.

I've tried to stick as close as possible to my recollection of the
internal FB cookbook. Other than some extra symlinks and a bit of
internal config, I think this should be a nearly drop-in replacement
that will be easy to migrate to.

Author: jaymzh

cookbooks/fb_init_sample/metadata.rb

@@ -58,6 +58,7 @@
 depends 'fb_sdparm'
 depends 'fb_securetty'
 depends 'fb_smartmon'
+depends 'fb_sssd'
 depends 'fb_storage'
 depends 'fb_stunnel'
 depends 'fb_sudo'

cookbooks/fb_init_sample/recipes/default.rb

@@ -49,6 +49,7 @@
   include_recipe 'fb_launchd'
 end
 include_recipe 'fb_nsswitch'
+include_recipe 'fb_sssd'
 # HERE: ssh
 include_recipe 'fb_less'
 if node.linux? && !node.embedded? && !node.container?

cookbooks/fb_sssd/README.md

@@ -0,0 +1,55 @@
+fb_sssd Cookbook
+================
+Manage sssd configuration
+
+Requirements
+------------
+
+Attributes
+----------
+* node['fb_sssd']['enable']
+* node['fb_sssd']['manage_packages']
+* node['fb_sssd']['config']
+
+Usage
+-----
+### enable
+
+Enable will install, setup, and start sssd if `true`, and will stop and
+uninstall it if `false` (default).
+
+### manage_packages
+
+If true (default) will install or uninstall packages based on `enable`. Otherwise does not touch packages.
+
+### config
+
+The config is a two-level hash where the top-level hash is the **section** of the INI file (`/etc/sssd/sssd.conf`), and the hash under that is key-value pairs. For example:
+
+```ruby
+node.default['fb_sssd']['config']['nss']['default_shell'] = '/bin/bash'
+```
+
+is rendered as:
+
+```text
+[nss]
+default_shell = /bin/bash
+```
+
+If the value is an array it is joined into a string using `, `, ala:
+
+```ruby
+node.default['fb_sssd']['config']['sssd']['services'] = [
+  'nss',
+  'pam',
+  'ssh',
+]
+```
+
+will be rendered as:
+
+```text
+[sssd]
+services = nss, pam, ssh
+```

cookbooks/fb_sssd/attributes/default.rb

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2025-present, Meta Platforms, Inc.
+# Copyright (c) 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['fb_sssd'] = {
+  'enable' => false,
+  'manage_packages' => true,
+  'config' => {
+    'sssd' => {
+      'config_file_version' => 2,
+    },
+  },
+}

cookbooks/fb_sssd/metadata.rb

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2019-present, Vicarious, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'fb_sssd'
+maintainer 'Facebook'
+maintainer_email '[email protected]'
+license 'Apache-2.0'
+source_url 'https://github.com/facebook/chef-cookbooks/'
+description 'Installs/Configures sssd'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+supports 'centos'
+supports 'debian'
+supports 'ubuntu'
+# never EVER change this number, ever.
+version '0.1.0'

cookbooks/fb_sssd/recipes/default.rb

@@ -0,0 +1,94 @@
+#
+# Cookbook:: fb_sssd
+# Recipe:: default
+#
+# Copyright (c) 2025-present, Meta Platforms, Inc.
+# Copyright (c) 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+packages = %w{
+  sssd
+  sssd-ad
+  sssd-common
+  sssd-dbus
+  sssd-ipa
+  sssd-krb5
+  sssd-krb5-common
+  sssd-ldap
+  sssd-proxy
+  sssd-tools
+}
+
+extra_packages = value_for_platform_family(
+  ['fedora', 'rhel'] => ['sssd-client'],
+  ['debian'] => ['sssd-ad-common'],
+)
+
+packages += extra_packages
+
+package packages do
+  only_if { node['fb_sssd']['enable'] && node['fb_sssd']['manage_packages'] }
+  action :upgrade
+end
+
+package 'remove sssd' do
+  not_if { node['fb_sssd']['enable'] }
+  package_name packages
+  action :remove
+end
+
+template '/etc/sssd/sssd.conf' do
+  only_if { node['fb_sssd']['enable'] }
+  owner 'root'
+  group 'root'
+  mode '0600'
+  notifies :restart, 'service[sssd]'
+end
+
+file '/etc/sssd/sssd.conf' do
+  not_if { node['fb_sssd']['enable'] }
+  action :delete
+end
+
+Dir.glob('/etc/sssd/conf.d/*').each do |f|
+  file f do
+    only_if { node['fb_sssd']['enable'] }
+    action :delete
+  end
+end
+
+service 'sssd' do
+  only_if { node['fb_sssd']['enable'] }
+  action [:enable, :start]
+  # nsswitch is before sssd (for good reasons), but that means on first
+  # boot, we'll trigger on the nsswitch notification and try to restart
+  # even when we can't. This could of course happen outside of firstboot
+  # so if the binary isn't there at compile time, don't bother setting up
+  # the notification. This is safe: if the binary isn't there, it can't
+  # be running and therefore can't have an old config... it will then be
+  # started by this resource
+  if File.exist?('/usr/sbin/sssd')
+    subscribes :restart, 'template[/etc/nsswitch.conf]', :immediately
+  end
+end
+
+service 'disable sssd' do
+  not_if { node['fb_sssd']['enable'] }
+  # once the package is removed, this fails, sadly
+  only_if { ::File.exist?('/lib/systemd/system/sssd.service') }
+  service_name 'sssd'
+  action [:stop, :disable]
+end

cookbooks/fb_sssd/templates/sssd.conf.erb

@@ -0,0 +1,7 @@
+# This file is managed by Chef, do not edit manually!
+<% node['fb_sssd']['config'].each do |section, conf| %>
+[<%= section %>]
+<%   conf.each do |key, val| %>
+<%=    key %> = <%= val.is_a?(Array) ? val.join(', ') : val %>
+<%   end %>
+<% end %>