[Freeipa-users] Slight confusion about groups, netgroups, sudo rules etc.

Eivind Olsen eivind at aminor.no
Tue Mar 13 10:27:52 UTC 2012 

Hello.

I'm currently looking at implementing IPA in a mixed environment,
consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is
the most recent one bundled with RHEL 6.2.

I have some general rules I'll need to follow as best as I can, but I'm
not really sure how to do this in IPA without it seeming like a huge
work-around. This seems easy enough had it been for a pure RHEL6
environment, but with Solaris there's no SSSD, I apparantly might need to
downgrade the encryption types for "older" Solaris 10, etc. All of this is
making my head dizzy, and I'd appreciate any help and pointers to clear my
mind :)

Examples of the basic rules are (there's more of them, it's not only for
the DNS servers for example, but the other cases can be solved in the same
way):
- all sysadmins should be allowed to log into every system in the realm
- all sysadmins should be allowed to run certain commands (or to make it
easy, any command) through the use of "sudo", on all systems
- some users will be part of certain groups, giving them permission to log
into certain servers and run a set of commands through "sudo", for
example: members of the dns-managers group should be allowed to ssh into
the DNS servers (which consist of both RHEL6 and Solaris 10), and run
certain commands through "sudo"
- certain other users will be allowed to log into some systems, but
without any additional access through "sudo" (the fact that they're
allowed to log into system X doesn't mean they should be allowed to become
root, etc).

I've read a suggestion about making a host group for the Red Hat systems,
a netgroup for the Solaris systems, and creating a user group which is
added as a member of both the host group and netgroup. But, will I still
need to worry about the old issue of Solaris apparantly not coping well
with users that have >16 additional groups to their name?

I have also read about having to add / change compatibility plugins,
having to downgrade the algorithm for the Solaris 10 encryption type for
older Solaris 10 releases, etc. And there's probably a few more things I
need to watch out for and that aren't directly mentioned in the IPA
documentation.

Oh, in case it matters - there's no common NFS home directories, so I'll
also need to automatically create the home directories (I've got this bit
sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read
suggestions about using executable autofs maps to create home directories
in /export/home and have tham loopback-mounted to /home so they match the
homeDirectory attribute.

Regards
Eivind "Confused" Olsen

More information about the Freeipa-users mailing list