[Freeipa-users] Different primary group on different machines.

[KodaK]

On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 10/25/2012 03:11 PM, KodaK wrote:
>> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> On 10/25/2012 11:49 AM, KodaK wrote:
>>>> I've been having users use the "newgrp" command to change their
>>>> primary group on different machines.
>>>>
>>>> I've poked around in the docs a bit and I don't see this addressed.  I
>>>> know, I know: "if it works, use it" -- but I'm wondering if I'm just
>>>> missing a way to do it with IPA, or if there's another way to do it
>>>> that might be better.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>>
>>>> --Jason
>>>>
>>> By reading the description of the command it seems that it works only
>>> for local accounts.
>>> So I suspect it is not effective in any case when the users come from
>>> LDAP and not file.
>>>
>>> That brings the question: what is the use case and why you need it and
>>> subsequently is there any other way to solve the problem you are trying
>>> to solve with already existing means in SSSD?
>>>
>> I have users that need different primary groups on different machines.
>>  The newgrp command works -- unfortunately putting it in a login
>> script is a bad thing because newgrp reads those same login scripts,
>> creating an infinite loop.
>>
>> We have many different development groups, but people can be members
>> of multiple groups.  For collaboration, they'd like it when creating a
>> file to have that file have a group ownership of "foo" on machine-A,
>> but "bar" on machine-B.  I'd like to help the end users do this
>> themselves so that I don't have to maintain separate files on each
>> machine (one of the reasons I put in IPA in the first place. :) )
>>
>> Thanks,
>>
>> --Jason
> I see it to be solvable in two different ways.
> One centrally in IPA. Something like an extra attribute attached to HBAC
> rule that would denote the alternative default group. This is just from
> top of my head. I already see problems with this approach but anyways
> this is one direction.

I'd think it would have to be per-user or a separate policy area.
"these users" get "this pgrp" on "these servers".

> A different option is to have a local override in the sssd.conf and make
> SSSD swap primary group for the user but then you would have to
> configure it per user - not a nice approach too.
> Hmmm may be some kind of the sss_chache related utility that would
> update cache with the preferred GID, that would work as a command but
> has other implications - dealing with fast cache and server side changes
> that might override the value...
>
> Anyways not an easy fix. Can you please file an RFE?

Sure.  Where do I do that?  :)  (I'm kidding, I'll google it.)

> Would you be able to contribute some code for such feature?

I'd love to say I could, but I'm not really a coder, and my day job
has me working 50-60 hours a week as it is.  And when I say "I'd love
to" I really mean it.  I'd rather be doing that than my day job. :)

--Jason