[Freeipa-users] substitute local system groups by ipa groups
Natxo Asenjo
natxo.asenjo at gmail.com
Wed Oct 14 18:51:23 UTC 2015
hi,
On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
>
> What is it you expect or desire to happen in this case?
>
sorry, I thought it was obvious. To create a wheel ipa group. Members of
this group are automatically 'root' in sudoers in plenty of distributions
( centos 7, just tested):
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
and in policykit I see this as well:
# cat 50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.
polkit.addAdminRule(function(action, subject) {
return ["unix-group:wheel"];
});
So there is already an existing infrastructure for the wheel group that is
waiting to be used ;-)
Hopefully this makes it clear.
--
regards,
natxo
--
--
Groeten,
natxo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151014/3b94dbaa/attachment.htm>
More information about the Freeipa-users
mailing list