[Freeipa-users] substitute local system groups by ipa groups
Rob Crittenden
rcritten at redhat.com
Wed Oct 14 19:08:29 UTC 2015
Natxo Asenjo wrote:
> hi,
>
> On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
>
> What is it you expect or desire to happen in this case?
>
>
> sorry, I thought it was obvious. To create a wheel ipa group. Members of
> this group are automatically 'root' in sudoers in plenty of
> distributions ( centos 7, just tested):
>
> ## Allows people in group wheel to run all commands
> %wheel ALL=(ALL) ALL
>
> and in policykit I see this as well:
>
> # cat 50-default.rules
> /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
>
> // DO NOT EDIT THIS FILE, it will be overwritten on update
> //
> // Default rules for polkit
> //
> // See the polkit(8) man page for more information
> // about configuring polkit.
>
> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:wheel"];
> });
>
>
> So there is already an existing infrastructure for the wheel group that
> is waiting to be used ;-)
>
> Hopefully this makes it clear.

Ok, that's what I thought, didn't want to assume. It is my understanding
that nss returns the first match it finds, in this case the system-local
wheel group. There is no merging in SSSD AFAIK.

rob
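
Added example, not part of the thread: a shell helper that lists IPA groups whose name or GID collides with a local group, the case where by-name and by-GID lookups stop at the local entry under `group: files sss`. The function name `shadowed_groups` and the sample entries are assumptions constructed for illustration; both inputs are text in group(5) format.

```shell
#!/bin/sh
# Report IPA/SSSD groups that collide with a local group when nsswitch.conf
# has "group: files sss". With the default lookup actions, a by-name or
# by-GID query returns the first source that answers, here the local file.
# Inputs use group(5) format: name:passwd:gid:members

# shadowed_groups LOCAL_FILE IPA_FILE   (hypothetical helper name)
shadowed_groups() {
    awk -F: '
        /^#/ || NF < 3 { next }              # skip comments and short lines
        FILENAME == ARGV[1] {                # first file: local groups
            gid_of[$1] = $3
            name_of[$3] = $1
            next
        }
        ($1 in gid_of) {                     # same name: lookup by name stops at files
            printf "name %s local_gid=%s ipa_gid=%s ipa_members=%s\n", $1, gid_of[$1], $3, $4
            next
        }
        ($3 in name_of) {                    # same GID, other name: lookup by GID stops at files
            printf "gid %s local_name=%s ipa_name=%s\n", $3, name_of[$3], $1
        }
    ' "$1" "$2"
}

# Constructed sample data (not taken from the thread).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'wheel:x:10:' 'games:x:20:' > "$dir/local"
    printf '%s\n' 'wheel:*:10:alice,bob' 'admins:*:1234600000:alice' \
        'ipagames:*:20:carol' > "$dir/ipa"
    shadowed_groups "$dir/local" "$dir/ipa"
    rm -rf "$dir"
}

demo
```

On a real host the first argument would be `/etc/group` and the second a file of saved `getent -s sss group NAME` output, one line per IPA group to check.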