[Freeipa-users] substitute local system groups by ipa groups

Simo Sorce ssorce at redhat.com
Wed Oct 14 19:54:08 UTC 2015 

----- Original Message -----
> From: "Rob Crittenden" <rcritten at redhat.com>
> To: "Natxo Asenjo" <natxo.asenjo at gmail.com>, freeipa-users at redhat.com
> Sent: Wednesday, October 14, 2015 3:08:29 PM
> Subject: Re: [Freeipa-users] substitute local system groups by ipa groups
> 
> Natxo Asenjo wrote:
> > hi,
> > 
> > On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>> wrote:
> > 
> >     Natxo Asenjo wrote:
> >     > hi,
> >     >
> >     > can you do something like this?
> >     >
> >     > ipa group-add wheel --gid=10
> >     >
> >     > to substitute the local group wheel? Of course nsswitch.conf
> >     > indicates
> >     > local groups get found first ( group: files sss) but, would it work
> >     > and
> >     > is it supported?
> > 
> >     What is it you expect or desire to happen in this case?
> > 
> > 
> > sorry, I thought it was obvious. To create a wheel ipa group. Members of
> > this group are automatically 'root'  in sudoers in plenty of
> > distributions ( centos 7, just tested):
> > 
> > ## Allows people in group wheel to run all commands
> > %wheel  ALL=(ALL)       ALL
> > 
> > and in policykit I see this as well:
> > 
> > # cat 50-default.rules
> > /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> > 
> > // DO NOT EDIT THIS FILE, it will be overwritten on update
> > //
> > // Default rules for polkit
> > //
> > // See the polkit(8) man page for more information
> > // about configuring polkit.
> > 
> > polkit.addAdminRule(function(action, subject) {
> >     return ["unix-group:wheel"];
> > });
> > 
> > 
> > So there is already an existing infrastructure for the wheel group that
> > is waiting to be used ;-)
> > 
> > Hopefully this makes it clear.
> 
> Ok, that's what I thought, didn't want to assume. It is my understanding
> that nss returns the first match it finds, in this case the system-local
> wheel group. There is no merging in SSSD AFAIK.

FYI: we are working on this problem:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

Stephen has patches for glibc, not sure what is th status of the submission yet though.

Simo.


-- 
Simo Sorce * Red Hat, Inc. * New York

More information about the Freeipa-users mailing list