[Freeipa-users] How do you have users be given a local group?

Jakub Hrozek jhrozek at redhat.com
Tue Apr 25 19:50:55 UTC 2017


On Tue, Apr 25, 2017 at 02:43:11PM -0400, greg at greg-gilbert.com wrote:
> I saw this question come up way back in the archives, so I thought I'd
> ask to see if there's a better way to do it. 
> 
> Basically I want users who log into my servers that run the FreeIPA
> client to be given the local usergroup DOCKER.

I think this is what you're looking for:
    https://sourceware.org/glibc/wiki/Proposals/GroupMerging

If you're running a libc version that supports this feature, you'd
define the docker group on the IPA side with the same GID, then SSSD
would deliver the group to libc and libc would merge the results from
the local and the remote groups.

> Is there a way to do
> that? Is it controlled from the FreeIPA server, or is it something (e.g.
> PolicyKit?) that needs to be run on each client? 

PolicyKit is the piece that enforces a policy decision based on the
group membership; the trick here is to merge local and remote groups.

> 
> If it matters, the clients are running Ubuntu 16.04. 

I'm sorry, I don't know if this feature is present in Ubuntu 16.04.
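
A preflight check for the setup described in the reply above, as an added example that is not part of the original message or of the FreeIPA or SSSD code: it verifies that the local group's GID matches the one defined on the IPA side, that the `group:` line in nsswitch.conf uses the `[SUCCESS=merge]` action, and that glibc is 2.24 or later, the release that added that action. The function names and the GID 999 are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check for glibc group merging on an SSSD client.
# File paths are parameters so the functions can run on constructed files.

# Print the GID of group $1 from group file $2 (format name:pw:gid:members).
local_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# Succeed if the "group:" line of nsswitch file $1 carries a
# [SUCCESS=merge] action somewhere before the sss source.
nss_merges_groups() {
    grep -Eiq '^[[:space:]]*group:.*\[[^]]*SUCCESS=merge[^]]*\].*sss' "$1"
}

# Succeed if glibc version $1 (e.g. "2.23") is 2.24 or later.
glibc_has_merge() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 24 ]; }
}

# Report readiness: $1 group name, $2 GID defined on the IPA side,
# $3 group file, $4 nsswitch file, $5 glibc version.
check_merge_ready() {
    rc=0
    gid=$(local_gid "$1" "$3")
    [ -n "$gid" ] || { echo "no local group $1"; rc=1; }
    [ "$gid" = "$2" ] || { echo "GID mismatch: local '$gid', IPA '$2'"; rc=1; }
    nss_merges_groups "$4" || { echo "group: line has no [SUCCESS=merge] before sss"; rc=1; }
    glibc_has_merge "$5" || { echo "glibc $5 predates merge support"; rc=1; }
    return $rc
}

# Invocation on a live client (999 is a constructed GID):
#   sh check.sh docker 999 /etc/group /etc/nsswitch.conf \
#       "$(getconf GNU_LIBC_VERSION | awk '{print $2}')"
if [ "$#" -eq 5 ]; then check_merge_ready "$@"; fi
```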



