Not sure if this helps but I've found on my Fedora machines installing Spotify 
via lpf requires adding my user to the pkg-build group.

When I do that it seems to persist on that machine without affecting groups on 
other machines.  Maybe worth a shot. Might be best to do it, then clear the sss 
cache and reboot to see if the groups persist on the specific machine.

20 Dec 2022 18:14:59 Ranbir via FreeIPA-users 
<[email protected]>:

> On Tue, 2022-12-20 at 08:22 +0200, Alexander Bokovoy via FreeIPA-users
> wrote:
>> FreeIPA does not provide generation capabilities in itself. These things
>> are specific to individual deployments and their logic is impossible to
>> automate in a generic way without exposing some kind of a general
>> purpose language to express it. So we aren't going to implement this
>> when all you can do is to use ansible-freeipa to define your logic and
>> actions already.
> 
> I don't understand why it would be so hard. I'll try to explain better
> how it might work.
> 
> 1. 700 users get workstations
> 2. we put all users into a "workstation" user group
> 3. an HBAC rule "allow_workstation" is created for the "workstation"
>    user group to login using the Services sshd, sudo, su, and su-l,
>    as well as an HBAC Service Group called gnome
> 4. In the host records for each of the workstations, we select which
>    user is the "admin" for that workstation.
> 5. IPA creates internally a Sudo rule for the user and workstation
>    pair that gives that user "admin" control (i.e. all commands
>    allowed as root/anyone)
> 
> That's it. freeipa would be doing on its own and tracking internally
> what we would have to do anyway via ansible or the web UI. Nothing
> fancy or complicated. Why would this be difficult to support within
> freeipa? I apologize if this is a dumb question. :P
> 
> Some background info: we have many hundreds of workstations we want to
> bring into our new IPA deployment and new ones are being added all of
> the time. I don't want to use local sudo rules and I also don't want to
> create sudo rules approaching 1000 in number. Both are dumb solutions,
> even with ansible.
> 
> Please feel free to hammer my take on this! :)
> 
> -- 
> Ranbir
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue