Not sure if this helps but I've found on my Fedora machines installing Spotify via lpf requires adding my user to the pkg-build group.
When I do that it seems to persist on that machine without affecting groups on other machines. Maybe worth a shot. Might be best to do it, then clear sss cache and reboot to see if the groups persist on the specific machine.

20 Dec 2022 18:14:59 Ranbir via FreeIPA-users <[email protected]>:

> On Tue, 2022-12-20 at 08:22 +0200, Alexander Bokovoy via FreeIPA-users
> wrote:
>> FreeIPA does not provide generation capabilities in itself. These things
>> are specific to individual deployments and their logic is impossible to
>> automate in a generic way without exposing some kind of a general
>> purpose language to express it. So we aren't going to implement this
>> when all you can do is to use ansible-freeipa to define your logic and
>> actions already.
>
> I don't understand why it would be so hard. I'll try to explain better
> how it might work.
>
> 1. 700 users get workstations
> 2. we put all users into a "workstation" user group
> 3. an HBAC rule "allow_workstation" is created for the "workstation"
>    user group to login using the Services sshd, sudo, su, and su-l,
>    as well as an HBAC Service Group called gnome
> 4. In the host records for each of the workstations, we select which
>    user is the "admin" for that workstation.
> 5. IPA creates internally a Sudo rule for the user and workstation
>    pair that gives that user "admin" control (i.e. all commands
>    allowed as root/anyone)
>
> That's it. freeipa would be doing on its own and tracking internally
> what we would have to do anyway via ansible or the web UI. Nothing
> fancy or complicated. Why would this be difficult to support within
> freeipa? I apologize if this is a dumb question. :P
>
> Some background info: we have many hundreds of workstations we want to
> bring into our new IPA deployment and new ones are being added all of
> the time. I don't want to use local sudo rules and I also don't want to
> create sudo rules approaching 1000 in number. Both are dumb solutions,
> even with ansible.
>
> Please feel free to hammer my take on this! :)
>
> --
> Ranbir
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
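Steps 4 and 5 of the quoted scheme (one "admin" user per workstation, one sudo rule per pair), written out as an added example that is not part of any message in this thread: a generator that turns a host-to-admin list into `ipa sudorule-*` commands. The sample hosts and users are constructed, and the `admin_<host>` rule name is a hypothetical naming scheme.

```python
import re
import shlex

# Constructed sample data: (workstation FQDN, user who administers it).
SAMPLE_ADMINS = [
    ("ws001.example.test", "alice"),
    ("ws002.example.test", "bob"),
]

# Conservative input checks so a malformed row cannot end up in a rule.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def sudo_rule_commands(pairs):
    """Return ipa CLI argv lists, three per (host, admin) pair."""
    seen = set()
    commands = []
    for host, user in pairs:
        if not HOST_RE.match(host):
            raise ValueError(f"not a fully qualified host name: {host!r}")
        if not USER_RE.match(user):
            raise ValueError(f"unexpected user name: {user!r}")
        if host in seen:
            raise ValueError(f"more than one admin listed for {host}")
        seen.add(host)
        rule = f"admin_{host}"  # hypothetical naming scheme
        commands += [
            # All commands, as any user/group, but only via this rule's
            # explicit user and host members (no --usercat/--hostcat=all).
            ["ipa", "sudorule-add", rule, "--cmdcat=all",
             "--runasusercat=all", "--runasgroupcat=all"],
            ["ipa", "sudorule-add-user", rule, f"--users={user}"],
            ["ipa", "sudorule-add-host", rule, f"--hosts={host}"],
        ]
    return commands


def render(commands):
    """Shell-quote each argv list so the output can be reviewed, then run."""
    return "\n".join(shlex.join(argv) for argv in commands)


if __name__ == "__main__":
    print(render(sudo_rule_commands(SAMPLE_ADMINS)))
```

Each rule names exactly one user and one host, so a user's root access stays confined to their own workstation; the output is meant to be reviewed before it is run with admin credentials.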
