Natxo Asenjo wrote:
> hi,
>
> On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <[email protected]> wrote:
>
>     Natxo Asenjo wrote:
>     > hi,
>     >
>     > can you do something like this?
>     >
>     > ipa group-add wheel --gid=10
>     >
>     > to substitute the local group wheel? Of course nsswitch.conf indicates
>     > local groups get found first ( group: files sss) but, would it work and
>     > is it supported?
>
>     What is it you expect or desire to happen in this case?
>
>
> sorry, I thought it was obvious. To create a wheel ipa group. Members of
> this group are automatically 'root' in sudoers in plenty of
> distributions ( centos 7, just tested):
>
> ## Allows people in group wheel to run all commands
> %wheel ALL=(ALL) ALL
>
> and in policykit I see this as well:
>
> # cat 50-default.rules
> /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
>
> // DO NOT EDIT THIS FILE, it will be overwritten on update
> //
> // Default rules for polkit
> //
> // See the polkit(8) man page for more information
> // about configuring polkit.
>
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:wheel"];
> });
>
>
> So there is already an existing infrastructure for the wheel group that
> is waiting to be used ;-)
>
> Hopefully this makes it clear.

Ok, that's what I thought, didn't want to assume.

It is my understanding that nss returns the first match it finds, in this case the system-local wheel group. There is no merging in SSSD AFAIK.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
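
The first-match behaviour described in the reply above, modelled as an added example (not part of the thread and not FreeIPA or SSSD code): it reads the `group:` line of an nsswitch.conf, resolves a group by name the way the reply describes, and lists directory groups that a local entry of the same name hides. All sample data, user names and the `ipausers` GID are constructed, and how the directory groups were exported into group-file format is assumed.

```python
import re

# Constructed sample data, not taken from the thread's systems.
NSSWITCH = "passwd: files sss\ngroup:  files sss   # local files first\n"
LOCAL = "root:x:0:\nwheel:x:10:localadmin\n"           # /etc/group format
SSS = "wheel:*:10:alice,bob\nipausers:*:5001:alice\n"  # directory groups, same format


def group_sources(nsswitch_text):
    """Ordered sources on the 'group:' line; [STATUS=action] items are dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("group:"):]).split()
    return []


def parse_groups(text):
    """Parse name:passwd:gid:members lines into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and not line.startswith("#"):
            groups[parts[0]] = (int(parts[2]), [m for m in parts[3].split(",") if m])
    return groups


def resolve(name, order, dbs):
    """Lookup by name with default actions: the first source that has the name wins."""
    for src in order:
        if name in dbs.get(src, {}):
            return (src, *dbs[src][name])
    return None


def shadowed(order, dbs):
    """Entries in a later source that a by-name lookup never returns."""
    hidden = []
    for src in order:
        for name, (gid, members) in dbs.get(src, {}).items():
            winner = resolve(name, order, dbs)[0]
            if winner != src:
                hidden.append((name, winner, src, members))
    return hidden


if __name__ == "__main__":
    order = group_sources(NSSWITCH)
    dbs = {"files": parse_groups(LOCAL), "sss": parse_groups(SSS)}
    print(resolve("wheel", order, dbs))
    for name, winner, src, members in shadowed(order, dbs):
        print(f"{name}: '{winner}' answers; '{src}' members {members} are not returned")
```
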
