----- Original Message -----
> From: "Rob Crittenden" <[email protected]>
> To: "Natxo Asenjo" <[email protected]>, [email protected]
> Sent: Wednesday, October 14, 2015 3:08:29 PM
> Subject: Re: [Freeipa-users] substitute local system groups by ipa groups
>
> Natxo Asenjo wrote:
> > hi,
> >
> > On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Natxo Asenjo wrote:
> >     > hi,
> >     >
> >     > can you do something like this?
> >     >
> >     > ipa group-add wheel --gid=10
> >     >
> >     > to substitute the local group wheel? Of course nsswitch.conf indicates
> >     > local groups get found first ( group: files sss) but, would it work and
> >     > is it supported?
> >
> >     What is it you expect or desire to happen in this case?
> >
> >
> > sorry, I thought it was obvious. To create a wheel ipa group. Members of
> > this group are automatically 'root' in sudoers in plenty of
> > distributions ( centos 7, just tested):
> >
> > ## Allows people in group wheel to run all commands
> > %wheel ALL=(ALL) ALL
> >
> > and in policykit I see this as well:
> >
> > # cat 50-default.rules
> > /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> >
> > // DO NOT EDIT THIS FILE, it will be overwritten on update
> > //
> > // Default rules for polkit
> > //
> > // See the polkit(8) man page for more information
> > // about configuring polkit.
> >
> > polkit.addAdminRule(function(action, subject) {
> >     return ["unix-group:wheel"];
> > });
> >
> >
> > So there is already an existing infrastructure for the wheel group that
> > is waiting to be used ;-)
> >
> > Hopefully this makes it clear.
>
> Ok, that's what I thought, didn't want to assume. It is my understanding
> that nss returns the first match it finds, in this case the system-local
> wheel group. There is no merging in SSSD AFAIK.

FYI: we are working on this problem:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

Stephen has patches for glibc, not sure what is the status of the submission
yet though.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York
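
Added example, not part of the thread and not FreeIPA or SSSD code: an audit sketch for the collision discussed above. It reports directory groups whose name or GID collides with a local group, and whether that group name is granted rights by a sudoers %group rule or a polkit unix-group entry. All sample inputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not from a real host); names and members are made up.
LOCAL_GROUP = "root:x:0:\nwheel:x:10:localadmin\nusers:x:100:\n"
# Same group(5) line format that `getent -s sss group <name>` prints.
DIRECTORY_GROUP = "wheel:*:10:alice,bob\nadmins:*:1234000000:alice\neditors:*:100:carol\n"
SUDOERS = "## Allows people in group wheel to run all commands\n%wheel ALL=(ALL) ALL\n"
POLKIT = 'polkit.addAdminRule(function(action, subject) {\n    return ["unix-group:wheel"];\n});\n'


def parse_groups(text):
    """Parse group(5) lines into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def privileged_names(sudoers, polkit):
    """Group names referenced by sudoers %group rules or polkit unix-group entries."""
    names = set(re.findall(r"^%([\w.-]+)\s", sudoers, re.M))
    names |= set(re.findall(r"unix-group:([\w.-]+)", polkit))
    return names


def find_collisions(local_text, directory_text, sudoers, polkit):
    """Return sorted (directory_group, local_group, kind, privileged) tuples."""
    local, directory = parse_groups(local_text), parse_groups(directory_text)
    gid_to_local = {gid: name for name, (gid, _) in local.items()}
    priv = privileged_names(sudoers, polkit)
    hits = []
    for name, (gid, _) in directory.items():
        if name in local:  # same name: the local entry is listed first under "files sss"
            kind = "name+gid" if local[name][0] == gid else "name"
            hits.append((name, name, kind, name in priv))
        elif gid in gid_to_local:  # different name sharing a local group's GID
            other = gid_to_local[gid]
            hits.append((name, other, "gid", other in priv))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_collisions(LOCAL_GROUP, DIRECTORY_GROUP, SUDOERS, POLKIT):
        print(hit)
```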
