On Tue, Apr 25, 2017 at 02:43:11PM -0400, g...@greg-gilbert.com wrote:
> I saw this question come up way back in the archives, so I thought I'd
> ask to see if there's a better way to do it.
>
> Basically I want users who log into my servers that run the FreeIPA
> client to be given the local usergroup DOCKER.
I think this is what you're looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging
If you're running a libc version that supports this feature, you'd
define the docker group on the IPA side with the same GID, then SSSD
would deliver the group to libc and libc would merge the results from
the local and the remote groups.
> Is there a way to do
> that? Is it controlled from the FreeIPA server, or is it something (e.g.
> PolicyKit?) that needs to be run on each client?
PolicyKit is the piece that enforces a policy decision based on the
group membership, the trick here is to merge local and remove groups.
>
> If it matters, the clients are running Ubuntu 16.04.
I'm sorry, I don't know if this feature is present Ubuntu 16.04..
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
