Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> can you do something like this?
> 
> ipa group-add wheel --gid=10
> 
> to substitute the local group wheel? Of course nsswitch.conf indicates
> local groups get found first ( group: files sss) but, would it work and
> is it supported?

What is it you expect or desire to happen in this case?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Simo Sorce
----- Original Message -----
> From: "Rob Crittenden" <rcrit...@redhat.com>
> To: "Natxo Asenjo" <natxo.ase...@gmail.com>, freeipa-users@redhat.com
> Sent: Wednesday, October 14, 2015 3:08:29 PM
> Subject: Re: [Freeipa-users] substitute local system groups by ipa groups
> 
> Natxo Asenjo wrote:
> > hi,
> > 
> > On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > 
> > Natxo Asenjo wrote:
> > > hi,
> > >
> > > can you do something like this?
> > >
> > > ipa group-add wheel --gid=10
> > >
> > > to substitute the local group wheel? Of course nsswitch.conf
> > > indicates
> > > local groups get found first ( group: files sss) but, would it work
> > > and
> > > is it supported?
> > 
> > What is it you expect or desire to happen in this case?
> > 
> > 
> > sorry, I thought it was obvious. To create a wheel ipa group. Members of
> > this group are automatically 'root'  in sudoers in plenty of
> > distributions ( centos 7, just tested):
> > 
> > ## Allows people in group wheel to run all commands
> > %wheel  ALL=(ALL)   ALL
> > 
> > and in policykit I see this as well:
> > 
> > # cat 50-default.rules
> > /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> > 
> > // DO NOT EDIT THIS FILE, it will be overwritten on update
> > //
> > // Default rules for polkit
> > //
> > // See the polkit(8) man page for more information
> > // about configuring polkit.
> > 
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:wheel"];
> > });
> > 
> > 
> > So there is already an existing infrastructure for the wheel group that
> > is waiting to be used ;-)
> > 
> > Hopefully this makes it clear.
> 
> Ok, that's what I thought, didn't want to assume. It is my understanding
> that nss returns the first match it finds, in this case the system-local
> wheel group. There is no merging in SSSD AFAIK.

FYI: we are working on this problem:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

Stephen has patches for glibc, not sure what the status of the submission is yet
though.

Simo.


-- 
Simo Sorce * Red Hat, Inc. * New York



Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden wrote:
> 
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
> 
> What is it you expect or desire to happen in this case?
> 
> 
> sorry, I thought it was obvious. To create a wheel ipa group. Members of
> this group are automatically 'root'  in sudoers in plenty of
> distributions ( centos 7, just tested):
> 
> ## Allows people in group wheel to run all commands
> %wheel  ALL=(ALL)   ALL
> 
> and in policykit I see this as well:
> 
> # cat 50-default.rules
> /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> 
> // DO NOT EDIT THIS FILE, it will be overwritten on update
> //
> // Default rules for polkit
> //
> // See the polkit(8) man page for more information
> // about configuring polkit.
> 
> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:wheel"];
> });
> 
> 
> So there is already an existing infrastructure for the wheel group that
> is waiting to be used ;-)
> 
> Hopefully this makes it clear.

Ok, that's what I thought, didn't want to assume. It is my understanding
that nss returns the first match it finds, in this case the system-local
wheel group. There is no merging in SSSD AFAIK.

rob

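Added example, not code from the thread or from FreeIPA/SSSD: a POSIX shell check that applies the first-match behaviour Rob describes (under "group: files sss" a by-name lookup returns the local /etc/group entry and nothing is merged) to find directory groups that a local group would shadow, and which directory members would consequently not match rules such as "%wheel" or "unix-group:wheel" on that host. The function name shadowed_groups and the sample entries are assumptions; on a real host the two inputs would come from "getent -s files group" and "getent -s sss group".

```shell
#!/bin/sh
# Added example, not code from the thread. Detects directory (sss) groups
# that a local /etc/group entry would shadow under "group: files sss",
# where a by-name lookup returns the local entry and nothing is merged.
# On a real host the two inputs come from:
#   getent -s files group   and   getent -s sss group
# Constructed sample data so the check runs offline:
LOCAL_GROUPS='root:x:0:
wheel:x:10:alice
users:x:100:'

SSS_GROUPS='wheel:*:10:alice,bob,carol
admins:*:1001:alice
staff:*:100:dave'

# shadowed_groups LOCAL_ENTRIES SSS_ENTRIES
# Prints one line per sss group whose name or GID already exists locally:
#   NAME name-collision gid=G lost_members=M   (M: in sss, not in local entry)
#   NAME gid-collision gid=G local_group=L     (same GID, different name)
shadowed_groups() {
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } | awk '
    BEGIN { FS = ":" }
    /^---$/ { in_sss = 1; next }          # switch from local to sss input
    NF < 3 { next }                       # skip blank lines
    !in_sss { local_members[$1] = $4; local_by_gid[$3] = $1; next }
    {
        name = $1; gid = $3
        if (name in local_members) {
            for (k in have) delete have[k]
            n = split(local_members[name], m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") have[m[i]] = 1
            lost = ""
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in have))
                    lost = lost (lost == "" ? "" : ",") m[i]
            printf "%s name-collision gid=%s lost_members=%s\n", name, gid, lost
        } else if (gid in local_by_gid) {
            printf "%s gid-collision gid=%s local_group=%s\n", name, gid, local_by_gid[gid]
        }
    }'
}

shadowed_groups "$LOCAL_GROUPS" "$SSS_GROUPS"
```

With the sample data the check reports that the IPA wheel group's members bob and carol are not in the local wheel entry, and that the IPA group staff reuses GID 100 of the local group users.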


Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Natxo Asenjo
hi,

On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
>
> What is it you expect or desire to happen in this case?
>

sorry, I thought it was obvious. To create a wheel ipa group. Members of
this group are automatically 'root'  in sudoers in plenty of distributions
( centos 7, just tested):

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)   ALL

and in policykit I see this as well:

# cat 50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
return ["unix-group:wheel"];
});


So there is already an existing infrastructure for the wheel group that is
waiting to be used ;-)

Hopefully this makes it clear.

-- 
regards,
natxo


-- 
Regards,
natxo