Grant domain user access like he is in netdev group
The Debian paradigm for granting users access to control network resources is to add him to group netdev.
I know that technically you can "gpasswd -a bgstack15 netdev" when bgstack15 is a domain account. But do I have to enumerate all my domain users and add them to this local group? That sounds unwieldy. Is there a solution out there? I am investigating writing custom dbus or policykit policies, but I was hoping somebody has a definitive answer for this topic. I also need a similar solution for groups audio and video (and maybe even lp and lpadmin, not sure yet). I already tried making a freeipa group named "netdev" and adding all users. And a "getent group -s sss netdev" works, but it won't list those users when doing a non-specific "getent group netdev." Would removing the local group netdev work? Is that a bad thing to do? I guess if I tried that, I'd have to chgrp all the files to the new gid (but does that persist on /dev?).
I think you will destroy your Linux box if you remove the local netdev group. But you are free to try.
audio and video may work that way. I think you need to find another way, something like sudo (or similar).
General solution
I solved the problem! The full write-up is on my blog (https://bgstack15.wordpress.com/2019...local-devices/) but here is the summary:
Use pam_group.
Code:
tf=/usr/share/pam-configs/my_groups
Code:
pam-auth-update
Code:
sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf
Code:
test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
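The three pieces of the pam_group approach summarised above, as an added example that is not the OP's deployment script: the pam-auth-update profile, the pam_group rule, and the nsswitch merge, written as functions that take file paths so the edits can be rehearsed under a staging root before touching /etc. The ROOT variable, the profile name "my_groups" and the Priority value are assumptions; the group.conf written here replaces the distro file, which ships with comments only.

```shell
#!/bin/sh
# Added example, not the OP's deployment script: the pam_group approach as
# functions that take file paths, so the edits can be rehearsed under a
# staging root before touching /etc. ROOT and the profile name are assumptions.
ROOT="${ROOT:-}"   # e.g. ROOT=/tmp/stage to rehearse; empty = live system

# 1. pam-auth-update profile that appends pam_group to the auth stack.
write_pam_profile() {   # $1 = profile path
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
Name: Local device groups via pam_group
Default: yes
Priority: 128
Auth-Type: Additional
Auth:
	optional	pam_group.so
EOF
}

# 2. pam_group rule: every user, every service and tty, all day, gets the
#    listed groups. Narrow the first two fields (e.g. login;tty*) if SSH
#    sessions should not receive hardware groups.
write_group_conf() {    # $1 = group.conf path
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
# services;ttys;users;times;groups
*;*;*;Al0000-2400;netdev,audio,video
EOF
}

# 3. Let NSS merge local and sss members, so a FreeIPA group named netdev
#    shows its users in a plain `getent group netdev`. Idempotent.
merge_nss_groups() {    # $1 = nsswitch.conf path
    grep -Eq '^[[:space:]]*group:.*\[SUCCESS=merge\]' "$1" && return 0
    sed -i -r -e '/^[[:space:]]*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/' "$1"
}

apply_all() {
    write_pam_profile "$ROOT/usr/share/pam-configs/my_groups"
    write_group_conf "$ROOT/etc/security/group.conf"
    merge_nss_groups "$ROOT/etc/nsswitch.conf"
    if [ -z "$ROOT" ]; then
        pam-auth-update --package   # enable the profile non-interactively
    fi
}
```

Groups granted by pam_group exist only inside sessions that authenticated through a PAM service; they never appear in `getent group` or on the user's directory entry, which is why the nsswitch merge is a separate step.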