LinuxQuestions.org


bgstack15 05-31-2019 03:48 PM

Grant domain user access like he is in netdev group
 
The debian paradigm for granting users access to control network resources is to add him to group netdev.

I know that technically you can "gpasswd -a bgstack15 netdev" when bgstack15 is a domain account. But do I have to enumerate all my domain users and add them to this local group? That sounds unwieldy.

Is there a solution out there? I am investigating writing custom dbus or policykit policies, but I was hoping somebody has a definitive answer for this topic.

I also need a similar solution for groups audio and video (and maybe even lp and lpadmin, not sure yet).

I already tried making a freeipa group named "netdev" and adding all users. And a "getent group -s sss netdev" works, but it won't list those users when doing a non-specific "getent group netdev." Would removing the local group netdev work? Is that a bad thing to do? I guess if I tried that, I'd have to chgrp all the files to the new gid (but does that persist on /dev?).

pan64 06-02-2019 09:36 AM

I think you will destroy your linux box if you remove the local netdev group. But you are free to try.
audio and video may work that way.

I think you need to find another way, something like sudo (or similar)

bgstack15 10-11-2019 09:56 AM

General solution
 
I solved the problem! The full write-up is on my blog (https://bgstack15.wordpress.com/2019...local-devices/) but here is the summary:

Use pam_group.
Code:

tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root.root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
EOF

Update pam and choose the new option we just made, "Activate /etc/security/group.conf."
Code:

pam-auth-update

Configure nsswitch.conf (only with glibc >= 2.24).
Code:

sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf

Make local gids match the domain gids, for any of the groups you want to merge.
Code:

test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
  {
      tgid="$( getent group -s  sss  "${word}" | awk -F':' '{print $3}' )"
      ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
  } 2>/dev/null
  # if group exists locally and in domain
  test -n "${ogid}" && test -n "${tgid}" && test ${ogid} -ne ${tgid} && {
      # use sed because groupmod fails because the new GID already exists
      sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
      # log to stdout and logfile
      printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
  }
done
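One caveat with the gid-rewrite loop above: groupmod refuses a GID that another group already holds, and the sed rewrite bypasses that check, so a domain gid that collides with an existing local group would leave two local groups sharing one gid. The following added example (not from the post or the linked blog) plans each remap against constructed stand-ins for /etc/group and the sss lookup and flags such collisions; the sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Before rewriting a local gid in
# /etc/group with sed, confirm the domain gid is not already held by another
# local group: groupmod refuses such a change, plain sed does not.

# Constructed stand-in for /etc/group (a real run would read the file).
SAMPLE_GROUP='root:x:0:
netdev:x:108:alice
audio:x:29:alice,bob
video:x:44:
dip:x:30:
sambashare:x:1001:bob'

# Constructed stand-in for the domain side, "getent group -s sss NAME".
SAMPLE_SSS='netdev:*:920000501:
audio:*:1001:
video:*:44:
dip:*:920000504:'

# gid_of DB NAME -> gid of NAME in DB, or empty if absent.
gid_of() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $3 }'
}

# holder_of DB GID -> name of the group in DB that already uses GID, if any.
holder_of() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$3 == g { print $1 }'
}

# plan_remap NAME -> "skip" (nothing to do), "remap OLD NEW" (safe to
# rewrite) or "collision NEW HOLDER" (rewriting would duplicate a gid).
plan_remap() {
    ogid=$(gid_of "$SAMPLE_GROUP" "$1")
    tgid=$(gid_of "$SAMPLE_SSS" "$1")
    if [ -z "$ogid" ] || [ -z "$tgid" ] || [ "$ogid" -eq "$tgid" ]; then
        echo skip
        return
    fi
    holder=$(holder_of "$SAMPLE_GROUP" "$tgid")
    if [ -n "$holder" ] && [ "$holder" != "$1" ]; then
        echo "collision $tgid $holder"
    else
        echo "remap $ogid $tgid"
    fi
}

for g in netdev video audio dip; do
    printf '%s: %s\n' "$g" "$(plan_remap "$g")"
done
```

Only groups reported as "remap" are safe to feed to the sed loop; a "collision" needs the other local group moved first.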


