
bgstack15 05-31-2019 04:48 PM

Grant domain user access like he is in netdev group
The Debian paradigm for granting users access to control network resources is to add him to group netdev.

I know that technically you can "gpasswd -a bgstack15 netdev" when bgstack15 is a domain account. But do I have to enumerate all my domain users and add them to this local group? That sounds unwieldy.

Is there a solution out there? I am investigating writing custom dbus or policykit policies, but I was hoping somebody has a definitive answer for this topic.

I also need a similar solution for groups audio and video (and maybe even lp and lpadmin, not sure yet).

I already tried making a freeipa group named "netdev" and adding all users. And a "getent group -s sss netdev" works, but it won't list those users when doing a non-specific "getent group netdev." Would removing the local group netdev work? Is that a bad thing to do? I guess if I tried that, I'd have to chgrp all the files to the new gid (but does that persist on /dev?).

pan64 06-02-2019 10:36 AM

I think you will destroy your Linux box if you remove the local netdev group. But you are free to try.
audio and video may work that way.

I think you need to find another way, something like sudo (or similar)

bgstack15 10-11-2019 10:56 AM

General solution
I solved the problem! The full write-up is on my blog, but here is the summary:

Use pam_group.

tf=/usr/share/pam-configs/group-conf   # assumed file name; the original post never shows what ${tf} was set to
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root.root "${tf}"
# pam-auth-update profile that puts pam_group.so into the auth stack
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required			pam_group.so use_first_pass
EOF

Update pam and choose the new option we just made, "Activate /etc/security/group.conf."

Configure nsswitch.conf (only with glibc >= 2.24)

sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf
Make local gids match the domain gids, for any of the groups you want to merge.

test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
   {
      # domain gid (sss) and local gid (files) for this group
      tgid="$( getent group -s  sss  "${word}" | awk -F':' '{print $3}' )"
      ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
   } 2>/dev/null
   # if group exists locally and in domain
   test -n "${ogid}" && test -n "${tgid}" && test ${ogid} -ne ${tgid} && {
      # use sed because groupmod fails because the new GID already exists
      sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
      # log to stdout and logfile
      printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
   }
done
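As an added example (not code from the original post or from bgstack15's blog), here is the "make local gids match the domain gids" step rewritten so it can be exercised offline, together with two checks for the other steps of the procedure. It reads two files in /etc/group format that stand in for the output of "getent group -s files" and "getent group -s sss" (an assumption made so it runs without a domain), refuses to hand a domain gid to a group when another local group already holds that gid, checks that the nsswitch.conf group line carries the [SUCCESS=merge] directive, and emits the /etc/security/group.conf rule that pam_group reads. File names, the group list and the sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. LOCALFILE and DOMAINFILE are
# files in /etc/group format standing in for "getent group -s files" and
# "getent group -s sss" (assumption: lets the logic run without sssd).

# gid_of FILE NAME: print the gid of group NAME from a group-format file
gid_of() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# name_of_gid FILE GID: print the name of the group that already owns GID, if any
name_of_gid() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# reconcile_gids LOCALFILE DOMAINFILE GROUP...
# For every GROUP present on both sides with different gids, rewrite LOCALFILE
# so the local entry carries the domain gid. Prints "group old new" per change.
# Unlike the sed one-liner in the post it refuses to reuse a gid that another
# local group already holds (added safety check).
reconcile_gids() {
    localdb="$1"; domaindb="$2"; shift 2
    for word in "$@"; do
        ogid="$(gid_of "$localdb" "$word")"
        tgid="$(gid_of "$domaindb" "$word")"
        # skip groups missing on either side or already aligned
        [ -n "$ogid" ] && [ -n "$tgid" ] && [ "$ogid" -ne "$tgid" ] || continue
        owner="$(name_of_gid "$localdb" "$tgid")"
        if [ -n "$owner" ]; then
            printf 'skip %s: gid %s already belongs to local group %s\n' \
                "$word" "$tgid" "$owner" >&2
            continue
        fi
        # rewrite field 3 with awk rather than sed -i so it also works on non-GNU sed
        awk -F: -v OFS=: -v g="$word" -v id="$tgid" \
            '$1 == g { $3 = id } { print }' "$localdb" > "$localdb.tmp" \
            && mv "$localdb.tmp" "$localdb"
        printf '%s %s %s\n' "$word" "$ogid" "$tgid"
    done
    return 0
}

# nsswitch_merge_ok FILE: succeed when the group line merges local and sss results
nsswitch_merge_ok() {
    grep -Eq '^[[:space:]]*group:.*(compat|files)[[:space:]]+\[SUCCESS=merge\][[:space:]]+sss' "$1"
}

# group_conf_line GROUP...: emit an /etc/security/group.conf rule that grants
# the listed groups to every user, on any service and tty, at any time.
# Field order is services;ttys;users;times;groups.
group_conf_line() {
    glist=""
    for g in "$@"; do
        glist="${glist:+$glist,}$g"
    done
    printf '*;*;*;Al0000-2400;%s\n' "$glist"
}

# usage on a real host (needs root): dump both sources to files, reconcile, write the rule
# getent group -s files > /tmp/local.grp; getent group -s sss > /tmp/domain.grp
# reconcile_gids /tmp/local.grp /tmp/domain.grp netdev video audio dip
# group_conf_line netdev video audio dip >> /etc/security/group.conf
```

Two things worth keeping in mind when running this for real: changing the gid in /etc/group does not touch files that already carry the old numeric gid, so a chgrp pass over those files is still needed (the question the thread raised but never answered), and pam_group only adds the groups to sessions that go through the PAM auth stack, so membership checks like "getent group netdev" will not show domain users even after everything is in place; check with "id -nG" from a fresh login instead.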
