LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-31-2019, 04:48 PM   #1
bgstack15
Member
 
Registered: Jul 2017
Distribution: korora
Posts: 69

Rep: Reputation: Disabled
Grant domain user access like he is in netdev group


The debian paradigm for granting users access to control network resources is to add him to group netdev.

I know that technically you can "gpasswd -a bgstack15 netdev" when bgstack15 is a domain account. But do I have to enumerate all my domain users and add them to this local group? That sounds unwieldy.

Is there a solution out there? I am investigating writing custom dbus or policykit policies, but I was hoping somebody has a definitive answer for this topic.

I also need a similar solution for groups audio and video (and maybe even lp and lpadmin, not sure yet).

I already tried making a freeipa group named "netdev" and adding all users. And a "getent group -s sss netdev" works, but it won't list those users when doing a non-specific "getent group netdev." Would removing the local group netdev work? Is that a bad thing to do? I guess if I tried that, I'd have to chgrp all the files to the new gid (but does that persist on /dev?).
 
Old 06-02-2019, 10:36 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,276

Rep: Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204Reputation: 4204
I think you will destroy your linux box if you remove the local netdev group. But you are free to try.
audio and video may work that way.

I think you need to find another way, something like sudo (or similar)
 
Old 10-11-2019, 10:56 AM   #3
bgstack15
Member
 
Registered: Jul 2017
Distribution: korora
Posts: 69

Original Poster
Rep: Reputation: Disabled
General solution

I solved the problem! The full write-up is on my blog (https://bgstack15.wordpress.com/2019...local-devices/) but here is the summary:

Use pam_group.
Code:
tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root.root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
EOF
Update pam and choose the new option we just made, "Activate /etc/security/group.conf."
Code:
pam-auth-update
Configure nsswitch.conf (only with glibc >= 2.24)
Code:
sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf
Make local gids match the domain gids, for any of the groups you want to merge.
Code:
test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
   {
      tgid="$( getent group -s  sss  "${word}" | awk -F':' '{print $3}' )"
      ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
   } 2>/dev/null
   # if group exists locally and in domain
   test -n "${ogid}" && test -n "${tgid}" && test ${ogid} -ne ${tgid} && {
      # use sed because groupmod fails because the new GID already exists
      sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
      # log to stdout and logfile
      printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
   }
done
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Added myself to netdev but wicd says I still need to be in netdev enine Slackware 7 09-24-2010 08:36 AM
[SOLVED] wicd wants user added to netdev group, but it's already there (hal issues) quiescere Slackware 5 04-25-2010 02:59 AM
LXer: Include diff attachment -- Re: Fedora-netdev FC4: kernel-2.6.14-1.1656_FC4.netdev.7 is now available! LXer Syndicated Linux News 0 01-09-2006 09:01 PM
LXer: Fedora-netdev FC4: kernel-2.6.14-1.1653_FC4.netdev.6 is now available! LXer Syndicated Linux News 0 12-15-2005 02:32 PM
LXer: Fedora-netdev FC4: kernel-2.6.14-1.1644_FC4.netdev.5 is now available! LXer Syndicated Linux News 0 12-12-2005 04:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration