I solved the problem! The full write-up is on my blog (https://bgstack15.wordpress.com/2019...local-devices/), but here is the summary:
Use pam_group.
Code:
# pam-auth-update profile that enables pam_group (which reads /etc/security/group.conf)
tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root:root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required pam_group.so use_first_pass
EOF
Update pam and choose the new option we just made, "Activate /etc/security/group.conf."
Configure nsswitch.conf (only with glibc >= 2.24)
Code:
# merge group members from local files and sssd ([SUCCESS=merge] needs glibc >= 2.24)
sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf
Make local gids match the domain gids, for any of the groups you want to merge.
Code:
#!/bin/sh
# Re-number local groups so their GIDs match the domain (sssd) GIDs.
test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
    {
        # GID of the group as seen by sssd (domain) and by /etc/group (local)
        tgid="$( getent group -s sss "${word}" | awk -F':' '{print $3}' )"
        ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
    } 2>/dev/null
    # if group exists locally and in domain, and the GIDs differ
    test -n "${ogid}" && test -n "${tgid}" && test "${ogid}" -ne "${tgid}" && {
        # use sed because groupmod fails because the new GID already exists
        sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
        # log to stdout and logfile
        printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
    }
done
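As an added dry run that is not part of the original post: the GID-merge step above, run against constructed /etc/group-style lines (the shape `getent group -s files` and `-s sss` return) and against a copy of the group file, so the rewrite can be reviewed before it touches /etc/group. The function names, the sample groups and the GID values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): dry run of the GID-merge step.
# Compares the local (files) and domain (sss) copies of /etc/group, reports the
# groups whose GIDs differ, and applies the post's sed rewrite to a *copy* of the
# group file so the change can be reviewed before touching /etc/group.

# Print "name local_gid domain_gid" for each group present in both sources with
# differing GIDs. $1 = local group lines, $2 = domain group lines (name:pw:gid:members).
gid_mismatches() {
    local_lines=$1 domain_lines=$2
    printf '%s\n' "$local_lines" | while IFS=: read -r name _ lgid _; do
        [ -n "$name" ] || continue
        dgid=$(printf '%s\n' "$domain_lines" | awk -F: -v g="$name" '$1 == g { print $3; exit }')
        if [ -n "$dgid" ] && [ "$lgid" != "$dgid" ]; then
            printf '%s %s %s\n' "$name" "$lgid" "$dgid"
        fi
    done
    return 0
}

# Apply the rewrite to a copy: $1 = path of the copy, $2 = lines from gid_mismatches.
# Prints the rewritten file.
rewrite_group_copy() {
    file=$1
    printf '%s\n' "$2" | while read -r name ogid tgid; do
        [ -n "$name" ] || continue
        # anchor on the group name and replace only the GID field, not member lists
        sed -i -r -e "/^${name}:/s/:${ogid}:/:${tgid}:/" "$file"
    done
    cat "$file"
}

# Constructed sample data: video and netdev have different GIDs locally and in the domain.
LOCAL_GROUPS='root:x:0:
video:x:44:alice
audio:x:29:alice,bob
dip:x:30:
netdev:x:108:alice'
DOMAIN_GROUPS='video:*:10044:carol
audio:*:29:carol
netdev:*:10108:'

mismatches=$(gid_mismatches "$LOCAL_GROUPS" "$DOMAIN_GROUPS")
printf 'GID mismatches (group local domain):\n%s\n' "$mismatches"
copy=$(mktemp)
printf '%s\n' "$LOCAL_GROUPS" > "$copy"
printf 'Rewritten copy of /etc/group:\n'
rewrite_group_copy "$copy" "$mismatches"
rm -f "$copy"
```

Files already owned by the old GID are not re-owned by this rewrite (`find / -gid OLD` lists them), so check for them before applying the change to the real /etc/group.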