[SOLVED] Grant domain user access like he is in netdev group

bgstack15 · 05-31-2019, 03:48 PM

The debian paradigm for granting users access to control network resources is to add him to group netdev.

I know that technically you can "gpasswd -a bgstack15 netdev" when bgstack15 is a domain account. But do I have to enumerate all my domain users and add them to this local group? That sounds unwieldy.

Is there a solution out there? I am investigating writing custom dbus or policykit policies, but I was hoping somebody has a definitive answer for this topic.

I also need a similar solution for groups audio and video (and maybe even lp and lpadmin, not sure yet).

I already tried making a freeipa group named "netdev" and adding all users. And a "getent group -s sss netdev" works, but it won't list those users when doing a non-specific "getent group netdev." Would removing the local group netdev work? Is that a bad thing to do? I guess if I tried that, I'd have to chgrp all the files to the new gid (but does that persist on /dev?).

pan64 · 06-02-2019, 09:36 AM

I think you will destroy your linux box if you remove the local netdev group. But you are free to try.
audio and video may work that way.

I think you need to find another way, something like sudo (or similar)

bgstack15 · 10-11-2019, 09:56 AM

I solved the problem! The full write-up is on my blog (https://bgstack15.wordpress.com/2019...local-devices/) but here is the summary:

Use pam_group.

Code:

tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root.root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
EOF

Update pam and choose the new option we just made, "Activate /etc/security/group.conf."

Code:

pam-auth-update

Configure nsswitch.conf (only with glibc >= 2.24)

Code:

sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf

Make local gids match the domain gids, for any of the groups you want to merge.

Code:

test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
   {
      tgid="$( getent group -s  sss  "${word}" | awk -F':' '{print $3}' )"
      ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
   } 2>/dev/null
   # if group exists locally and in domain
   test -n "${ogid}" && test -n "${tgid}" && test ${ogid} -ne ${tgid} && {
      # use sed because groupmod fails because the new GID already exists
      sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
      # log to stdout and logfile
      printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
   }
done