Discussion:
[Freeipa-users] How do you have users be given a local group?
g***@greg-gilbert.com
2017-04-25 18:43:11 UTC
I saw this question come up way back in the archives, so I thought I'd
ask to see if there's a better way to do it.

Basically I want users who log into my servers that run the FreeIPA
client to be given the local usergroup DOCKER. Is there a way to do
that? Is it controlled from the FreeIPA server, or is it something (e.g.
PolicyKit?) that needs to be run on each client?

If it matters, the clients are running Ubuntu 16.04.

Thanks!
Jakub Hrozek
2017-04-25 19:50:55 UTC
Post by g***@greg-gilbert.com
I saw this question come up way back in the archives, so I thought I'd
ask to see if there's a better way to do it.
Basically I want users who log into my servers that run the FreeIPA
client to be given the local usergroup DOCKER.
I think this is what you're looking for:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

If you're running a libc version that supports this feature, you'd
define the docker group on the IPA side with the same GID, then SSSD
would deliver the group to libc and libc would merge the results from
the local and the remote groups.
Post by g***@greg-gilbert.com
Is there a way to do
that? Is it controlled from the FreeIPA server, or is it something (e.g.
PolicyKit?) that needs to be run on each client?
PolicyKit is the piece that enforces a policy decision based on the
group membership, the trick here is to merge local and remote groups.
Post by g***@greg-gilbert.com
If it matters, the clients are running Ubuntu 16.04.
I'm sorry, I don't know if this feature is present in Ubuntu 16.04.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
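
The group-merging setup described in the reply above, turned into a pre-flight check for a client (an added example, not part of the thread and not FreeIPA or SSSD code). It assumes glibc 2.24 as the first release with the nsswitch.conf `merge` action and `files [SUCCESS=merge] sss` as the `group:` line; the function names, GID 999 and sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before relying on glibc group merging.

# 0 if glibc VERSION (from `getconf GNU_LIBC_VERSION`) is >= 2.24,
# the release that introduced the nsswitch.conf "merge" action.
glibc_supports_merge() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 24 ]; }
}

# 0 if the "group:" line of nsswitch.conf FILE has [SUCCESS=merge]
# directly in front of sss (single-action bracket form only).
group_line_merges() {
    awk '$1 == "group:" {
        for (i = 2; i <= NF; i++) {
            if (toupper($i) == "[SUCCESS=MERGE]") merge = 1
            else if ($i == "sss") { ok = merge; exit }
            else if ($i !~ /^\[/) merge = 0   # another service resets it
        }
    } END { exit (ok ? 0 : 1) }' "$1"
}

# Print the GID of group NAME from a group(5) FILE.
local_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# check_merge_ready GLIBC_VERSION NSSWITCH GROUPFILE GROUP IPA_GID
check_merge_ready() {
    rc=0
    glibc_supports_merge "$1" || { echo "glibc $1 predates the merge action"; rc=1; }
    group_line_merges "$2" || { echo "group: line lacks [SUCCESS=merge] before sss"; rc=1; }
    gid=$(local_gid "$3" "$4")
    [ "$gid" = "$5" ] || { echo "local $4 GID '$gid' differs from IPA GID '$5'"; rc=1; }
    return "$rc"
}

# Constructed sample inputs, not taken from a real host.
tmp=$(mktemp -d)
printf 'passwd: files sss\ngroup:  files [SUCCESS=merge] sss\n' > "$tmp/nsswitch.conf"
printf 'root:x:0:\ndocker:x:999:\n' > "$tmp/group"
check_merge_ready 2.23 "$tmp/nsswitch.conf" "$tmp/group" docker 999 || echo "not ready"
rm -rf "$tmp"
```

On a real client, pass the version reported by `getconf GNU_LIBC_VERSION`, `/etc/nsswitch.conf`, `/etc/group`, and the GID assigned to the group on the IPA side.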