On 07/30/2015 07:42 AM, Domenico Viggiani wrote:
You can put any centralized account into a local group, but you need to do it on all clients. I have an LDAP account "jhrozek" that is a member of local group mock:
$ grep mock /etc/group
mock:x:135:jhrozek
OK, I know, but I'd like to avoid inserting AD developers' accounts into the local group one by one :(
Thanks again
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
I have a setup that allows me to centrally manage local groups. Maybe it can help here.
Because I am using RFC2307bis in OpenLDAP, which Windows AD supports, I can have groupOfNames groups with an additional objectClass of posixGroup.
I installed the migrationtools package, so I could use the scripts to create the POSIX user, group, etc. info in LDAP. It took some minor modifications to the scripts to output the data in LDIF format according to my DIT hierarchy. I then ran the script and imported the LDIF. I now have all the POSIX info in my DIT.
By adding the posixAccount objectClass to my user object in LDAP, which has the inetOrgPerson structural objectClass, I can add uid/gid values to the object. If I add my user object to one of the groupOfNames groups that has the additional posixAccount objectClass, I can see my ID in that group when I log into a box and run "id".
Using sssd, and configuring /etc/nsswitch.conf to point to sss for group as primary and files as secondary, I get to use the centrally managed local groups on all of my hosts. I make one change and all devices get the update (upon logout and then login). nsswitch.conf points passwd, shadow, sudoers, netgroup, and automount to files as primary and sss as secondary. I made sure to leave passwd as files first, so that root is always local and can log in should the network or directory not be available.
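The nsswitch.conf ordering described in the reply above is easy to get wrong on one host out of many, so here is an added check script (not from the thread or from the sssd project) that verifies passwd/shadow keep "files" ahead of "sss" and that group lists "sss"; the function names and the sample file it writes are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check an nsswitch.conf against
# the ordering described above (files before sss for passwd/shadow so root
# stays local; sss present for group so central POSIX groups are honoured).

# nsswitch_sources FILE DB: print the sources configured for database DB,
# with comments and [action] brackets stripped (empty if DB is absent).
nsswitch_sources() {
    awk -F: -v db="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == db {
            n = split($2, tok, /[ \t]+/); out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^#/) break
                if (tok[i] == "" || tok[i] ~ /^\[/) continue
                out = out (out == "" ? "" : " ") tok[i]
            }
            print out; exit
        }' "$1"
}

# check_nsswitch FILE: return 0 when the ordering is safe, 1 otherwise,
# printing one line per problem found.
check_nsswitch() {
    rc=0
    for db in passwd shadow; do
        srcs=$(nsswitch_sources "$1" "$db")
        case "$srcs " in
            "files "*) ;;   # local accounts resolve even when the directory is down
            *) echo "$db: expected 'files' first, got '${srcs:-nothing}'"; rc=1 ;;
        esac
    done
    grp=$(nsswitch_sources "$1" group)
    case " $grp " in
        *" sss "*) ;;
        *) echo "group: 'sss' not listed, got '${grp:-nothing}'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample file (not a real host's config) mirroring the layout above.
SAMPLE=$(mktemp)
printf 'passwd:   files sss\nshadow:   files sss\ngroup:    sss files\nsudoers:  files sss\n' > "$SAMPLE"
check_nsswitch "$SAMPLE" && echo "ordering OK"
```

On a real host, run `check_nsswitch /etc/nsswitch.conf` from a configuration audit and treat a non-zero exit as a finding.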