Hi,
I have a requirement where human users will be logging in with their AD accounts. However, there are some applications that create a local user and group, and at times the AD users may need to work on the application, view/edit files owned by the application user/group, run programs, etc. Therefore we need to create some sort of mapping between the AD users and the local group.
After going through this mailing list, I realized that the recommendation is to add the remote AD users into the local group by modifying the /etc/group file. What I am wondering is whether this is the only way to solve the problem, or whether there is another (presumably better) way to handle this?
I am using Puppet already. Therefore I think I may use the augeas provider to edit the /etc/group file to add the users. I also need to devise a way so that users can be deleted from /etc/group easily in an automated fashion. Has anyone got any tips up their sleeve that can be used to roll out this feature on a lot of servers?
Thanks,
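The membership reconciliation the post asks for (add the wanted AD users to a local group, remove the ones no longer wanted, safe to re-run) can be expressed as a small declarative script. This is an added example, not code from the thread: it assumes the local group is called appgrp, reads membership from a group(5)-format file whose path is passed in (so it can be exercised against a constructed sample file rather than the live /etc/group), and applies changes with gpasswd, which is assumed to be present on the hosts.

```shell
#!/bin/sh
# Reconcile the member list of a local group with a desired list of AD users.
# Example added for this thread; not the poster's or sssd's code.

# current_members FILE GROUP -> current members of GROUP in FILE, one per line
current_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# plan FILE GROUP DESIRED -> lines "add USER" / "del USER" needed to make the
# membership of GROUP equal to DESIRED (comma-separated). Pure: touches nothing.
plan() {
    file=$1; group=$2
    cur=$(current_members "$file" "$group")
    want=$(printf '%s' "$3" | tr ',' '\n' | sed '/^$/d')
    for u in $want; do                     # wanted but not present -> add
        printf '%s\n' "$cur" | grep -qxF "$u" || echo "add $u"
    done
    for u in $cur; do                      # present but not wanted -> del
        printf '%s\n' "$want" | grep -qxF "$u" || echo "del $u"
    done
}

# apply_plan GROUP  (reads plan lines on stdin; needs root and gpasswd)
apply_plan() {
    while read -r action user; do
        case $action in
            add) gpasswd -a "$user" "$1" ;;
            del) gpasswd -d "$user" "$1" ;;
        esac
    done
}

# Live usage (assumed group name and member list; run as root):
#   plan /etc/group appgrp "alice@example.com,dave@example.com" | apply_plan appgrp
# Re-running produces an empty plan, so the script is idempotent.
```

Keeping the desired list in one place (a file shipped by Puppet, for instance) and regenerating the plan from it on every run means removals are handled the same way as additions, which is the part the post says it still needs to devise.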
On Sun, May 05, 2019 at 04:11:34PM -0000, soham chakraborty wrote:
> Hi,
> I have a requirement where human users will be logging in with their AD accounts. However, there are some applications that create a local user and group, and at times the AD users may need to work on the application, view/edit files owned by the application user/group, run programs, etc. Therefore we need to create some sort of mapping between the AD users and the local group.
> After going through this mailing list, I realized that the recommendation is to add the remote AD users into the local group by modifying the /etc/group file. What I am wondering is whether this is the only way to solve the problem, or whether there is another (presumably better) way to handle this?
> I am using Puppet already. Therefore I think I may use the augeas provider to edit the /etc/group file to add the users. I also need to devise a way so that users can be deleted from /etc/group easily in an automated fashion. Has anyone got any tips up their sleeve that can be used to roll out this feature on a lot of servers?
If you can ensure that the remote group and the local group will always have the same name and GID, then perhaps you could use: https://sourceware.org/glibc/wiki/Proposals/GroupMerging
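The precondition in the reply (same group name and GID on both sides) is worth checking before switching /etc/nsswitch.conf to merge mode. The following is an added example, not part of the reply or of glibc: it takes two group(5)-format entries, one from the local files source and one from the remote source, checks that they agree on name and GID, and shows the member union that a merged lookup would present. The getent invocation in the trailing comment is an assumption about how one would fetch the remote entry on a live host.

```shell
#!/bin/sh
# Sanity checks for glibc group merging (added example, not from the thread).
# With   group: files [SUCCESS=merge] sss   in /etc/nsswitch.conf, glibc merges
# the member lists of the two results; that only makes sense when both sources
# describe the same group, i.e. same name and same GID.

# same_name_and_gid LOCAL_LINE REMOTE_LINE -> success if name and GID agree.
# Each argument is one "name:passwd:gid:members" line.
same_name_and_gid() {
    lname=$(printf '%s' "$1" | cut -d: -f1); lgid=$(printf '%s' "$1" | cut -d: -f3)
    rname=$(printf '%s' "$2" | cut -d: -f1); rgid=$(printf '%s' "$2" | cut -d: -f3)
    [ -n "$lname" ] && [ "$lname" = "$rname" ] && [ "$lgid" = "$rgid" ]
}

# merged_members LOCAL_LINE REMOTE_LINE -> union of both member lists,
# one name per line, duplicates removed (what a merged lookup exposes).
merged_members() {
    { printf '%s\n' "$1" | cut -d: -f4; printf '%s\n' "$2" | cut -d: -f4; } \
        | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Live usage (assumed group name; getent -s selects the nsswitch service):
#   local=$(grep '^appgrp:' /etc/group)
#   remote=$(getent -s sss group appgrp)
#   same_name_and_gid "$local" "$remote" || echo "GID mismatch: do not enable merge"
```

Run the check for every group you intend to share before enabling the merge action; a GID mismatch means the two sources are not the same group, and the reply's approach does not apply.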
sssd-users@lists.fedorahosted.org