Devuan freeipa domain users control local devices
The Debian method of granting access to devices like the network cards, audio output, printers, etc., is to add a user to the appropriate system group. For domain users, however, do I have to add every single domain user to the local group? I have sought an answer to this problem for a long time. After a lot of research, and coming back to the problem, I finally have a solution I find acceptable for general use and for sharing.
Overview
You have to adjust pam, nsswitch, and the local groups themselves. However, no additional packages should be needed!
Assumptions
I did this with the lightdm display manager, which calls pam. During my research, I read on one of those pages somewhere that not all DMs use pam. Just make sure yours does. You have domain groups named netdev, plugdev, audio, etc. Making extra groups in the directory, with either nested groups or direct members, is a small price to pay for this goal!
The steps
Configure pam
You have to configure pam to include the pam_group library.
tf=/usr/share/pam-configs/my_groups
sudo touch "${tf}" ; sudo chmod 0644 "${tf}" ; sudo chown root:root "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
Name: Activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required pam_group.so use_first_pass
EOF
Then run the Debian pam-auth-update program. Obviously there is no EL equivalent, but then you can't have this problem on an EL derivative.
pam-auth-update
Select the option we just wrote, "Activate /etc/security/group.conf".
Configure nsswitch.conf
Change the group: line in nsswitch.conf to the following:
group: compat [SUCCESS=merge] sss
You can accomplish that with a sed oneliner:
sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' /etc/nsswitch.conf
Change the local groups
To take advantage of glibc group merging, you have to be running glibc 2.24 or higher; Devuan Ceres has 2.28, so we're good. Also, the GIDs have to match exactly. Of course your GID range will be different from mine, so I wrote a general solution.
test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for word in netdev video audio dip ;
do
    {
        # GID of the domain group (via sssd) and of the local group (from /etc/group)
        tgid="$( getent group -s sss "${word}" | awk -F':' '{print $3}' )"
        ogid="$( getent group -s files "${word}" | awk -F':' '{print $3}' )"
    } 2>/dev/null
    # if the group exists locally and in the domain, and the GIDs differ
    test -n "${ogid}" && test -n "${tgid}" && test "${ogid}" -ne "${tgid}" && {
        # use sed because groupmod fails when the new GID already exists
        sed -i -r -e "/^${word}:/s/:${ogid}:/:${tgid}:/;" /etc/group
        # log to stdout and logfile
        printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${word} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
    }
done
This snippet changes the GID of each requested local group to match the GID of the corresponding domain group. A reboot is required to get the updated permissions on the device special files.
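As an added example (not code from the original post), here is a dry run of the GID alignment step: it compares the files and sss entries for each group the way the loop above does, reports what would change without editing /etc/group, and shows the merged member list glibc returns once the GIDs agree. The group names are the ones used on this page, the getent lines in the comments are constructed samples, and the find command in the comment is my suggestion for auditing the old GID, not something the post runs.

```sh
#!/bin/sh
# Added example, not from the original post: a dry run of the GID alignment
# step. It compares the local (files) and domain (sss) group entries and
# reports what the sed step would change, without touching /etc/group.
# The getent lines shown in comments are constructed samples.

# merged_members LOCAL_LINE SSS_LINE
# Member list glibc returns once the GIDs agree and nsswitch has
# "group: compat [SUCCESS=merge] sss": the union of both member fields.
merged_members() {
    lmem=$(printf '%s' "$1" | cut -d: -f4)
    smem=$(printf '%s' "$2" | cut -d: -f4)
    printf '%s,%s' "$lmem" "$smem" | tr ',' '\n' | sed '/^$/d' | sort -u |
        paste -s -d , -
}

# plan_group NAME LOCAL_LINE SSS_LINE -> one status line; nothing is modified
plan_group() {
    name=$1
    ogid=$(printf '%s' "$2" | cut -d: -f3)
    tgid=$(printf '%s' "$3" | cut -d: -f3)
    if [ -z "$ogid" ]; then
        printf 'SKIP %s: no local group, nothing to renumber\n' "$name"
    elif [ -z "$tgid" ]; then
        printf 'SKIP %s: no domain group, local gid %s stays\n' "$name" "$ogid"
    elif [ "$ogid" -eq "$tgid" ]; then
        printf 'OK   %s: gid %s matches, merged members: %s\n' \
            "$name" "$ogid" "$(merged_members "$2" "$3")"
    else
        # Renumbering leaves files on disk owned by the old GID, and a group
        # created later with that number would inherit access to them.
        # Audit them before committing, e.g. find / -xdev -gid "$ogid".
        printf 'PLAN %s: change local gid %s -> %s, then audit files with gid %s\n' \
            "$name" "$ogid" "$tgid" "$ogid"
    fi
}

# Run the plan against this host; the domain side needs sssd to be running.
live_check() {
    for word in netdev plugdev audio video dip; do
        plan_group "$word" \
            "$(getent group -s files "$word" 2>/dev/null)" \
            "$(getent group -s sss "$word" 2>/dev/null)"
    done
}

command -v getent >/dev/null 2>&1 && live_check
```

Run it before the renumbering loop; a PLAN line tells you which GIDs the sed step will rewrite and which old GID to search the filesystem for afterwards.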
References
Web searches
pam_group add domain user to netdev
Weblinks
- pam - Add all network users to local group for specific hosts in CentOS7 - Server Fault
- OpenLDAP/SSSD Automatically Add User to Local Group - Server Fault
- LDAPClientAuthentication - Community Help Wiki [help.ubuntu.com]
- Proposals/GroupMerging - glibc wiki
- SystemGroups - Debian Wiki
- My question from a few months ago Grant domain user access like he is in netdev group [linuxquestions.org]