On 07/30/2015 07:42 AM, Domenico Viggiani wrote:
> You can put any centralized account into a local group, but you
> do it on all clients. I have an LDAP account "jhrozek" that is a member
> of local group mock:
> $ grep mock /etc/group
OK, I know, but I'd like to avoid inserting AD developers' accounts into the local
group one by one :(
sssd-users mailing list
I have a setup that
allows me to centrally manage local groups. Maybe it
can help here.
Because I am using RFC2307bis in OpenLDAP, which Windows AD supports, I
can have groupOfNames groups with an additional objectClass of posixGroup.
I installed the migrationtools package so I could use the scripts to
create the posix user, group, etc. info in LDAP. It took some minor
modifications to the scripts to output the data in LDIF format according
to my DIT hierarchy. I then ran the script and imported the LDIF. I
now have all the posix info in my DIT.
By adding the posixAccount objectClass to my user object in LDAP, which
has the inetOrgPerson structural objectClass, I can add uid/gid values
to the object. If I add my user object to one of the groupOfNames
groups that has the additional posixAccount objectClass, I can see my id
in that group when I log into a box and run "id".
Using sssd, and configuring /etc/nsswitch.conf to point to sss for
group as primary and files as secondary, I get to use the centrally
managed local groups on all of my hosts. I make one change and all
devices get the update (upon logout and then login). nsswitch.conf
points passwd, shadow, sudoers, netgroup, and automount to files as
primary and sss as secondary. I made sure to leave passwd as files
first, so that root is always local and can log in should the network or
directory not be available.
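The shape of the LDAP objects the previous message describes, as an added example rather than the poster's own data: a hypothetical DIT under dc=example,dc=com, a user "jdoe" and a group "developers" with made-up uid/gid numbers. The user is an inetOrgPerson with the posixAccount auxiliary class added; the group is a groupOfNames (members are DNs) with posixGroup added so it also carries a gidNumber.

```ldif
# Added example, not from the original thread. All DNs, names and
# numbers below are assumptions for illustration.

# User: inetOrgPerson is the structural class, posixAccount is auxiliary
# and supplies uidNumber/gidNumber/homeDirectory/loginShell.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash

# Group: groupOfNames is structural and requires at least one "member" DN.
# posixGroup is STRUCTURAL in the classic RFC 2307 nis.schema, so it could
# not be combined with groupOfNames there; rfc2307bis.schema redefines it
# as AUXILIARY, which is what makes this combination loadable.
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 20001
member: uid=jdoe,ou=People,dc=example,dc=com
```

On the client side this only works if sssd reads memberships from the member attribute rather than memberUid, i.e. the [domain/...] section of sssd.conf needs ldap_schema = rfc2307bis (ldap_group_member defaults to member for that schema), and /etc/nsswitch.conf carries "group: sss files" and "passwd: files sss" as the message describes. Two checks worth doing before rolling it out: run "getent group developers" and "id jdoe" on a client to confirm the gid and the supplementary membership resolve through sss, and make sure the gidNumber range used in the directory cannot collide with anything in /etc/group, because with sss ahead of files a directory group named or numbered like a local one (wheel, or gid 0) would shadow the local entry on every host.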