
How would I add a network (sssd-ldap) user to a local group?
More specifically, how can I add all network users who log into a system to a local group?

It doesn't look like authconfig has a setting to add pam_group (unlike pam_access) and pam_group isn't there by default. I can edit the various pam files by hand, but if authconfig is run again, this is liable to lead to trouble.

In a sense I'm looking for the inverse of this question, though I'm using the rfc2307bis schema (not that that should make a difference).

Unlike this question, I'm looking to add the users to pre-existing local groups, e.g. libvirt or tcpdump.

I'm aware that I can edit /etc/group for each new user, but I'm looking for something more robust. Making sure the pam stack includes pam_group would be less problematic than that.
This is actually what I'm doing already, but having to re-run the ansible play to do this every time a user is added or removed from the directory is a bit much.

Using group: files [SUCCESS=merge] sss doesn't seem to be an option yet as it was added in glibc 2.24, while CentOS7 uses glibc-2.17-106.el7_2.8 and I can't find any back port notes for this feature. It's still not an ideal option though.

84104

2 Answers


I'm not sure if authconfig calls pam-auth-update somewhere in its code, but if you have added a config in /usr/lib/pam-configs and run authconfig or pam-auth-update then it should read the file and inject pam_group at the appropriate location in the /etc/pam.d/ files. See this answer.

Something like the below in /usr/share/pam-config/load-groups should work.

Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        optional                        pam_group.so

The higher the priority number the earlier it is triggered, and pam_group doesn't actually verify the password so contrary to some other examples (like the official Ubuntu one) you can leave that off.

dragon788
CentOS7 does not use `pam-auth-update`. That may be a Debian, rather than a Red Hat, family feature. – 84104 Aug 22 '18 at 10:45

Just edit /etc/group and add your user there :)

I have my own LDAP user a member of the mock group so I can build RPMs in a chroot:

$ grep mock /etc/group
mock:x:135:jhrozek

The only catch is that you'll need to log out and back in because groups are established on login only.

jhrozek