Assign local group to sssd authenticated user

Hi all,
I’d like to know if there’s a way to assign a local group to a user authenticated by sssd.
Thank you

Do you mean something like:

usermod -a -G groupname username

Thank you for your quick reply.
That is a solution, but I wonder if there’s a way to automatically map an A/D group to a local group.

The question is now different from what you actually asked. You asked about putting an AD user into a local group. The solution is above. Now you’re asking if you can “map” groups, to which the answer is no.

What exactly are you trying to do that you would need to map an AD group to a local group? Trying to do this would be a hack at best and trying to add an AD group to a local group is not supported as /etc/group does not support nesting.

nsswitch.conf might be what you are looking for, the merge option.

group: files [SUCCESS=merge] sss

The above entry in nsswitch.conf merges local group members with AD group members, if the groups have the same name and GID.

Not entirely sure if it works with SSSD though.

BTW, you only need to merge if there are local users that also have to be members of the group. If you only need SSSD/AD users in the group, you don’t need the local group, SSSD will present the AD group as a local group.

Yes, you’re right. Perhaps I didn’t explain it thoroughly.
Here is the case:

  • Linux server joined to a realm, with sssd access based on an A/D group (suppose WINGRP).
  • Network shared folder (NFS) with specific rw permissions, where a local group (suppose LINUXGRP) has write permissions.

Our goal is to allow logged-in users to access the shared folder and create files with LINUXGRP permissions.

NFS and groups is a “peculiar” thing. The old way was that the client sent the uid and a list of gids to the server to check whether the process could access a file. There was an issue: the list could have at most 16 gids. If the account was a member of more than 16, the rest were not delivered to the server, so access by those groups was not possible.

A workaround appeared, where only the uid is sent to the server and the server enumerates the memberships (usually from LDAP). The account on the client does not need to be a member of the group, since the state on the server is what counts.

However, that would not help in this case – it would only move the issue from the client to the NFS server – and would confuse users.

So I take it there are no solutions.

(Disclaimer: have never used AD, so my “solution” would be to not use AD. That is obviously not an option.)

If authentication and authorization are governed by AD, then the file share should also use it. Perhaps Samba, if the server cannot map AD → POSIX for NFS? (NFS can use Kerberos for authentication, so could tickets from AD convey the membership to server?)

I assume you have tried adding an SSSD/AD user to LINUXGRP? I haven’t used SSSD with NFS, but it seems like there’s some support for it with the package sssd-nfs-idmap.