Hi, I'm trying to figure out the best practice for groups on my client servers. I have several computation workstation hosts that have been added as freeipa clients, and several engineers who want to run docker on them. Members of the 'docker' group (gid=999 on some machines, for example) can run docker without needing sudo, which is what I want to roll out to all machines. Ideally this would be managed from freeipa with LDAP groups, and so anyone in the 'engineers' group should also be a member of the 'docker' group.
When I create a 'docker' group on freeIPA it will have some other gid and the client sees that. Should I just delete the original docker group from my hosts and let it get it from ldap, or should I go into /etc/group and change the gid to the one that matches the right ldap gid, or preferably something easier than that?
You can specify the GID when you create user groups in freeIPA. In the GUI it's very clear (Group name [required], Description, Group Type, GID). From the CLI it's something like: # ipa group-add <group name> --gid=<GID>
On Wed, Oct 23, 2019 at 3:12 PM Jason Dunham via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Oh yes, it's clear, but I just don't know if I'm setting myself up for problems if I set a freeipa gid or uid to a value that already existed on the host before it was turned into a freeipa client. That's already a problem with my users, since they have different uids on the hosts if they were useradd-ed in a different order. However, I'm sure that if I just change uids in the /etc/passwd file to match freeipa then all the existing file ownerships will be messed up.
I was hoping there is a standard way to deal with this and that I just didn't find the right page in the docs.
On Wed, Oct 23, 2019 at 2:37 PM John Duino jduino@oblong.com wrote:
Assuming it's fairly chaotic across your systems, you may just need to brute-force it. Before adding to IPA, you'll just need to map oldGID->newGID, then do something like find/exec/chown. You can do the same with groups. If you want to get fancier, have the script do the mapping.
On Wed, Oct 23, 2019 at 8:14 PM Jason Dunham jwdunham@gmail.com wrote:
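An added example, not code from the thread: the "map oldGID->newGID, then find/exec/chown" step as a script, run on each host before it is enrolled. The map file format (one `<oldgid> <newgid>` pair per line) is an assumption of this example, and `validate_map` and `remap_tree` are names chosen here. It adds the check the one-liner hides: a map whose target GIDs overlap its source GIDs would move some files twice, so such maps are rejected. The same structure works for UIDs with `find -uid` and `chown`.

```shell
#!/bin/sh
# Added example (not code from the thread): the "map oldGID->newGID, then find/exec/chown"
# step, run on each host before it is enrolled. MAPFILE is a constructed text file with
# one "<oldgid> <newgid>" pair per line ('#' starts a comment). For UIDs the same script
# works with `find -uid` and `chown` in place of `-gid` and `chgrp`.
#
# Caveat the one-liner hides: the map must not chain. If 999->1000 and 1000->1001 were
# applied in that order, files just moved to 1000 would be moved again. validate_map
# rejects any map whose target GIDs overlap its source GIDs; renumber through a spare
# intermediate range if you really need a swap.

# validate_map MAPFILE: return 1 (with a message on stderr) on malformed or chained maps
validate_map() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ {
      print "bad map line " NR ": " $0 > "/dev/stderr"; bad = 1; next
    }
    { old[$1] = 1; new[$2] = 1 }
    END {
      for (g in new) if (g in old) {
        print "chained mapping through gid " g > "/dev/stderr"; bad = 1
      }
      exit bad
    }' "$1"
}

# remap_tree ROOT MAPFILE [dry|apply]
# dry (default) prints the chgrp commands it would run; apply executes them.
remap_tree() {
  root=$1; map=$2; mode=${3:-dry}
  validate_map "$map" || return 1
  while read -r old new _; do
    case $old in '' | \#*) continue ;; esac
    # -xdev: stay on one filesystem (run once per mount); -h: change a symlink itself
    # rather than whatever it points at, so a link cannot redirect the chgrp
    if [ "$mode" = apply ]; then
      find "$root" -xdev -gid "$old" -exec chgrp -h "$new" {} +
    else
      find "$root" -xdev -gid "$old" -exec printf 'chgrp -h %s %s\n' "$new" {} \;
    fi
  done < "$map"
}

# Stand-alone demo on a scratch tree: map the caller's own primary GID to a
# constructed new value and show what would change (dry run only).
demo=$(mktemp -d)
touch "$demo/data.bin" "$demo/notes.txt"
printf '# constructed map: current gid -> new gid\n%s 60000\n' "$(id -g)" > "$demo.map"
remap_tree "$demo" "$demo.map" dry
rm -rf "$demo" "$demo.map"
```

Run it in `dry` mode first and keep that listing; it is the record you need if an ownership change has to be reversed. The `apply` mode needs root, and because it walks with `-xdev` you run it once per mounted filesystem that holds user data.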
I strongly recommend reading this article: https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run...
And based on it, I would a) reconsider whether using sudo is not a better idea, and b) recommend, if possible, creating the docker group locally and adding users explicitly on the specific machines.
I would fall back to a global docker group, which basically gives root to any user on any machine with docker installed that they have access to, only as a last resort.
Simo.
On Wed, 2019-10-23 at 19:07 +0000, Jason Dunham via FreeIPA-users wrote:
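An added example, not code from the thread: if the docker group is kept local and populated explicitly per machine, as recommended above, it deserves the same audit as a sudoers file, because every member is effectively root on that host. The script below diffs the group's membership against a per-host allowlist and also catches the case a member-list check misses, users whose primary group is docker. The file formats are those of /etc/group and /etc/passwd (on a client that gets the group from IPA, feed it `getent group` and `getent passwd` output instead, since sssd entries are not in the local files); the allowlist format and the function names are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): Simo's point is that membership of the
# docker group is root on that host, so audit it the way you would audit sudoers.
# GROUPDB and PASSWDDB are in /etc/group and /etc/passwd format; on a client where the
# group comes from IPA, feed it `getent group` / `getent passwd` output instead, since
# sssd entries never appear in the local files. ALLOWFILE lists the logins that are
# meant to have docker access on this particular host, one per line. All sample data
# below is constructed.

# docker_members GROUPDB: logins listed in the 'docker' entry's member field
docker_members() {
  awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# primary_group_users GROUPDB PASSWDDB: logins whose primary GID is docker's GID.
# They are in the group without being in its member list, so a member-list-only
# audit misses them.
primary_group_users() {
  gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$1")
  [ -n "$gid" ] || return 0
  awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# audit_docker_group GROUPDB PASSWDDB ALLOWFILE
# prints every login with docker access that is not in ALLOWFILE; return 1 if any
audit_docker_group() {
  db=$1; pw=$2; allow=$3
  allowed=$(mktemp)
  sort -u "$allow" > "$allowed"
  extra=$( { docker_members "$db"; primary_group_users "$db" "$pw"; } | sort -u | comm -23 - "$allowed")
  rm -f "$allowed"
  [ -z "$extra" ] && return 0
  printf '%s\n' "$extra"
  return 1
}

# Stand-alone demo with constructed data: carol is in the member list and dave has
# docker as primary group; neither is on the allowlist.
demo=$(mktemp -d)
printf 'root:x:0:\ndocker:x:999:alice,bob,carol\n' > "$demo/group"
printf 'alice:x:1001:1001::/home/alice:/bin/sh\ndave:x:1004:999::/home/dave:/bin/sh\n' > "$demo/passwd"
printf 'alice\nbob\n' > "$demo/allow"
if audit_docker_group "$demo/group" "$demo/passwd" "$demo/allow"; then
  echo "docker group matches allowlist"
else
  echo "^ unexpected docker (= root) access on this host"
fi
rm -rf "$demo"
```

Scheduled from cron or a config-management run with the real files, a non-zero exit from `audit_docker_group` is the signal that someone gained root-equivalent access on that host outside the documented process.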