Bug 1146822

Summary: Capability to add local privileged groups to domain users or groups
Product: [Fedora] Fedora
Reporter: Stef Walter <stefw>
Component: glibc
Assignee: Carlos O'Donell <codonell>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: high
Version: 24
CC: abokovoy, arjun.is, codonell, dpal, fweimer, jakub, jhrozek, law, lslebodn, mfabian, mvollmer, pbrezina, pfrankli, preichl, pspacek, sbose, sgallagh, siddhesh, ssorce, stefw, yelley
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: glibc-2.22.90-28.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-29 12:09:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1144010, 1144561

Description Stef Walter 2014-09-26 07:31:39 UTC
In Active Directory there is a 'Domain Administrators' group, which by default can administer any machine in the domain. We should make it trivial (or default) to map this so that such a group can escalate privileges to root in the same way wheel can.

Not sure what an IPA equivalent group would be, or if there is one.

SSO users logging into Cockpit can do nothing, since they cannot escalate to root no matter what domain group they're in.

Comment 1 Stef Walter 2014-09-26 14:50:09 UTC
We should be able to add domain users (and ideally entire domain groups) to local groups.

For example there should be a way to add a domain user to the docker group, or the wheel group, or the pegasus group, since access decisions are made based on these local groups.

Ideally we could add entire domain groups to local groups. Otherwise this would become a tedious management problem across multiple machines.

Comment 2 Simo Sorce 2014-09-26 15:43:59 UTC
You can add domain users to /etc/group.
To add entire groups there are only 2 possible solutions; both are a little invasive.
1. SSSD takes over managing 'files' and nsswitch always points to 'sss' first
2. SSSD writes out stuff to /etc/group as needed by unrolling groups in there

In both cases there is the question of where you configure this stuff.
In the windows case there is a whitelist of domain groups that are automatically added to builtin local domain groups by default at join.

Comment 3 Stef Walter 2014-09-26 16:04:22 UTC
Just noting here: "Allow nesting remote groups as a part of the local groups" is an upstream sssd ticket too.

https://fedorahosted.org/sssd/ticket/1591

Comment 4 Stef Walter 2014-09-30 14:12:15 UTC
Related proposal: https://sourceware.org/glibc/wiki/Proposals/GroupMerging
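To make the two positions above concrete, here is an added model (not code from this bug, from sssd or from glibc) of how a group lookup behaves when the same group name is answered by both the local 'files' source and the 'sss' source: with the default first-match nsswitch action the local /etc/group entry wins and domain members are invisible, while under the merge action described in the GroupMerging proposal the member lists are combined. The /etc/group and domain entries, the user names and the assumption that sssd presents a 'wheel' group with the same GID are all constructed for this example; the merge model keeps the first GID it sees and does not try to reproduce glibc's exact handling of GID mismatches.

```python
# Added example: a model of nsswitch group lookup under first-match vs. merge.
# Not part of the bug, sssd or glibc; all entries below are constructed.
from dataclasses import dataclass, field


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: list = field(default_factory=list)


def parse_group_db(text):
    """Parse /etc/group-style lines (name:password:gid:member1,member2)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":")
        entries[name] = GroupEntry(name, int(gid), [m for m in members.split(",") if m])
    return entries


# Constructed local /etc/group: one domain user added by hand to wheel
# (what an administrator would get from 'gpasswd -a bob@example.com wheel' on a real host).
LOCAL_GROUP = """root:x:0:
wheel:x:10:alice,bob@example.com
docker:x:986:
"""

# Constructed answer from the 'sss' source. Assumption for the sample: the domain side has been
# set up to present a 'wheel' group with the same GID whose members are the domain admins.
DOMAIN_GROUP = """wheel:*:10:carol@example.com,dave@example.com
domain admins@example.com:*:1234500512:carol@example.com,dave@example.com
"""


def lookup_first_match(name, sources):
    """Default nsswitch action: the first source that returns the group wins outright."""
    for db in sources:
        if name in db:
            return db[name]
    return None


def lookup_merge(name, sources):
    """Merge action for the group database: when consecutive sources both return a group
    of this name, their member lists are combined. The first GID is kept (the sample
    assumes the GIDs match)."""
    merged = None
    for db in sources:
        entry = db.get(name)
        if entry is None:
            continue
        if merged is None:
            merged = GroupEntry(entry.name, entry.gid, list(entry.members))
        else:
            for member in entry.members:
                if member not in merged.members:
                    merged.members.append(member)
    return merged


def is_member(user, entry):
    """Membership check of the kind sudo/polkit-style 'is in wheel' decisions rely on."""
    return entry is not None and user in entry.members


# Source order mirrors 'group: files sss' in nsswitch.conf.
SOURCES = [parse_group_db(LOCAL_GROUP), parse_group_db(DOMAIN_GROUP)]

if __name__ == "__main__":
    first = lookup_first_match("wheel", SOURCES)
    merged = lookup_merge("wheel", SOURCES)
    print("files first:", first.members)   # domain admins are not in wheel
    print("merge:      ", merged.members)  # local and domain members combined
```

The point of the model is the visibility gap in the first case: a domain admin checked against 'wheel' is not a member at all, which is exactly why Cockpit SSO users could not escalate. The merging that the proposal describes landed in glibc as the `[SUCCESS=merge]` action on the `group:` line of nsswitch.conf, and it only applies to the group database; when reviewing a host, check that the local entry and the domain entry agree on the GID before relying on merged membership.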

Comment 5 Stef Walter 2015-04-13 15:22:05 UTC
As noted above, this is sssd related work.

Comment 6 Fedora End Of Life 2015-11-04 09:54:10 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Stephen Gallagher 2015-11-09 13:25:40 UTC
Moving this ticket to Rawhide. The changes necessary to fix this will be in glibc, which won't get added in a stable release. I'm hoping to land them in Fedora 24 (patches are under review now).

Comment 8 Jan Kurik 2016-02-24 15:45:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 9 Mike McCune 2016-03-28 22:25:24 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions