In Active Directory there is a 'Domain Administrators' group, which by default can administer any machine in the domain. We should make it trivial (or default) to map this so that such a group can escalate privileges to root in the same way wheel can. Not sure what an IPA equivalent group would be, or if there is one. SSO users logging into Cockpit can do nothing, since they cannot escalate to root no matter what domain group they're in.
We should be able to add domain users (and ideally entire domain groups) to local groups. For example there should be a way to add a domain user to the docker group, or the wheel group, or the pegasus group, since access decisions are made based on these local groups. Ideally we could add entire domain groups to local groups. Otherwise this would become a tedious management problem across multiple machines.
You can add domain users to /etc/group. To add entire groups there are only 2 solutions possible, both are a little invasive:

1. SSSD takes over managing 'files' and nsswitch always points to 'sss' first
2. SSSD writes out stuff to /etc/group as needed by unrolling groups in there

In both cases there is the question of where you configure this stuff. In the Windows case there is a whitelist of domain groups that are automatically added to builtin local domain groups by default at join.
Just noting here: "Allow nesting remote groups as a part of the local groups" is an upstream sssd ticket too. https://fedorahosted.org/sssd/ticket/1591
Related proposal: https://sourceware.org/glibc/wiki/Proposals/GroupMerging
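The group-merging proposal linked in the previous comment, together with the "nsswitch points at 'sss' first" option discussed a few comments up, as an added example that is not part of this bug report and not code from glibc, SSSD or Cockpit: a POSIX shell model of what a lookup through "group: files sss [SUCCESS=merge]" would return. The two "databases", the group names, the GIDs and the user names are constructed sample data; the merge rules follow the proposal and nsswitch.conf(5) as I understand them (first source wins for name, password and GID; only the member list is merged; no merge when the GIDs differ).

```shell
#!/bin/sh
# Added example, not code from the bug report or from glibc/SSSD: a shell
# model of the "group merging" nss action proposed at
# https://sourceware.org/glibc/wiki/Proposals/GroupMerging, which lets an
# nsswitch.conf line like
#     group: files sss [SUCCESS=merge]
# return one entry per group whose member list is the union of what the
# local 'files' source and the domain 'sss' source each report.
# Both "databases" below are constructed sample data in /etc/group format.

# Constructed stand-in for /etc/group (the 'files' source).
LOCAL_GROUPS='wheel:x:10:alice
docker:x:995:bob
pegasus:x:990:'

# Constructed stand-in for what 'sss' would return for the same group names
# (domain group members, already unrolled by SSSD). Note the GID clash on
# 'pegasus': the domain has a different group that merely shares the name.
DOMAIN_GROUPS='wheel:x:10:admin1@example.com,admin2@example.com
docker:x:995:dev1@example.com,bob
pegasus:x:4711:attacker@example.com'

# lookup DB NAME: print the line for group NAME from DB, or nothing.
# "not found" is not an error, hence the trailing '|| :'.
lookup() {
    printf '%s\n' "$1" | grep "^$2:" || :
}

# field LINE N: N-th colon-separated field of an /etc/group line.
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# merge_group NAME: emulate 'files sss [SUCCESS=merge]' for group NAME.
# Rules modelled here:
#   * name, password and GID come from the first source that answers;
#   * only the member list is merged, duplicates removed;
#   * if the second source reports a different GID, nothing is merged and the
#     first source's entry is returned unchanged (glibc's merge applies the
#     same name-and-GID check). Without it, a domain group that only shares a
#     name could inject members into a local group such as wheel or docker.
merge_group() {
    name=$1
    first=$(lookup "$LOCAL_GROUPS" "$name")
    second=$(lookup "$DOMAIN_GROUPS" "$name")

    # Only one source knows the group: return it as-is.
    if [ -z "$first" ]; then printf '%s\n' "$second"; return; fi
    if [ -z "$second" ]; then printf '%s\n' "$first"; return; fi

    if [ "$(field "$first" 3)" != "$(field "$second" 3)" ]; then
        printf '%s\n' "$first"
        return
    fi

    # Union of both member lists, first-seen order, empty entries dropped.
    members=$(printf '%s,%s\n' "$(field "$first" 4)" "$(field "$second" 4)" \
        | tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -sd, -)
    printf '%s:%s:%s:%s\n' "$(field "$first" 1)" "$(field "$first" 2)" \
        "$(field "$first" 3)" "$members"
}

# in_group USER NAME: succeed if USER is a member of the merged group NAME,
# i.e. the check an access decision based on a local group would make.
in_group() {
    merge_group "$2" | cut -d: -f4 | tr ',' '\n' | grep -qx "$1"
}

merge_group wheel     # wheel:x:10:alice,admin1@example.com,admin2@example.com
merge_group docker    # docker:x:995:bob,dev1@example.com
merge_group pegasus   # pegasus:x:990:   (GID mismatch, not merged)
```

With merging in place the "add a domain group to wheel" request from this bug reduces to SSSD answering the same group name with the domain members; the GID check is what keeps that from becoming a way for an unrelated domain group to land in a privileged local group.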
As noted above, this is sssd related work.
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Moving this ticket to Rawhide. The changes necessary to fix this will be in glibc, which won't get added in a stable release. I'm hoping to land them in Fedora 24 (patches are under review now).
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions