Bug 1146822 - Capability to add local privileged groups to domain users or groups
Summary: Capability to add local privileged groups to domain users or groups
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Carlos O'Donell
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1144010 1144561
TreeView+ depends on / blocked
Reported: 2014-09-26 07:31 UTC by Stef Walter
Modified: 2016-03-29 12:11 UTC (History)
21 users (show)

Fixed In Version: glibc-2.22.90-28.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-03-29 12:09:13 UTC
Type: Bug

Attachments (Terms of Use)

Description Stef Walter 2014-09-26 07:31:39 UTC
In Active Directory there is a 'Domain Administrators' group, which by default can administer any machine in the domain. We should make it trivial (or default) to map this so that such a group can escalate privileges to root in the same way wheel can.

Not sure what an IPA equivalent group would be, or if there is one.

SSO users logging into Cockpit can do nothing, since they cannot escalate to root no matter what domain group they're in.

Comment 1 Stef Walter 2014-09-26 14:50:09 UTC
We should be able to add domain users (and ideally entire domain groups) to local groups.

For example there should be a way to add a domain user to the docker group, or the wheel group, or the pegasus group, since access decisions are made based on these local groups.

Ideally we could add entire domain groups to local groups. Otherwise this would become tedious management problem across multiple machines.

Comment 2 Simo Sorce 2014-09-26 15:43:59 UTC
You can add domain users to /etc/group
To add entire groups there are only 2 solutions possible, both are a little invasive.
1. SSSD takes over managing 'files' and nsswitch always points to 'sss' first
2. SSSD writes out stuff to /etc/group as needed by unrolling groups in there

In both cases there is the question of where you configure this stuff.
In the windows case there is a whitelist of domain groups that are automatically added to builtin local domain groups by default at join.

Comment 3 Stef Walter 2014-09-26 16:04:22 UTC
Just noting here: "Allow nesting remote groups as a part of the local groups" is an upstream sssd ticket too.


Comment 4 Stef Walter 2014-09-30 14:12:15 UTC
Related proposal: https://sourceware.org/glibc/wiki/Proposals/GroupMerging

Comment 5 Stef Walter 2015-04-13 15:22:05 UTC
As noted above, this is sssd related work.

Comment 6 Fedora End Of Life 2015-11-04 09:54:10 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Stephen Gallagher 2015-11-09 13:25:40 UTC
Moving this ticket to Rawhide. The changes necessary to fix this will be in glibc, which won't get added in a stable release. I'm hoping to land them in Fedora 24 (patches are under review now).

Comment 8 Jan Kurik 2016-02-24 15:45:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:

Comment 9 Mike McCune 2016-03-28 22:25:24 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Note You need to log in before you can comment on or make changes to this bug.