`admins` group instead of `domain admins`

I tried to play with Cockpit for something like nethserver-cockpit-delegation: all users I add to the group domain admins have no administrative rights; only members of the group admins could eventually be granted administrative tasks, see https://github.com/NethServer/nethserver-cockpit/blob/master/root/etc/nethserver/cockpit/authorization/roles.json#L2

After that, even if you create a group admins, the users belonging to this group cannot be admin; you must create a sudoers file

probably a dirty hack

```
[root@ns7loc14 ~]# cat  /etc/sudoers.d/30_cockpit_admins
Cmnd_Alias ADMINS = /usr/libexec/nethserver/api/*/*,/sbin/e-smith/validate

%admins ALL=NOPASSWD: ADMINS

# server-manager does not require a tty
Defaults:%admins !requiretty
```

cc @giacomo @edoardo_spadoni

I understand what you are trying to do, but I can’t get what the problem is.

Is this related to Cockpit: admins group cannot list applications?

Obviously my questions come from the fact that the admin user belongs to the group domain admins, but in Cockpit the role is made for the group admins; moreover, the sudoers file for the group admins is missing

Just to avoid future issues, I would prefer to be consistent

  • put the admin user in admins or create a role for the group domain admins
  • create a sudoers file for the admin group, same for domain admins if we create a role for it.
1 Like
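
The consistency check asked for above, as an added example that is not part of the original posts and is not NethServer code: it reads a sudoers drop-in, reports whether each group that holds a Cockpit role has a rule, and lists the NOPASSWD commands that contain wildcards. The list of role groups is supplied by the caller (the contents of roles.json are not shown in this thread), and the parser is an assumption-level simplification that handles only one-line `%group` rules and `Cmnd_Alias` definitions.

```python
import re

# Constructed input: the drop-in quoted earlier in this thread.
SUDOERS = r"""
Cmnd_Alias ADMINS = /usr/libexec/nethserver/api/*/*,/sbin/e-smith/validate

%admins ALL=NOPASSWD: ADMINS

# server-manager does not require a tty
Defaults:%admins !requiretty
"""

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# %group HOST = [(runas)] [TAG:]... commands; a space in a group name is written "\ "
RULE = re.compile(r"^%((?:\\.|[^\s\\=])+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")


def parse_group_rules(text):
    """Map group name -> list of (command, nopasswd) from simple one-line rules."""
    aliases, rules = {}, {}
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "Defaults"))]
    for line in lines:                      # first pass: collect command aliases
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:                      # second pass: expand %group rules
        m = RULE.match(line)
        if not m:
            continue
        group = m.group(1).replace("\\ ", " ")   # "domain\ admins" -> "domain admins"
        nopasswd = "NOPASSWD:" in m.group(2)
        for item in (c.strip() for c in m.group(3).split(",")):
            for cmd in aliases.get(item, [item]):
                rules.setdefault(group, []).append((cmd, nopasswd))
    return rules


def audit(text, role_groups):
    """Per role group: does a rule exist, and which NOPASSWD commands use wildcards?"""
    rules = parse_group_rules(text)
    return {
        g: {
            "has_rule": g in rules,
            "nopasswd_wildcards": [c for c, np in rules.get(g, []) if np and "*" in c],
        }
        for g in role_groups
    }

print(audit(SUDOERS, ["admins", "domain admins"]))  # role_groups: caller-supplied assumption
```

A rule for a group whose name contains a space has to be written with the space escaped, as in `%domain\ admins`, which is the form the parser above expects.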

I agree, I also don’t have a preference for “admins” vs “domain admins”.

What do you prefer?

/cc @dev_team

I am a lazy developer, admins will lower the future headache in development … saying that, for backward compatibility, we should follow what we have.

1 Like

I’m not aligned with cockpit developments. I just want to say that the “admins” key has to be honored, according to

http://docs.nethserver.org/en/v7/accounts.html#admin-account

See also https://github.com/NethServer/nethserver-sssd/commits/master/root/etc/e-smith/db/configuration/defaults/admins

1 Like