I have multiple virtualized servers, all configured to use LDAP for their passwd/shadow (in nsswitch.conf) and authentication (PAM).
I would like to have an easily configurable set of users who will be able to read logs on any of the servers. This means they need to be a member of a distro-specific supplementary group (e.g. systemd-journal on systemd-based distros, adm on Debian, etc.).
One idea I had was to make a netgroup in LDAP called e.g. log-reading-users which would represent the set of users. I configured nsswitch.conf to get netgroups from LDAP.
Then I tried adding them to the groups in /etc/group like this:
adm:x:4:+@log-reading-users
But it didn't work.
Then I tried using /etc/security/group.conf:
# group.conf
*;*;@log-reading-users;Al0000-24000;adm
And adding at the end of /etc/pam.d/common-auth:
auth optional pam_group.so
It did work for ssh, login, and su with a password, but when using sudo, su from root without a password, or when cron is running a user's crontab entry, the supplementary group IDs are not being added.
Is there a better way to do this?
Maybe something with initgroups in nsswitch.conf?
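The gap described in the question can be made visible with a small audit script. This is an added example, not code from the post: it parses a group.conf in the same services;ttys;users;times;groups format the poster used, resolves the @netgroup user specs against a constructed stand-in for the LDAP netgroup (in real use you would feed it the output of getent netgroup), computes which groups pam_group would add for a given PAM service, and subtracts the groups that NSS/initgroups actually reports via os.getgrouplist. Whatever is left is granted only inside a PAM session and is exactly what sudo, passwordless su and cron never see. The times field is not evaluated, and the services field only understands exact names and *; the sample group.conf and netgroup contents are constructed.

```python
#!/usr/bin/env python3
"""Audit supplementary groups granted by pam_group (/etc/security/group.conf)
that are NOT visible through NSS initgroups, i.e. the ones that sudo,
su-without-password and cron will not pick up."""
import grp
import os
import pwd

# Constructed sample of /etc/security/group.conf in the format used in the post:
# services;ttys;users;times;groups   (fields separated by ';', lists by ',')
SAMPLE_GROUP_CONF = """\
# group.conf (constructed example)
*;*;@log-reading-users;Al0000-2400;adm
sshd;*;alice;Al0000-2400;systemd-journal,adm
"""

# Constructed stand-in for `getent netgroup log-reading-users`.
# Assumption: the netgroup is stored in LDAP and contains these two users.
SAMPLE_NETGROUPS = {"log-reading-users": {"alice", "bob"}}


def parse_group_conf(text):
    """Return the rules of a group.conf as dicts; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 5:
            continue  # malformed line; pam_group would also ignore it
        services, _ttys, users, _times, groups = parts
        rules.append({
            "services": services.split(","),
            "users": users.split(","),
            "groups": groups.split(","),
        })
    return rules


def user_matches(spec, user, netgroups):
    """Match one entry of the users field: '*', '@netgroup' or a plain user name."""
    if spec == "*":
        return True
    if spec.startswith("@"):
        return user in netgroups.get(spec[1:], set())
    return spec == user


def pam_group_grants(user, service, rules, netgroups):
    """Groups pam_group would add for `user` authenticating via PAM `service`."""
    granted = set()
    for rule in rules:
        if service not in rule["services"] and "*" not in rule["services"]:
            continue
        if any(user_matches(spec, user, netgroups) for spec in rule["users"]):
            granted.update(rule["groups"])
    return granted


def nss_groups(user):
    """Supplementary groups as NSS (initgroups) reports them on this host.
    This is the view used by sudo, su without a password and cron."""
    pw = pwd.getpwnam(user)
    names = set()
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))  # gid with no name in NSS
    return names


def pam_only_groups(user, service, rules, netgroups, nss_view):
    """Groups the user gets only through pam_group, invisible outside a PAM session."""
    return pam_group_grants(user, service, rules, netgroups) - nss_view


if __name__ == "__main__":
    rules = parse_group_conf(SAMPLE_GROUP_CONF)
    for user in ("alice", "bob", "carol"):
        # Constructed NSS view: nobody is in adm via LDAP/NSS in this sample.
        missing = pam_only_groups(user, "sshd", rules, SAMPLE_NETGROUPS, {"users"})
        print(f"{user}: pam_group-only groups via sshd = {sorted(missing)}")
    # Against the real host (root exists everywhere), show what NSS actually returns.
    print("NSS view of root:", sorted(nss_groups("root")))
```

To audit a real host, replace SAMPLE_GROUP_CONF with the contents of /etc/security/group.conf, build the netgroup dict from getent netgroup, and pass nss_groups(user) as the NSS view; any group printed as pam_group-only is one that has to be delivered through NSS (an LDAP posixGroup resolved by nsswitch.conf's group/initgroups databases) before sudo or cron will honour it.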