On Wed, 28.05.25 09:43, Alexander Bokovoy (aboko...@redhat.com) wrote:

> On Tue, 27 May 2025, Lennart Poettering wrote:
> > On Tue, 27.05.25 14:32, Neal Gompa (ngomp...@gmail.com) wrote:
> >
> > > The usage of the systemd user management suite has been discussed many
> > > times over the past several years. Unfortunately, it has been designed
> > > in such a way that it is impossible to square with central login
> > > services (like AD/IPA/krb5 logins).
> >
> > systemd-userdbd and systemd-homed are two distinct things. Do not mix
> > them up.
> >
> > samba merged support for the former 3 months ago:
> >
> > https://gitlab.com/samba-team/samba/-/merge_requests/2928
>
> We currently do not plan to use that in real deployments, though. There
> are a few issues with the userdb API implementation. For example, there is an
> assumption that only one responder knows the information about the account
> being requested. In real deployments we have to do group membership
> merges across multiple nss backends. userdb right now fails to provide a
> complete group membership for FreeIPA users, for example. This is not
> unique to FreeIPA, though; it would do the same for any non-static
> backend in a default configuration.
That's a misunderstanding. userdb user/group memberships are implemented via the GetMemberships() IPC call, and *of* *course* it's assumed that multiple backends provide these, and the results of all backends are combined. After all, it's pretty much the default case that a regular user, for example one managed by homed, is part of a system-specific group (such as "wheel") which is managed via /etc/passwd.

In fact, it's even possible to put together a userdb backend that doesn't provide any user or group records, but does provide membership relationships for users of other backends.

When doing NSS emulation nss-systemd understands this: when returning a group record it will combine a specific userdb group record from one backend with the results of a matching GetMemberships() of *all* backends and return that as one "struct group" NSS record. Or in other words: .gr_name, .gr_passwd, .gr_gid are initialized from the group record JSON object, but .gr_mem is initialized from the combination of the results of all GetMemberships() IPC calls.

Lennart

--
Lennart Poettering, Berlin
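The merge rule Lennart describes, as an added model that is not part of the thread and not systemd's code: one backend supplies the group record (name, password field, GID), every backend is asked for memberships, and the union becomes `.gr_mem`. The method names mirror the real `io.systemd.UserDatabase` Varlink calls `GetGroupRecord()` and `GetMemberships()`, but the backends (`static`, `home`, `extra-memberships`), users and groups are constructed for the example and nothing here speaks Varlink. The third backend publishes no records at all, only membership relationships, which is the case Alexander's objection assumed userdb could not handle.

```python
"""Model of how nss-systemd assembles one NSS group record from userdb backends.

Constructed illustration (not systemd's code): the group record proper comes
from a single backend, while .gr_mem is the union of GetMemberships() answers
from every backend, including backends that publish no records of their own.
Backend names, users and groups below are made up; nothing talks Varlink.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Backend:
    """A userdb backend reduced to the two calls relevant here."""
    name: str
    # group name -> (gid, password field), i.e. what GetGroupRecord() would return
    groups: dict = field(default_factory=dict)
    # (user name, group name) pairs, i.e. what GetMemberships() would return
    memberships: set = field(default_factory=set)

    def get_group_record(self, group_name: str) -> Optional[dict]:
        """Stand-in for io.systemd.UserDatabase.GetGroupRecord()."""
        if group_name not in self.groups:
            return None
        gid, password = self.groups[group_name]
        return {"groupName": group_name, "gid": gid, "password": password}

    def get_memberships(self, group_name: str) -> set:
        """Stand-in for io.systemd.UserDatabase.GetMemberships(groupName=...)."""
        return {user for user, group in self.memberships if group == group_name}


@dataclass
class StructGroup:
    """The fields of the C 'struct group' that nss-systemd fills in."""
    gr_name: str
    gr_passwd: str
    gr_gid: int
    gr_mem: list


def lookup_group(group_name: str, backends: list) -> Optional[StructGroup]:
    """Combine one group record with memberships from all backends."""
    record = None
    for backend in backends:
        candidate = backend.get_group_record(group_name)
        if candidate is not None:
            # Model simplification: the first backend that knows the record wins.
            record = candidate
            break
    if record is None:
        return None  # no backend knows the group: NSS reports "not found"

    # Every backend is asked, whether or not it owns the record.
    members = set()
    for backend in backends:
        members |= backend.get_memberships(group_name)

    return StructGroup(
        gr_name=record["groupName"],
        gr_passwd=record["password"],
        gr_gid=record["gid"],
        gr_mem=sorted(members),
    )


# Constructed sample deployment (hypothetical backend names):
BACKENDS = [
    # /etc/group-style static records: owns "wheel" and lists root as a member
    Backend("static", groups={"wheel": (10, "x")}, memberships={("root", "wheel")}),
    # homed-style backend: knows that its user "lennart" is in "wheel", but does not own the group
    Backend("home", memberships={("lennart", "wheel")}),
    # membership-only backend: no user or group records at all, just relationships
    Backend("extra-memberships", memberships={("alice", "wheel")}),
]

if __name__ == "__main__":
    print(lookup_group("wheel", BACKENDS))
    print(lookup_group("nogroup", BACKENDS))
```

Running it shows `wheel` resolved with GID 10 from the static backend and `gr_mem` holding `alice`, `lennart` and `root`, one member from each backend; a group no backend owns resolves to "not found" even if some backend claims memberships in it.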