On Thu, 2012-03-29 at 15:25 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2012-03-29 at 11:27 -0400, Rob Crittenden wrote:
> >>> This patch is much better and covers my previous concerns. I just
> >> find
> >>> an issue with UPG. It is not created for non-posix users when UPGs
> >> are
> >>> enabled:
> >>>
> >>> # echo "Secret123" | ipa migrate-ds ldap://ldap.example.com
> >>> --with-compat --base-dn="dc=greyoak,dc=com"
> >>> -----------
> >>> migrate-ds:
> >>> -----------
> >>> Migrated:
> >>>     user: darcee_leeson, ayaz_kreiger, mnonposix, mollee_weisenberg
> >>>     group: ipagroup
> >>> Failed user:
> >>> Failed group:
> >>> ----------
> >>> Passwords have been migrated in pre-hashed format.
> >>> IPA is unable to generate Kerberos keys unless provided
> >>> with clear text passwords. All migrated users need to
> >>> login at https://your.domain/ipa/migration/ before they
> >>> can use their Kerberos accounts.
> >>>
> >>> # ipa user-show mnonposix
> >>>     User login: mnonposix
> >>>     First name: Mister
> >>>     Last name: Nonposix
> >>>     Home directory: /home/mnonposix
> >>>     Login shell: /bin/sh
> >>>     UID: 328000195
> >>>     GID: 328000195
> >>>     Org. Unit: Product Testing
> >>>     Job Title: Test User
> >>>     Account disabled: False
> >>>     Password: True
> >>>     Member of groups: ipausers
> >>>     Kerberos keys available: False
> >>>
> >>> # ipa group-show mnonposix
> >>> ipa: ERROR: mnonposix: group not found
> >>
> >> Yes, I was always disabling UPG. I now allow it when migrating a
> >> non-POSIX user.
> >
> > by this you mean you are now transforming a non-POSIX user into a POSIX
> > user ?
> >
> > What happen if someone has both POSIX and non-POSIX users on a server,
> > do you mix them ?
> 
> The existing POSIX users are migrated as-is, non-POSIX users become full 
> IPA users with UPG.
> 
> > I have the feeling we need an explicit flag to convert a non-POSIX user
> > ->  POSIX user, because that doesn't look to me like something people
> > want to do by default.
> 
> What makes you say that?

Well if I had non-POSIX users in my directory they would be some sort of
addressbook, and I certainly wouldn't want them converted into posix
users in freeipa.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to