On Fri, 2014-04-18 at 13:39 +0200, Sumit Bose wrote:
> Hi Simo,
>
> Thank you for the comments. So it looks like supporting legacy setups
> where a single user has different POSIX IDs on different servers is a
> use case we want to support. It's fine by me, nevertheless I think it is
> bad admin practice to keep this kind of setup running and do a proper
> migration.

Much, *much* easier said than done. I have been in this situation with
customers before; once you have enough machines cross-sharing disks over
NFS, it is almost impossible to do without taking the whole set offline
for days or weeks.

> > Clearly this is an administration mistake, and not something we should try
> > to address.
> >
> > Use different groups for HBAC and UID views, period.
>
> If you really think it should be done this way we should make them
> different group types like hbac_hostgroups and view_hostsgroups (do we
> need sudo_hostgroups as well :-?).

No, we shouldn't :)

> Seriously, I think the purpose of the
> hostgroups is to collect hosts with the same profile to allow easy
> management so that when a new host with the same profile is created it
> has to be put in only one group and automatically get the right HBAC and
> sudo rules, the right view etc.

Sure, but you will need additional groups if your HBAC access profile and
your views profile do not match. I think in practice hosts using different
views will be isolated islands, and the chance that you want to reuse the
hostgroup that defines the view for HBAC and that the two sets of groups are
not identical, or HBAC is a subset of the view group, will be negligible.
I am confident admins understand how to deal with these cases.

> > > I think the best way to solve this is to say that in all views the UID
> > > will be the same.
> >
> > Absolutely not, it would completely defeat the point of having views.
> >
> > > If the override UID is set the AD user will get this
> > > UID. If the override UID is not set then it depends on the AD settings.
> >
> > This is correct.
> >
> > > If a UID is set in AD the user will get this one from AD if not he will
> > > have none at all, which is fine for the web apps use-case.
> >
> > If there is none and SSSD does automatic mapping, then that's what SSSD
> > will set.
>
> As mentioned before we decided some time ago to not mix manual and
> automatic (algorithmic) mapping for the same domain. If we want to
> change this it might result in additional effort on the SSSD side. But
> as said before I do not see a problem to support users without POSIX IDs.

See my reply to Dmitri, the solution needs to be tackled on the IPA server
not in SSSD for this, IMO.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
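The UID precedence the thread settles on (view override, then the POSIX attribute stored in AD, then SSSD's computed ID, else no POSIX ID), together with the "do not mix manual and algorithmic mapping in one domain" caveat, as an added model in Python. This is illustration written for this page, not FreeIPA or SSSD code; every class, function and number in it is hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class Domain:
    name: str
    algorithmic_mapping: bool   # SSSD computes IDs from SIDs for this domain
    base_id: int = 200000       # start of the computed-ID range (hypothetical)
    range_size: int = 200000


@dataclass
class ADUser:
    sam: str
    rid: int                          # relative identifier from the user's SID
    domain: Domain
    uid_number: Optional[int] = None  # uidNumber attribute kept in AD, if any


@dataclass
class IDView:
    name: str
    uid_overrides: Dict[str, int] = field(default_factory=dict)


def algorithmic_uid(user: ADUser) -> Optional[int]:
    """Simplified SSSD-style computed ID (base plus RID); None if the domain
    is not mapped algorithmically or the RID is outside the range."""
    if not user.domain.algorithmic_mapping or user.rid >= user.domain.range_size:
        return None
    return user.domain.base_id + user.rid


def effective_uid(user: ADUser, view: Optional[IDView]) -> Optional[int]:
    """UID a host applying `view` sees for `user`, in the precedence the mail
    states: view override, then AD attribute, then computed ID, else none."""
    if view is not None and user.sam in view.uid_overrides:
        return view.uid_overrides[user.sam]
    if user.uid_number is not None:
        return user.uid_number
    return algorithmic_uid(user)   # None here means "no POSIX ID" (web-app case)


def mixed_mapping(users: Iterable[ADUser]) -> bool:
    """The case Sumit asks to avoid: a domain that computes IDs for some users
    while others carry manually set uidNumber attributes."""
    return any(u.domain.algorithmic_mapping and u.uid_number is not None for u in users)
```

A host outside any view (`view=None`) simply falls through to the AD attribute or the computed ID, which is the behaviour the thread describes for the non-override case.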