On 10.3.2015 16:55, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I would like to ask what is a purpose of a default user group - by
>>>>>> default ipausers? Default group is also a required field in ipa config.
>>>>>
>>>>> To be able to apply some (undefined) group policy to all users. I'm not
>>>>> aware that it has ever been used for this.
>>>>
>>>> I would also be interested in the use cases, especially given all the pain
>>>> we have with ipausers and large user bases. Especially that for current
>>>> policies (SUDO, HBAC, SELinux user policy), we always have other means to
>>>> specify "all users".
>>>
>>> yes, but those means usually specify both AD and IPA users, right?
>>>
>>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>>> only and not AD users.
>>
>> I always thought that "ipausers" is an equivalent of "domain users" in AD
>> world (compare with "Trusted domain users").
>>
>> In my admin life I considered "domain users" to be useful alias for real
>> authenticated user accounts (compare with "Everyone" = even unauthenticated
>> access, "Authenticated users" = includes machine accounts too.)
>>
>>
>> Moreover, getting rid of ipausers does not help with 'big groups problem' in
>> any way. E.g. at university you are almost inevitably going to have groups
>> like 'students' which will contain more than 90 % of users anyway.
> For what use we need this distinction in IPA itself?
> - ACI (permissions) have separate notion to describe
>   anonymous/any authenticated dichotomy
> - HBAC has 'all' category for users which in HBAC context means all
>   authenticated users
>
> Where else we would need ipausers other than default POSIX group which
> we are not using it for?

Ah, it is not a POSIX group? Too bad. I was using AD "domain users" for file
permissions so POSIX group equivalent is what I had in mind.

-- 
Petr^2 Spacek