Have a strange use case - this may be a mostly sssd.conf config question I think ...

I've got a high performance computing grid running in AWS. The front-end and user login nodes are managed IPA clients and things are working well even for the complex AD topology we have with lots of child-domains and transitive trusts to cross. I can login as "u...@nafta.company.com" just fine ...

What I'm trying to do is avoid having to make the HPC compute nodes into IPA clients because I expect them to auto-scale up and down in reaction to job load and I don't want to hammer my IPA server into submission, nor do I want to swamp the poor replication threads as they try to replicate all that info across the IPA server fleet.

I thought I could be clever ands scrape the IPA-provided UID and GID values and use those numbers to create local account entries on the remote compute node fleet. The login/master nodes would be "IPA integrated" while the compute nodes would have skeletal /etc/passwd and /etc/group files populated with data I stole from IPA...

However it turns out Linux really hates usernames with "@" in them and refuses to let me make accounts. So I can't recreate "u...@nafta.company.com" on my remote compute fleet. The presence of the "@" symbol in my user ID simply breaks on any host that is not an IPA client.

And it turns out even Grid Engine commands won't run with "@" in the active user name so core HPC binaries like "qrsh" and "qlogin" are busted.

So I'm in a bit of a catch-22 situation:

- I want to avoid using IPA on my elastic compute fleet if possible to avoid thrashing the IPA masters and replication - However I can't fake local user accounts with matching UID/GID values on the fleet because Linux hates the "@" character in usernames

This may be a dumb sssd.conf question but is there a way that I can configure sssd.conf on my IPA clients to utterly and totally strip out the long domain name from the user?

I want to map:



.. just on my IPA enrolled HPC edge nodes I don't care if they have to *login* using the fully qualified AD domain (that may be best anyway) but I want the local OS to just use the short username if at all possible.

If I can get the IPA_enrolled login node to use pure short names than I can fake those short names across the HPC cluster and I think things will be sorted ...

Hope this makes sense! Any tips or hints appreciated. If I can't sort this out quickly I'm probably just going to bite the bullet and script in IPA-enroll, re-enroll and un-enroll actions into my auto-scaling stuff. I really want to avoid that if at all possible.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to