On Sat, 13 Mar 2021, lejeczek via FreeIPA-users wrote:


On 13/03/2021 08:23, Alexander Bokovoy wrote:
On Fri, 12 Mar 2021, lejeczek via FreeIPA-users wrote:
Hi guys.

When integrating Samba with 'ipa-adtrust-install' the process asks:

Do you want to run the ipa-sidgen task?

I wonder why that is optional?
Every subsequent run of 'ipa-adtrust-install', or when repeated on other masters, does not pause with that question.

If you have a lot of entries, running this task will take a lot of
resources. It is better to have this done at the moment where you have planned it to be done, maybe on the replica you designed it to do on.


Thanks. It's business logic of the whole thing which puzzles me a bit - are SIDs (and all that 'ipa-sidgen' does) not absolutely essential for Samba (and the rest) to work?

SIDs are essential for SMB protocol and MS-PAC extensions of Kerberos
tickets.

We decided to make sure system administrators give explicit consent for
a potentially disrupting sidgen task. In busy massive deployments it
matters more than denying access to services which aren't deployed yet.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland