On Thu, 2012-01-05 at 16:20 -0500, Sylvain Angers wrote:
> Hello
>
> We have a mixed environment of AIX and Linux servers.
> All our user accounts are still set locally - no NIS, and we do not
> have unique uid/gid across our hosts!!!
> I am evaluating the possibility of using Red Hat Identity Management in
> our environment.
> I have to figure out what AIX will be able to support - we would at
> least want to be able to limit who could access what on AIX,
> so if you have dealt with AIX, let me know.
>
> But here is my main question:
>
> My question is how do I deal with our current local users?
> When user DAVE gets FreeIPA id 10000000567, do you have to chown every
> file he has on a local machine while he might have uid/gid 501?

Are your usernames aligned? If so you can do the migration in steps.

Start with creating a FreeIPA server with all your users named the same as what you are currently using on your machines. Also, if you have a majority of machines that use the same name<->uid mapping, you may think of forcing the same name<->uid mapping in FreeIPA, but unless you have a substantial number of machines that agree on all uids it is probably much better to have a clean break against all machines, so that you are not tricked on machines where only a subset matches.

Once you have the server up you can start unifying just the authentication part by enabling Kerberos authentication for your local users on the AIX machine but still using the local accounts for uid/gid purposes.

Once login is unified on Kerberos you can go and convert one machine at a time to use LDAP instead of local files and perform the necessary uid changes on file ACLs.

For groups I'd be more careful. The problem there is that if you have different groupings on different machines, just assuming groups are the same because they have the same name may open up security issues. One way to handle that would be to deprecate all old groups and create new groups in FreeIPA with names that do not match any of the local groups you currently have, then determine a policy to reassign group permissions on files within the next year, slowly phasing out local groups.

> I guess we will have to bite the bullet and have a unique id for every
> user - right?

In the long term yes, but above I gave you a way to at least have a migration that you can handle over a period of time instead of having to change all your machines in one night.

> Is there a simple migration plan from local to FreeIPA?

UID/GID migrations unfortunately are never simple. I have been involved with these issues for years and there are no magic bullets, but there are ways to mitigate the impact of a migration so that it becomes manageable at least.

One more piece of advice: verify if you are using NFS anywhere, because each machine connected to an NFS server becomes part of a "virtual cluster" that needs to either be broken or converted all at the same time, making migrations suddenly a bit more difficult.

> Do we have to migrate one account at a time, so if an account does not
> exist locally, it will check remote?

This depends very much on how AIX manages to discover users. On Linux, depending on the nsswitch.conf order of databases, a local user can prevail over a remote one, but I do not recall how that works with AIX, which uses LAM modules (IIRC).

> I am missing the big picture

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
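As an added example (not code from the thread or from FreeIPA), a small Python helper for the "convert one machine at a time" step above: it computes the old-to-new uid map for one machine by matching usernames in its local /etc/passwd against the uids FreeIPA assigned, reports local-only accounts that cannot be remapped, and turns a file-ownership inventory snapshot into a reviewable chown plan. All usernames, uids and paths are constructed samples.

```python
"""Plan the uid remap for one machine during a local-to-FreeIPA migration.

Inputs (all constructed samples, not from any real system):
  LOCAL_PASSWD   - lines in /etc/passwd format from the machine being converted
  IPA_UIDS       - username -> uid as assigned by the FreeIPA server
  FILE_INVENTORY - (path, owner_uid) pairs captured BEFORE any chown, e.g. from
                   `find / -xdev -printf '%p %U\\n'` on Linux
Working from one inventory snapshot matters: if the map contained 501->502 and
502->503, chowning live would move dave's files twice. The snapshot avoids that.
"""
import shlex

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dave:x:501:501:Dave:/home/dave:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
build:x:503:503:Build svc:/var/build:/sbin/nologin
"""

IPA_UIDS = {"dave": 10000000567, "alice": 10000000568}  # constructed values

FILE_INVENTORY = [  # constructed snapshot of (path, numeric owner uid)
    ("/home/dave/.profile", 501),
    ("/home/alice/notes.txt", 502),
    ("/var/build/out.bin", 503),
    ("/etc/passwd", 0),
]


def build_uid_map(passwd_text, ipa_uids):
    """Return ({old_uid: new_uid}, [usernames with no FreeIPA account])."""
    uid_map, unmapped = {}, []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        old = int(uid)
        if name not in ipa_uids:
            unmapped.append(name)       # local-only account: leave its files alone
        elif ipa_uids[name] != old:     # identical uid needs no chown at all
            uid_map[old] = ipa_uids[name]
    return uid_map, unmapped


def chown_plan(inventory, uid_map):
    """One `chown -h` per file whose owner is remapped; -h keeps symlinks intact."""
    return [f"chown -h {uid_map[uid]} {shlex.quote(path)}"
            for path, uid in inventory if uid in uid_map]


if __name__ == "__main__":
    mapping, leftover = build_uid_map(LOCAL_PASSWD, IPA_UIDS)
    print("not in FreeIPA, untouched:", leftover)
    print("\n".join(chown_plan(FILE_INVENTORY, mapping)))
```

Review the emitted plan before running it; accounts listed as unmapped (here root and the build service account) are the ones that still need a decision rather than a blind chown.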
