> You *could* build a system that can work w/o synchronization, if you
> carefully restrict what protocols and applications you use (think about
> distributed filesystems) although you'd still need a local persistent map at
> least. Backups and restore to other machines would need to be done
> carefully though, and so on.

I'm not suggesting that POSIX machines stop using UIDs internally. The local
persistent map to a machine dependent representation will be necessary. It will
also be necessary on Windows machines. And on mobile platforms. And within web
applications. The shared items (principal names) would be common to all OSes
and platforms though.
People trying to create heterogeneous environments are already carefully
restricting protocols and applications to those which don't require sharing a
UID map. File sharing via: Samba/CIFS, NFSv4, WebDAV, sftp (and
sshfs (Linux)/swish (Windows)). Logging into multiple machines has never involved
knowing your UID, and ssh key pairs make it more or less effortless to execute
commands on another machine whether or not your username is the same, much less
your UID. Kerberos SSO is more or less the same, but ensures that a common set
of identities is recognized.

Ideally, if realm admins delegate authorization to the individual machines, the
machines (regardless of OS) should be capable of functioning with only Kerberos
authentication and without any centralized directory services. Minimal
directory services could add group definitions via LDAP. A full AD/IPA solution
would be needed to centralize authorization and/or enforce policy. Yet I still
am not seeing the requirement for new deployments of cross-platform
environments to manage internal user representations for a single OS.

> However there are also issues with operations like 'renames', what happens
> when you change a user name or a group name? You do not want to lose
> access to files when that happens, so you still need a unique identifier that
> is not the everyday name (or forbid renames).

Presumably, you also would not want your Windows users to lose access to files
after a rename, and Windows doesn't use UIDs. You also would not want to lose
access to web apps, which do not use UIDs. You also don't want stale usernames
to be sitting in access control lists (filesystem based or web app based).
Retaining UIDs does nothing to make renaming more acceptable, because principal
names are a realm-wide platform independent property, and UIDs are not.

> This is not an exhaustive list of course, and every problem can be probably
> worked around one way or another, however at the moment it is still "easier"
> to synchronize IDs than not ...

As I see it, for a cross-platform environment, every problem must be worked
around regardless of whether you have to synchronize UIDs. Managing UIDs is
just more work at the end, and it might be busywork. Determining whether it's
busywork or not may make a good thesis topic. :)
It makes a good thesis topic because the central question is paradigm shifting:
Draw a line between realm-wide properties and local machine representations of
those properties, and ask "Can each machine be made responsible for performing
its own localizations for internal bookkeeping purposes?" This would seem to
be of particular interest to the type of crowd which would download and use a
FreeIPA/sssd solution, but it may not be something they have the time to pursue.
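To make the "local persistent map" concrete, here is an added example (not code from this thread, FreeIPA or sssd) of a per-machine map from Kerberos principal name to a machine-local UID: each host hashes the realm into a disjoint UID range and allocates within it, so two hosts localize the same principal to different UIDs while agreeing on the realm-wide name, and a principal rename keeps the local UID. The range constants, the JSON file layout and the realm-hashing scheme are assumptions for illustration only.

```python
import hashlib
import json
import os
import tempfile

RANGE_BASE, RANGE_SIZE = 1_000_000, 200_000  # assumed local policy: base UID, UIDs per realm


class LocalIdMap:
    # per-machine persistent map: Kerberos principal name -> machine-local UID
    def __init__(self, path):
        self.path, self.by_principal, self.next_in_realm = path, {}, {}
        if os.path.exists(path):
            with open(path) as f:
                state = json.load(f)
            self.by_principal, self.next_in_realm = state["by_principal"], state["next_in_realm"]

    def _save(self):
        with open(self.path, "w") as f:
            json.dump({"by_principal": self.by_principal, "next_in_realm": self.next_in_realm}, f)

    def uid_for(self, principal):
        """Return the local UID for a principal, allocating one on first sight."""
        if principal in self.by_principal:
            return self.by_principal[principal]
        realm = principal.split("@", 1)[1].upper()  # the realm-wide part of the name
        slot = int(hashlib.sha256(realm.encode()).hexdigest(), 16) % 1000  # 1 of 1000 local ranges
        offset = self.next_in_realm.get(realm, 0)  # sequential allocation inside that range
        if offset >= RANGE_SIZE:
            raise RuntimeError(f"local UID range for {realm} exhausted")
        self.next_in_realm[realm] = offset + 1
        uid = RANGE_BASE + slot * RANGE_SIZE + offset
        self.by_principal[principal] = uid
        self._save()
        return uid

    def rename(self, old, new):
        """Principal renamed realm-wide: the local UID, and so file ownership, is kept."""
        self.by_principal[new] = self.by_principal.pop(old)
        self._save()
        return self.by_principal[new]


def demo():
    """Two hosts localize the same principals independently and survive a rename."""
    with tempfile.TemporaryDirectory() as d:  # constructed sample: two hosts' map files
        a = LocalIdMap(os.path.join(d, "host-a.json"))
        b = LocalIdMap(os.path.join(d, "host-b.json"))
        a_alice, a_bob = a.uid_for("alice@EXAMPLE.COM"), a.uid_for("bob@EXAMPLE.COM")
        b_bob = b.uid_for("bob@EXAMPLE.COM")  # host B saw bob first: a different local UID
        renamed = a.rename("alice@EXAMPLE.COM", "alice.smith@EXAMPLE.COM")
        reopened = LocalIdMap(a.path).uid_for("alice.smith@EXAMPLE.COM")  # survives reload
        return {"uids_differ": a_bob != b_bob, "rename_keeps_uid": renamed == a_alice == reopened}
```

Only the principal name is meaningful across hosts; when an ACL entry is exported to another machine it is the name, not the local UID, that travels.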