> You *could* build a system that can work w/o synchronization, if you
> carefully restrict what protocols and applications you use (think about
> distributed filesystems) although you'd still need a local persistent map at
> least. Backups and restore to other machines would need to be done
> carefully though, and so on.

I'm not suggesting that POSIX machines stop using UIDs internally. The local 
persistent map to a machine dependent representation will be necessary. It will 
also be necessary on Windows machines. And on mobile platforms. And within web 
applications. The shared items (principal names) would be common to all OSes 
and platforms though.

People trying to create heterogeneous environments are already carefully 
restricting protocols and applications to those which don't require sharing a 
UID map. File sharing via: Samba/CIFS, NFSv4, WebDAV, sftp (and 
sshfs(linux)/swish(Windows)). Logging into multiple machines has never involved 
knowing your UID, and ssh key pairs makes it more or less effortless to execute 
commands on another machine whether or not your username is the same, much less 
your UID. Kerberos SSO is more or less the same, but ensures that a common set 
of identities are recognized.

Ideally, if realm admins delegate authorization to the individual machines, the 
machines (regardless of OS) should be capable of functioning with only Kerberos 
authentication and without any centralized directory services. Minimal 
directory services could add group definitions via LDAP. A full AD/IPA solution 
would be needed to centralize authorization and/or enforce policy. Yet I still 
am not seeing the requirement for new deployments of cross-platform 
environments to manage internal user representations for a single os.

> However there are also issues with operations like 'renames', what happen
> when you change a user name or a group name ? You do not want to lose
> access to files when that happen, so you still need a unique identifier that 
> is
> not the everyday name (or forbid renames).

Presumably, you also would not want your Windows users to lose access to files 
after a rename, and Windows doesn't use UIDs. You also would not want to lose 
access to web apps, which do not use UIDs. You also don't want stale usernames 
to be sitting in access control lists (filesystem based or web app based). 
Retaining UIDs does nothing to make renaming more acceptable, because principal 
names are a realm-wide platform independent property, and UIDs are not.

> This is not an exhaustive list of course, and every problem can be probably
> worked around one way or another, however at the moment it is till "easier"
> to synchronize IDs than not ...

As I see it, for a cross-platform environment, every problem must be worked 
around regardless of whether you have to synchronize UIDs. Managing UIDs is 
just more work at the end, and it might be busywork. Determining whether it's 
busywork or not may make a good thesis topic. :)

It makes a good thesis topic because the central question is paradigm shifting: 
Draw a line between realm-wide properties and local machine representations of 
those properties, and ask "Can each machine be made responsible for performing 
their own localizations for internal bookkeeping purposes?" This would seem to 
be of particular interest to the type of crowd which would download and use a 
FreeIPA/sssd solution, but it may not be something they have the time to pursue.


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Freeipa-users mailing list

Reply via email to