> Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> they *will* exist in both IPA and locally during the migration period.  If 
> they
> have the same UID/GIDs in both places (local and IPA), then I will need to
> prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate 
> the
> local UID/GID's in IPA is to retain file permissions.

The initial state and final state of your domain is identical to the initial 
and final states of each individual machine. The transition period is composed 
of some machines being migrated and some machines not migrated yet. Those which 
are not migrated yet have the users in /etc/passwd and have no knowledge of 
ipa. Those which are migrated should get users from ipa and the duplicate users 
purged out of /etc/passwd. Setting up a machine with ipa and forgetting to 
delete the users out of /etc/passwd is probably asking for trouble.

This is a separate problem from keeping UIDs the same or not. If you've got NFS 
set up, you need to either simultaneously migrate all the machines which share 
files, or you need to keep UIDs/GIDs the same so you can migrate individual 
machines at your leisure. Separately, you need to tradeoff how much work it is 
to configure FreeIPA to just continue with your current scheme (set it up to 
allocate UIDs picking up where you left off) vs. "find and chown" files on all 
your machines as part of the migration process. If neither option sounds 
attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA 
block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to