On 07/31/2014 04:45 PM, Baird, Josh wrote:
I want to add that IPA is working on the concept of views. This means
that once it is implemented you would be able to have UID/GID in IPA and
users in AD.
I wouldn't recommend duplicating your users, pick one and use that. If you
want to be able to manage your users, groups, HBAC, sudo, etc.
centrally then you'll want the users in IPA. But if you leave them locally you
may end up with corner case problems.
If you *do* end up adding your local users to IPA then yeah, you've got a
decision to make. Either you use the existing UID/GID which is probably fine
(though you may want to look at adding a local range) or you let IPA assign a
new UID from its own range, then you have to quickly change file ownership
on all enrolled systems.
Well, the users are definitely going to be in IPA (or AD via IPA). However,
they *will* exist in both IPA and locally during the migration period. If they
have the same UID/GIDs in both places (local and IPA), then I will need to
prefer IPA to 'files' in nsswitch.conf. The main reason I want to duplicate
the local UID/GIDs in IPA is to retain file permissions.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
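
Added example, not part of the original thread: a pre-migration check for the situation discussed above, where users exist both locally and in IPA and IPA is preferred over 'files' in nsswitch.conf. It compares passwd-format entries from both sources and flags accounts whose file ownership would change or resolve to a different user. The sample data, the `min_uid` cutoff of 1000, and the function names are assumptions made for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "name uid gid")

def parse_passwd(text):
    """Parse passwd(5)-format lines into {name: Entry}; skip blanks, comments, bad lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        entries[fields[0]] = Entry(fields[0], int(fields[2]), int(fields[3]))
    return entries

def compare(local, ipa, min_uid=1000):
    """Classify each local non-system account against the IPA entries."""
    ipa_by_uid = {e.uid: e.name for e in ipa.values()}
    report = {"match": [], "mismatch": [], "uid_collision": [], "local_only": []}
    for name, loc in sorted(local.items()):
        if loc.uid < min_uid:
            continue  # assumed cutoff: system accounts stay in 'files'
        owner = ipa_by_uid.get(loc.uid)
        if owner is not None and owner != name:
            # Files owned by this local UID would resolve to a different IPA user.
            report["uid_collision"].append((name, loc.uid, owner))
        if name not in ipa:
            report["local_only"].append(name)
        elif (ipa[name].uid, ipa[name].gid) == (loc.uid, loc.gid):
            report["match"].append(name)  # ownership is retained as-is
        else:
            # IPA assigned different IDs: files need a chown on enrolled systems.
            report["mismatch"].append(
                (name, (loc.uid, loc.gid), (ipa[name].uid, ipa[name].gid)))
    return report

# Constructed sample data (not taken from the thread).
LOCAL = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash"""
IPA = """alice:*:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1234500001:1234500001:Bob:/home/bob:/bin/bash
erin:*:1003:1003:Erin:/home/erin:/bin/bash"""

if __name__ == "__main__":
    for kind, items in compare(parse_passwd(LOCAL), parse_passwd(IPA)).items():
        print(kind, items)
```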