On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> In MIT land, one can potentially have multiple instances tied (by
> convention) to a given user (that is, that administratively one knows
> are the same set of eyeballs). For example, I might have my normal
> user (hile), and I might have another distinct MIT principal
> hile/admin used when I’m doing administrative work in the kerb
> database, or potentially yet another hile/vpn for remote access. Only
> the first of these is a ‘real’ user that needs to have a uid, gid,
> home directory, and shell; the others are just Kerberos principals
> that might have differing password policies applied to them. In
> FreeIPA, it appears all Kerberos principals are tied to a user (or to
> a host in the case of host/ or another service definition). Is it
> possible to define a non-POSIX user? There is no good reason for
> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
> log in directly using that principal.
Early on when we created FreeIPA we decided against providing alternative principals for the same user, as it made things a lot more complex for little gain. To this day we still do not support them.

Keep in mind that adding a principal is not the whole story; once you do that you probably still want to associate it to some user, assign privileges, and allow alternative principal names to ssh into some machines, which means distributing k5login files or providing explicit support in the new aname2lname plugin. To do all this means adding new objects and configuration facilities to handle these special non-users; we haven't yet found enough benefit in adding support for these to warrant the work involved.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
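For readers who want to see what the "distributing k5login files" cost in Simo's reply actually looks like, here is the plain MIT Kerberos way of letting hile/admin@MY.REALM log in as the POSIX user hile, without FreeIPA managing any of it. This is an added example written for this page, not FreeIPA or MIT project code; it assumes the realm MY.REALM and the principals from Coy's question (hile, hile/admin), and it assumes the hile/admin principal already exists in the KDC (the mapping below does not create it). The auth_to_local rule is the standard MIT RULE syntax, and the .k5login file is the per-user alternative. Each host that should accept the alternative principal needs one or the other, which is exactly the distribution problem the reply describes.

```ini
# Added example, not FreeIPA or MIT project code. Assumes realm MY.REALM
# and the principals hile@MY.REALM and hile/admin@MY.REALM from the thread.

# --- Option 1: host-wide mapping in /etc/krb5.conf ----------------------
# auth_to_local rules are tried in order; the first rule that matches wins.
[realms]
    MY.REALM = {
        # [2:$1;$2] only applies to principals with exactly two components
        # and builds the match string "component1;component2", so
        # hile/admin@MY.REALM becomes "hile;admin". That matches
        # (^.*;admin$), and s/;admin$// strips the instance, leaving the
        # local name "hile". hile/vpn would NOT match this rule.
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        # Everything else gets the default mapping: a single-component
        # principal in the local realm maps to the same local name.
        auth_to_local = DEFAULT
    }

# --- Option 2: per-user mapping in ~hile/.k5login -----------------------
# One principal per line; the file must be owned by hile and not writable
# by others or it is ignored.
# CAVEAT: once .k5login exists it is the complete allow-list for logging
# in as hile, so the primary principal must be listed explicitly too.
hile@MY.REALM
hile/admin@MY.REALM
```

Either option only solves the login-name mapping on hosts where it is deployed; it does nothing for the privilege assignment or the FreeIPA user association that the reply lists as the other missing pieces. The krb5.conf route keeps the policy in one root-owned file per host, while .k5login puts it in a user-controlled file, which is worth checking during an audit since a user can add any principal they like there.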