On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> In MIT land, one can potentially have multiple instances tied (by
> convention) to a given user (that is, that administratively one knows
> are the same set of eyeballs).  For example, I might have my normal
> user (hile), and I might have another distinct MIT principal
> hile/admin used when I’m doing administrative work in the kerb
> database, or potentially yet another hile/vpn for remote access.  Only
> the first of these is a ‘real’ user that needs to have a uid, gid,
> home directory, and shell; the others are just Kerberos principals
> that might have differing password policies applied to them.  In
> FreeIPA, it appears all kerberos principals are tied to a user (or to
> a host in the case of host/ or another service definition). Is it
> possible to define a non-posix user?  There is no good reason for
> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
> login directly using that principal.

Early on when we created FreeIPA we decided against providing
alternative principals for the same user as it made things a lot more
complex for little gain. To this day we still do not support them.

Keep in mind that adding a principal is not the whole story, once you do
that  then you probably still want to associate it to some user, and
assign privileges and allow alternative principal names to ssh into some
machines, which means distributing k5login files or providing explicit
support in the new aname2lname plugin.

To do all this means adding new objects and configuration facilities to
handle these special non-users, we haven't yet found enough benefit in
adding support for these to warrant the work involved.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to