Quoting Simo Sorce <s...@redhat.com>

On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
In MIT land, one can potentially have multiple instances tied (by
convention) to a given user (that is, that administratively one knows
are the same set of eyeballs).  For example, I might have my normal
user (hile), and I might have another distinct MIT principal
hile/admin used when I’m doing administrative work in the kerb
database, or potentially yet another hile/vpn for remote access.  Only
the first of these is a ‘real’ user that needs to have a uid, gid,
home directory, and shell; the others are just Kerberos principals
that might have differing password policies applied to them.  In
FreeIPA, it appears all kerberos principals are tied to a user (or to
a host in the case of host/ or another service definition). Is it
possible to define a non-posix user?  There is no good reason for
hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
login directly using that principal.

Early on when we created FreeIPA we decided against providing
alternative principals for the same user as it made things a lot more
complex for little gain. To this day we still do not support them.

Keep in mind that adding a principal is not the whole story, once you do
that  then you probably still want to associate it to some user, and
assign privileges and allow alternative principal names to ssh into some
machines, which means distributing k5login files or providing explicit
support in the new aname2lname plugin.

To do all this means adding new objects and configuration facilities to
handle these special non-users, we haven't yet found enough benefit in
adding support for these to warrant the work involved.


Simo Sorce * Red Hat, Inc * New York

I guess that makes sense. Is it possible to add a user that simply doesn't have the posix attributes  defined? In the particular case of */admin, I would expect that user to login to the ipa ui or to be kinit'd to prior to running ipa administrative commands, but I should hope that it should never login directly. 

Does that question make more sense? 

Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone

-------- Original message --------
From: Simo Sorce <s...@redhat.com>
Date:04/07/2015  08:52  (GMT-05:00)
To: coy.h...@coyhile.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating arbitrary users?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to