On Tue, 2015-04-07 at 14:16 +0000, coy.h...@coyhile.com wrote:
> Quoting Simo Sorce <s...@redhat.com>
> > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> >> In MIT land, one can potentially have multiple instances tied (by
> >> convention) to a given user (that is, that administratively one knows
> >> are the same set of eyeballs).  For example, I might have my normal
> >> user (hile), and I might have another distinct MIT principal
> >> hile/admin used when I’m doing administrative work in the kerb
> >> database, or potentially yet another hile/vpn for remote access.  Only
> >> the first of these is a ‘real’ user that needs to have a uid, gid,
> >> home directory, and shell; the others are just Kerberos principals
> >> that might have differing password policies applied to them.  In
> >> FreeIPA, it appears all kerberos principals are tied to a user (or to
> >> a host in the case of host/ or another service definition). Is it
> >> possible to define a non-posix user?  There is no good reason for
> >> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
> >> login directly using that principal.
> >
> > Early on when we created FreeIPA we decided against providing
> > alternative principals for the same user as it made things a lot more
> > complex for little gain. To this day we still do not support them.
> >
> > Keep in mind that adding a principal is not the whole story, once you do
> > that  then you probably still want to associate it to some user, and
> > assign privileges and allow alternative principal names to ssh into some
> > machines, which means distributing k5login files or providing explicit
> > support in the new aname2lname plugin.
> >
> > To do all this means adding new objects and configuration facilities to
> > handle these special non-users, we haven't yet found enough benefit in
> > adding support for these to warrant the work involved.
> >
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
> I guess that makes sense. Is it possible to add a user that simply
> doesn't have the posix attributes defined? In the particular case of
> */admin, I would expect that user to login to the ipa ui or to be
> kinit'd to prior to running ipa administrative commands, but I should
> hope that it should never login directly.
> Does that question make more sense?

It does, but we do not have such a feature, sorry.


Simo Sorce * Red Hat, Inc * New York
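As an added illustration (not from this thread and not FreeIPA configuration), this is what the two mechanisms Simo names look like when they are managed by hand in plain MIT Kerberos: the aname2lname mapping (the `auth_to_local` rules in krb5.conf) and, as the alternative, a per-user `.k5login`. The realm MY.REALM and the principals hile and hile/admin are taken from the question; the KDC hostname is assumed.

```ini
# /etc/krb5.conf fragment on a client host (added example, not from FreeIPA).
# The aname2lname step decides which local account a principal may become;
# the KDC itself knows nothing about uid/gid, so hile/admin needs no POSIX data.
[libdefaults]
    default_realm = MY.REALM

[realms]
    MY.REALM = {
        # assumed hostname
        kdc = kdc.my.realm
        admin_server = kdc.my.realm
        # Map any two-component principal whose second component is "admin"
        # (hile/admin@MY.REALM) to its first component (hile). The RULE syntax
        # and this pattern follow the MIT krb5.conf documentation.
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        # Single-component principals in the default realm map to themselves
        # (hile@MY.REALM -> hile); any other principal fails to map.
        auth_to_local = DEFAULT
    }
```

The alternative Simo mentions is a `~hile/.k5login` on every host listing `hile@MY.REALM` and `hile/admin@MY.REALM`, one per line; when that file exists it is authoritative by default and the mapping rules are not consulted, which is why it has to be distributed to each machine. If the policy is the one in the question (hile/admin is only ever used for kinit before running admin commands and must never log in), leave the RULE out and make sure no `.k5login` lists it: `DEFAULT` maps only single-component principals of the default realm, so hile/admin@MY.REALM maps to no local user and the login is refused. FreeIPA does not generate or manage either file, which is the gap the thread describes.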

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
