On Tue, 2015-04-07 at 14:16 +0000, [email protected] wrote:
> Quoting Simo Sorce <[email protected]>
>
>> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
>>> In MIT land, one can potentially have multiple instances tied (by
>>> convention) to a given user (that is, that administratively one knows
>>> are the same set of eyeballs). For example, I might have my normal
>>> user (hile), and I might have another distinct MIT principal
>>> hile/admin used when I'm doing administrative work in the kerb
>>> database, or potentially yet another hile/vpn for remote access. Only
>>> the first of these is a 'real' user that needs to have a uid, gid,
>>> home directory, and shell; the others are just Kerberos principals
>>> that might have differing password policies applied to them. In
>>> FreeIPA, it appears all Kerberos principals are tied to a user (or to
>>> a host in the case of host/ or another service definition). Is it
>>> possible to define a non-POSIX user? There is no good reason for
>>> hile/[email protected] to have a uidNumber or gidNumber; one should never
>>> login directly using that principal.
>>
>> Early on when we created FreeIPA we decided against providing
>> alternative principals for the same user as it made things a lot more
>> complex for little gain. To this day we still do not support them.
>>
>> Keep in mind that adding a principal is not the whole story; once you do
>> that, then you probably still want to associate it to some user, and
>> assign privileges and allow alternative principal names to ssh into some
>> machines, which means distributing k5login files or providing explicit
>> support in the new aname2lname plugin.
>>
>> To do all this means adding new objects and configuration facilities to
>> handle these special non-users; we haven't yet found enough benefit in
>> adding support for these to warrant the work involved.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> I guess that makes sense. Is it possible to add a user that simply
> doesn't have the POSIX attributes defined? In the particular case of
> */admin, I would expect that user to login to the IPA UI or to be
> kinit'd to prior to running ipa administrative commands, but I should
> hope that it should never login directly.
>
> Does that question make more sense?

It does, but we do not have such a feature, sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
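For readers unfamiliar with the mechanism Simo refers to ("distributing k5login files or providing explicit support in the new aname2lname plugin"), the following krb5.conf fragment is an added illustration, not from the thread or from FreeIPA, of how plain MIT Kerberos decides which local account an alternative principal such as hile/admin may log in as. The realm EXAMPLE.COM and the principal names are assumed placeholders.

```ini
# Added illustration (not from the thread or from FreeIPA): MIT Kerberos
# principal-to-local-user mapping, i.e. what the KDC-independent half of
# "aname2lname" looks like on a client. Realm and names are placeholders.
[realms]
    EXAMPLE.COM = {
        # Map hile/[email protected] -> local account "hile".
        # [2:$1;$2] formats a two-component principal as "hile;admin",
        # the regexp accepts only principals whose second component is
        # "admin", and the s/// strips that suffix to yield "hile".
        # Leave this rule OUT for principals that must never log in
        # directly (the /admin case in the thread): without a matching
        # rule or a ~hile/.k5login entry they map to no local account.
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//

        # Everything else uses the built-in mapping: [email protected]
        # becomes "user"; any other principal is rejected.
        auth_to_local = DEFAULT
    }
```

The per-user alternative is a `~hile/.k5login` file listing `hile/[email protected]` on its own line, which is the "distributing k5login files" option Simo mentions; both only take effect for services that authenticate with GSSAPI, such as sshd with GSSAPIAuthentication enabled.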