On 04/07/2015 10:22 AM, Simo Sorce wrote:
On Tue, 2015-04-07 at 14:16 +0000, coy.h...@coyhile.com wrote:
Quoting Simo Sorce <s...@redhat.com>

On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
In MIT land, one can potentially have multiple instances tied (by
convention) to a given user (that is, that administratively one knows
are the same set of eyeballs).  For example, I might have my normal
user (hile), and I might have another distinct MIT principal
hile/admin used when I’m doing administrative work in the kerb
database, or potentially yet another hile/vpn for remote access.  Only
the first of these is a ‘real’ user that needs to have a uid, gid,
home directory, and shell; the others are just Kerberos principals
that might have differing password policies applied to them.  In
FreeIPA, it appears all kerberos principals are tied to a user (or to
a host in the case of host/ or another service definition). Is it
possible to define a non-posix user?  There is no good reason for
hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
login directly using that principal.
Early on when we created FreeIPA we decided against providing
alternative principals for the same user as it made things a lot more
complex for little gain. To this day we still do not support them.

Keep in mind that adding a principal is not the whole story, once you do
that then you probably still want to associate it to some user, and
assign privileges and allow alternative principal names to ssh into some
machines, which means distributing k5login files or providing explicit
support in the new aname2lname plugin.

To do all this means adding new objects and configuration facilities to
handle these special non-users, we haven't yet found enough benefit in
adding support for these to warrant the work involved.


Simo Sorce * Red Hat, Inc * New York

I guess that makes sense. Is it possible to add a user that simply
doesn't have the posix attributes defined? In the particular case of
*/admin, I would expect that user to login to the ipa ui or to be
kinit'd to prior to running ipa administrative commands, but I should
hope that it should never login directly.

Does that question make more sense?
It does, but we do not have such a feature, sorry.


Would setting shell to NULL help?
What do you want to prevent? SSH logins? You can have host based access control rules for that. Maybe a better explanation of why you need this user to not have posix would be beneficial. You can have posix users and still prevent them from logging in where they should not be able to log in.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
