Hi Alex,

Just because I gave up doesn't mean there isn't a way. Does your partitioning of local/domain users allow a domain user to run a service on a machine? I was trying to run an IPython notebook server as my regular user/domain account via systemd. Much of the data that the service needed access to resided on a multi-terabyte NFS share, hence the desire to make it work with my domain account. IIRC, systemd was the thing choking on the domain user.
Do you just manually create a local user with the same attributes as the domain user? (And in the case of the above, use NFS with sec=host?)

Thanks,
Bryce

> -----Original Message-----
> From: Alexander Frolushkin [mailto:[email protected]]
> Sent: Sunday, April 12, 2015 9:27 PM
> To: Nordgren, Bryce L -FS; 'Martin Kosek'; [email protected]
> Subject: RE: [Freeipa-users] user account without password
>
> -----Original Message-----
> From: Nordgren, Bryce L -FS [mailto:[email protected]]
> Sent: Friday, April 10, 2015 9:27 PM
> To: Alexander Frolushkin (SIB); 'Martin Kosek'; [email protected]
> Subject: RE: [Freeipa-users] user account without password
>
> >> Also, if such account will also exist locally (my case), it will not
> >> be controlled by HBAC rules - it can be some kind of security trap...
>
> > Pretty sure accounts should be either local or domain-wide, but not both.
> > Could lead to strange and unforeseen side effects. Last I checked, only local
> > accounts can run services. It may be advantageous to allow local accounts
> > (which can run services) to have a representation in the domain, but the local
> > accounts need to be scoped to the local machine (e.g., "apache" on server 1
> > is different than "apache" on server 2). At least that way, they could belong
> > to the same groups domain accounts belong to. SSO certainly shouldn't work.
> > Any access to shared storage should distinguish between same-named
> > accounts on different machines.
> >
> > Alternatively, allowing domain accounts to run certain services also
> > has some merit (assuming the user has permissions to do so).
> >
> > Just thinking into email.
> > Bryce
>
> I have a long and positive experience using both local and IPA users with the
> same attributes, but without HBAC and without a sudo way to obtain a shell of
> such users.
> Default settings in nsswitch.conf and pam provide straight and clear system
> behavior, for about three years.
> But I agree there can be cases when such a construction may lead to
> misbehavior and so on. We will try to avoid them.
> SSO is not really the aim for us; we just need to make an environment where
> users must remember only one password to access all resources on
> unix/linux servers.
>
> Not trying to argue, just sharing some thoughts :)
>
> Alexander

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
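An added check, not code from this thread or from the FreeIPA project, for the situation Alexander describes and Bryce asks about: a username that exists both as a local account and as an IPA account. It looks the name up in each NSS source separately, reports which copies exist, and checks that the two agree on uid, gid, home and shell; a differing uid is what breaks ownership on a shared NFS export such as the one in Bryce's setup, and a local copy is the case the thread notes is not governed by HBAC. It assumes glibc's getent with the -s/--service option and an sssd-backed "sss" NSS module; the user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find a username present both in the local
# passwd file (NSS "files") and in IPA via sssd (NSS "sss"), and check that the two
# copies agree on the fields that decide file ownership and login.
# Assumes glibc getent with -s/--service and an sssd-backed "sss" NSS module.

# Compare two passwd(5)-format lines (name:x:uid:gid:gecos:home:shell).
# Prints each differing field; returns 0 only when uid, gid, home and shell all match.
compare_passwd_entries() {
    local_line=$1
    domain_line=$2
    status=0
    for field in 3 4 6 7; do
        a=$(printf '%s\n' "$local_line" | cut -d: -f"$field")
        b=$(printf '%s\n' "$domain_line" | cut -d: -f"$field")
        if [ "$a" != "$b" ]; then
            case $field in
                3) fname=uid ;;
                4) fname=gid ;;
                6) fname=home ;;
                7) fname=shell ;;
            esac
            printf 'mismatch in %s: local=%s domain=%s\n' "$fname" "$a" "$b"
            status=1
        fi
    done
    return $status
}

# Classify a pair of lookups (either may be empty) as one of:
#   absent, local-only, domain-only, both-consistent, both-mismatch
# The classification is printed; the function itself always returns 0.
classify_entries() {
    local_line=$1
    domain_line=$2
    if [ -z "$local_line" ] && [ -z "$domain_line" ]; then
        echo absent
    elif [ -z "$domain_line" ]; then
        echo local-only
    elif [ -z "$local_line" ]; then
        echo domain-only
    elif compare_passwd_entries "$local_line" "$domain_line" >/dev/null; then
        echo both-consistent
    else
        echo both-mismatch
    fi
}

# Query one NSS source at a time (instead of the nsswitch.conf order) and report.
check_user() {
    user=$1
    local_line=$(getent -s files passwd "$user" 2>/dev/null)
    domain_line=$(getent -s sss passwd "$user" 2>/dev/null)
    verdict=$(classify_entries "$local_line" "$domain_line")
    printf '%s: %s\n' "$user" "$verdict"
    if [ "$verdict" = both-mismatch ]; then
        compare_passwd_entries "$local_line" "$domain_line"
    fi
    if [ -n "$local_line" ] && [ -n "$domain_line" ]; then
        echo "  note: the local entry is found first by nsswitch; IPA HBAC rules do not govern it"
    fi
}

# Usage: ./check_user.sh bryce alexander   (names are placeholders)
for u in "$@"; do
    check_user "$u"
done
```

Run it on every account name that appears in a systemd User= line or in an NFS export's ownership; "both-mismatch" is the case that needs fixing before the local copy and the IPA copy are allowed to coexist.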
