Hello, usually domain users used to run services AND to make some administration work. Some of users only used to run services. Also, there is a number of domain users, for example, "oracle" which is very important for application life, so we duplicating such users locally, to make sure it resolving is not depend on sssd (we still not thinking it is completely rock-stable, sorry :)). I have limited experience with NFS and domain users, in case of security, anyway. We do have a special nfs server sharing its filesystems to other services and using the same domain user on all this servers. For now I cannot remember any issues related this complex.
-----Original Message----- From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us] Sent: Monday, April 13, 2015 9:19 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com Subject: RE: [Freeipa-users] user account without password Hi Alex, Just because I gave up doesn't mean there isn't a way. Does your partitioning of local/domain users allow a domain user to run a service on a machine? I was trying to run an iPython notebook server as my regular user/domain account via systemd. Much of the data that the service needed access to resided on a multi-Terabyte NFS share, hence the desire to make it work with my domain account. IIRC, systemd was the thing choking on the domain user. Do you just manually create a local user with the same attributes as the domain user? (and in the case of the above use NFS with sec=host)? Thanks, Bryce > -----Original Message----- > From: Alexander Frolushkin [mailto:alexander.frolush...@megafon.ru] > Sent: Sunday, April 12, 2015 9:27 PM > To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users@redhat.com > Subject: RE: [Freeipa-users] user account without password > > -----Original Message----- > From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us] > Sent: Friday, April 10, 2015 9:27 PM > To: Alexander Frolushkin (SIB); 'Martin Kosek'; > freeipa-users@redhat.com > Subject: RE: [Freeipa-users] user account without password > > >> Also, if such account will also exist locally (my case), it will > >> not be controlled by HBAC rules - it can be a some kind of security trap... > > >Pretty sure accounts should be either local or domain-wide, but not both. > Could lead to strange and unforeseen side effects. Last I checked, > only local accounts can run services. It may be advantageous to allow > local accounts (which can run services) to have a representation in > the domain, but the local > >accounts need to be scoped to the local machine (e.g., "apache" on > >server 1 > is different than "apache" on server 2). At least that way, they could > belong to the same groups domain accounts belong to. SSO certainly shouldn't > work. > Any access to shared storage should distinguish between same-named > >accounts on different machines. > > >Alternatively, allowing domain accounts to run certain services also > >has some merit. (assuming the user has permissions to do so.) > > >Just thinking into email. > >Bryce > > I have a long and positive experience using both local and IPA users > with the same attributes, but without HBAC and without sudo way to > obtain shell of such users. > Default settings in nsswitch.conf and pam provides straight and clear > systems behavior, for about three years. > But I agree there can be case when such construction may lead to > misbehavior and so on. We will try to avoid them. > SSO not really the aim for us, we just need to made a environment > where users must remember only one password to access all resources on > unix/linux servers. > > Not trying to argue, just sharing some thoughts :) Alexander > > ________________________________ > > Информация в этом сообщении предназначена исключительно для конкретных > лиц, которым она адресована. В сообщении может содержаться > конфиденциальная информация, которая не может быть раскрыта или > использована кем-либо, кроме адресатов. Если вы не адресат этого > сообщения, то использование, переадресация, копирование или > распространение содержания сообщения или его части незаконно и > запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, > незамедлительно сообщите отправителю об этом и удалите со всем > содержимым само сообщение и любые возможные его копии и приложения. > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. It may contain confidential or legally > privileged information. The contents may not be disclosed or used by anyone > other than the addressee. > If you are not the intended recipient(s), any use, disclosure, > copying, distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you have received > this communication in error please notify us immediately by responding > to this email and then delete the e-mail and all attachments and any copies > thereof. > > (c)20mf50 ________________________________ Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
