On Wed, 10 Feb 2016, Mike Kelly wrote:
> Hi,
>
> I'm attempting to use ID Views as a shim, to allow me to have an existing
> host work with FreeIPA without having to re-chown many many files.
>
> Here's my basic strategy, and where things seem to be failing:
>
> For any truly local groups (e.g. for specific local services), I continue
> to manage those in /etc/groups
>
> For any users, they should be managed in FreeIPA, especially the password
> and SSH Pubkeys. But, they should continue to appear with their old UIDs
> and GIDs on the server. This means the user doesn't exist in /etc/passwd or
> /etc/shadow anymore (or the local password would be used, as I understand
> it).
>
> An ID View is created, applied to this host, and has a user override added
> to override the UID and GID of the user.
>
> But, when I do this, I continue to see the usual UID and GID in the output
> of `id $USER`, etc, even after running `sss_cache -E` and
> `systemctl restart sssd`.
>
> Is there some extra logging I can turn on to see why this ID View isn't
> being applied like I would expect? Or perhaps some extra bit of
> configuration I missed?

Level 7 or 9 debug logs in SSSD on the client might help.

> I'm running a pair of CentOS 7 boxes, one acting as the FreeIPA server, and
> the other is the "legacy" box I want to shim FreeIPA into...

ID Views are only applied on machines where you have SSSD that supports
them, just to make sure.

--
/ Alexander Bokovoy
