Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Ondrej Valousek

> Sorry sir, but technically it is the sgid bit that is a gross hack.
> The Posix draft for ACLs never got final approval, but it is pretty
> standardized across most OSs, and works fine for any Linux OS that isn't
> on ancient kernels. It is also enabled by default on all file systems
> that matter normally.

I agree with you that the sgid bit is a big hack here and that default ACL
rules are much more flexible in general.

> Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
> compatibility will also be much more complex than Posix ACLs, and does
> not add anything special for the default ACL use case.

Frankly speaking, I do not care too much if it is cool or not. What I do
care about is real cross-platform compatibility, which is necessary for
commercial production usage.
Posix-draft ACLs never got any final approval and are compatible across most
Linuxes (Windows uses something completely different, and SunOS with its zfs
filesystem, too). Moreover, there is NFSv4 which also comes with something
different, as you know, and appliances like Netapp NAS do _only_ support
NFSv4 ACL semantics.

So whereas Posix ACLs might be a perfect solution for most users/admins, the
future is somewhere else. I do not want to start any flame here, I just want
a simple thing: I want to use ACLs which are robust enough to be really
cross-platform compatible and widely supported, so I know they will be
supported even in 5-10 years.


Ondrej
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Simo Sorce
On Fri, 2012-10-26 at 09:36 +0200, Ondrej Valousek wrote:
> Well, you do not need ACLs for that, just 'chmod g+s ' will
> do.

This is what makes people ask for changing the GID, which is suboptimal
on many accounts.

The reason why FreeIPA creates a User Private Group is that the default
umask pretty much everywhere allows the primary group access to new
files created, so if the primary group is shared among users it means
that by default users cannot expect privacy. This is not nice.

> But in general, I agree, this is insane requirement as nobody would
> ever think of it in Windows. Not happy w/ traditional Unix
> permissions? Go for ACLs.

Default ACLs are very, very useful and enormously more powerful than the
sgid bit. I strongly recommend using ACLs for complex default ownership
requirements.

> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Sorry sir, but technically it is the sgid bit that is a gross hack.
The Posix draft for ACLs never got final approval, but it is pretty
standardized across most OSs, and works fine for any Linux OS that isn't
on ancient kernels. It is also enabled by default on all file systems
that matter normally.

Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
compatibility will also be much more complex than Posix ACLs, and does
not add anything special for the default ACL use case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

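An added example, not from the thread, that exercises the three points made above on a live system: the umask behaviour behind the User Private Group design, the `chmod g+s` approach, and the default-ACL approach. It assumes GNU coreutils and, for the ACL part, the `setfacl`/`getfacl` tools; the group it uses is whichever group the current process already belongs to.

```shell
#!/bin/sh
# Constructed demo for the sgid-vs-default-ACL discussion; not code from the thread.

# Mode a new file gets under a given umask. With the usual 022 the primary
# group can read the file (644); with 077 it is private to the owner (600).
# This is why a shared primary group leaks new files to everyone in it.
file_mode_under_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/f" )
    mode=$(stat -c %a "$dir/f")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# The sgid approach: chgrp + chmod g+s on a directory makes new files inherit
# the directory's group, whatever the creator's primary group is. Uses a
# secondary group of the current user if there is one, else the primary group.
# Prints "<file group>:<directory group>"; the two match when sgid works.
sgid_file_group() {
    dir=$(mktemp -d)
    grp=$(id -gn)
    for g in $(id -Gn); do
        [ "$g" != "$grp" ] && { grp=$g; break; }
    done
    chgrp "$grp" "$dir" && chmod g+s "$dir"
    : > "$dir/f"
    result="$(stat -c %G "$dir/f"):$(stat -c %G "$dir")"
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# The default-ACL approach: a default ACL on the directory grants rwx to a
# group on every new file without touching the owning group at all.
# Prints the inherited "group:<grp>:rwx" entry (getfacl appends the effective
# rights after the mask), or "unsupported" if acl tools or fs support are missing.
default_acl_entry() {
    command -v setfacl >/dev/null 2>&1 || { echo unsupported; return; }
    dir=$(mktemp -d)
    grp=$(id -gn)
    if ! setfacl -d -m "g:$grp:rwx" "$dir" 2>/dev/null; then
        rm -rf "$dir"; echo unsupported; return
    fi
    : > "$dir/f"
    entry=$(getfacl -p "$dir/f" 2>/dev/null | grep "^group:$grp:")
    rm -rf "$dir"
    printf '%s\n' "$entry"
}
```

Run as a user with more than one group to see the sgid case change the file's group; the ACL case shows the group gaining rwx while `stat -c %G` still reports the creator's group.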


Re: [Freeipa-users] ipa user-find

2012-10-26 Thread Rich Megginson

On 10/25/2012 08:33 PM, Steven Jones wrote:

> I hadn't restarted but now I have, no difference.
>
> wc -l says 1 but every other line is a blank, so yes 5000 seems likely.
>
> There are just under 6000 AD users, 2 servers as this is in the test
> environment to test winsync and passync, both are working as far as I can
> tell with the backported rpms.

Ok.  You may be running into https://fedorahosted.org/389/ticket/446

I believe ipa enables the anonymous limits feature.   I suggest
increasing these limits.




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 3:22 p.m.
To: Steven Jones
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 07:30 PM, Steven Jones wrote:

4

Both idlistscanlimit and lookthroughlimit?  And you're still hitting a
limit of 5000 entries?
How many entries in your database?
Have you tried restarting dirsrv?




From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 2:22 p.m.
To: Steven Jones
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 07:14 PM, Steven Jones wrote:

Hi,

Screenshot of access log output attached.

You increased the idlistscanlimit and lookthroughlimit?




From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 26 October 2012 10:24 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa user-find

On 10/25/2012 02:46 PM, Steven Jones wrote:

Hi,

yes figured it

even at 2 I'm still getting an administrative size limit exceeded (11)

This means you're either hitting the lookthroughlimit and/or the
idlistscanlimit.

The idlistscanlimit is described here -
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Database_Plug_in_Attributes.html#nsslapd_idlistscanlimit

I suggest changing the value to be 2 times as large as the number of
entries in your database, just to be safe:

ldapmodify -x -D "cn=directory manager" -W  Configuration ->  Search size limit

rob




From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 25 October 2012 3:40 p.m.
To:

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
hi,

yes, you are correct :-). Being a recent nfsv4 acls fan has made me forget that.

--
Groeten,
natxo


On Fri, Oct 26, 2012 at 9:36 AM, Ondrej Valousek  wrote:
> Well, you do not need ACLs for that, just 'chmod g+s ' will do.
> But in general, I agree, this is insane requirement as nobody would ever
> think of it in Windows. Not happy w/ traditional Unix permissions? Go for
> ACLs.
> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(
>
> Ondrej
>
> On 10/26/2012 09:07 AM, Natxo Asenjo wrote:
>
> On Thu, Oct 25, 2012 at 9:11 PM, KodaK  wrote:
>
> We have many different development groups, but people can be members
> of multiple groups.  For collaboration, they'd like it when creating a
> file to have that file have a group ownership of "foo" on machine-A,
> but "bar" on machine-B.  I'd like to help the end users do this
> themselves so that I don't have to maintain separate files on each
> machine (one of the reasons I put in IPA in the first place. :) )
>
> I think what you need are filesystem acls. With acls you can specify
> that new files in a dir structure will have predefined default groups
> so all members of that particular group will be able to modify the
> files.
>
>



Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Ondrej Valousek

Well, you do not need ACLs for that, just 'chmod g+s ' will do.
But in general, I agree, this is insane requirement as nobody would ever
think of it in Windows. Not happy w/ traditional Unix permissions? Go for
ACLs.

The only pity is that the current Posix-draft hack widely used on all
Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Ondrej

On 10/26/2012 09:07 AM, Natxo Asenjo wrote:

> On Thu, Oct 25, 2012 at 9:11 PM, KodaK  wrote:
>
> > We have many different development groups, but people can be members
> > of multiple groups.  For collaboration, they'd like it when creating a
> > file to have that file have a group ownership of "foo" on machine-A,
> > but "bar" on machine-B.  I'd like to help the end users do this
> > themselves so that I don't have to maintain separate files on each
> > machine (one of the reasons I put in IPA in the first place. :) )
>
> I think what you need are filesystem acls. With acls you can specify
> that new files in a dir structure will have predefined default groups
> so all members of that particular group will be able to modify the
> files.


Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 9:11 PM, KodaK  wrote:

> We have many different development groups, but people can be members
> of multiple groups.  For collaboration, they'd like it when creating a
> file to have that file have a group ownership of "foo" on machine-A,
> but "bar" on machine-B.  I'd like to help the end users do this
> themselves so that I don't have to maintain separate files on each
> machine (one of the reasons I put in IPA in the first place. :) )

I think what you need are filesystem acls. With acls you can specify
that new files in a dir structure will have predefined default groups
so all members of that particular group will be able to modify the
files.

-- 
groet,
natxo
