Re: [Freeipa-devel] Purpose of default user group
Thanks all for the answers.

On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> In ipa migrate-ds we also set the group to all users who are not members of anything. Why is it important for a user to be a member of a group?
>
> Every POSIX user needs a default GID. We don't create user-private groups for migrated users.

How should the default GID be set during migration? IMHO there are two issues:

1. The ipausers group is not a POSIX group. Which, btw, also creates this nice issue:

   $ ipa user-add fbar --noprivate
   First name: Foo
   Last name: Bar
   ipa: ERROR: Default group for new users is not POSIX

2. Migrated users have to be POSIX, therefore they have gidnumber and migrate-ds checks for its presence. But the command doesn't do anything with the GID number later, even if the group doesn't exist, nor in the step where the default group is set. Therefore the default group, even if POSIX, would not work for this use case (set default GID number).

Q: Is it expected that user private groups will be migrated? (e.g. for migration from another FreeIPA instance). If not, then there would be a lot of users without a private group with the same GID number as UID number.

Q: Why don't we allow creating user private groups? What would be better if migrating from a FreeIPA instance: migrate private groups or create new private groups using the Managed Entries plugin?

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Purpose of default user group
Petr Vobornik wrote:
> Thanks all for the answers.
>
> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> In ipa migrate-ds we also set the group to all users who are not members of anything. Why is it important for a user to be a member of a group?
>>
>> Every POSIX user needs a default GID. We don't create user-private groups for migrated users.

IPA to IPA migration is a bit of a special case, and not something we really planned on (though we've tended to keep it basically working). Migration was expected to be from an existing LDAP server providing POSIX users and groups.

> How should the default GID be set during migration? IMHO there are two issues:
>
> 1. The ipausers group is not a POSIX group. Which, btw, also creates this nice issue:
>
>    $ ipa user-add fbar --noprivate
>    First name: Foo
>    Last name: Bar
>    ipa: ERROR: Default group for new users is not POSIX

Right, we assumed that incoming users would already have valid groups.

> 2. Migrated users have to be POSIX, therefore they have gidnumber and migrate-ds checks for its presence. But the command doesn't do anything with the GID number later, even if the group doesn't exist, nor in the step where the default group is set. Therefore the default group, even if POSIX, would not work for this use case (set default GID number).

It does verify that the GID points to an existing group. If not you'll get a warning like:

    GID number %s of migrated user %s does not point to a known group.

> Q: Is it expected that user private groups will be migrated? (e.g. for migration from another FreeIPA instance). If not, then there would be a lot of users without a private group with the same GID number as UID number.

IPA to IPA migration wasn't really planned out, so no. It is slightly complex because it will add another remote LDAP call for each user to see if they have an existing group in their name and ensure that the group contains no members (or only this user). And then later, when groups are migrated, skip over the existing private group silently.

> Q: Why don't we allow creating user private groups? What would be better if migrating from a FreeIPA instance: migrate private groups or create new private groups using the Managed Entries plugin?

Because of the additional logic in evaluating what the current state of groups is on the remote server. It's doable but it would be slower. Worth an RFE I think.

rob
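The two checks argued over in the last two messages (the default group must be POSIX before it can hand out a GID, and a migrated user's gidNumber must point at a known group) are small enough to re-create stand-alone. The script below is an added example written for this page, not FreeIPA's own migrate-ds or user-add code. It runs against constructed in-memory entries (plain dicts with lower-cased attribute names) so it works offline; the function names, the sample users and groups, and the "repoint dangling GIDs to the default group" step are all hypothetical. That last step goes beyond what the thread says migrate-ds does today: it is the fallback Petr's point 2 says is missing, shown here only to make the dependency on a POSIX default group concrete.

```python
"""Stand-alone re-creation of the migrate-ds GID checks discussed above.

Added example, not FreeIPA's own code. Entries are plain dicts with
lower-cased attribute names, constructed inline so the script runs
offline; function names and sample users/groups are hypothetical.
"""

# Constructed sample groups. "staff" is POSIX (posixGroup + gidNumber);
# "ipausers" mimics the thread's default group, which is not POSIX.
GROUPS = [
    {"cn": "staff", "objectclass": ["top", "groupOfNames", "posixGroup"],
     "gidnumber": 2000},
    {"cn": "ipausers", "objectclass": ["top", "groupOfNames", "nestedGroup"]},
]

# Constructed sample users as a migration source might present them.
USERS = [
    {"uid": "alice", "uidnumber": 1001, "gidnumber": 2000},  # resolves to staff
    {"uid": "bob", "uidnumber": 1002, "gidnumber": 1002},    # UPG-style GID, no such group
    {"uid": "carol", "uidnumber": 1003},                     # no gidNumber at all
]

# Message texts mirror the ones quoted in the thread.
WARN_UNKNOWN_GID = "GID number {gid} of migrated user {uid} does not point to a known group"
ERR_DEFAULT_NOT_POSIX = "Default group for new users is not POSIX"


def is_posix_group(group):
    """A group can supply a primary GID only if it is posixGroup with a gidNumber."""
    classes = {oc.lower() for oc in group.get("objectclass", [])}
    return "posixgroup" in classes and "gidnumber" in group


def default_group_gid(groups, default_group):
    """Mirror the `ipa user-add --noprivate` failure: the configured default
    group must be POSIX before it can stand in for a missing private group."""
    for g in groups:
        if g["cn"] == default_group:
            if not is_posix_group(g):
                raise ValueError(ERR_DEFAULT_NOT_POSIX)
            return g["gidnumber"]
    raise LookupError("default group %r not found" % default_group)


def resolve_migrated_gids(users, groups):
    """Classify migrated users the way the thread describes migrate-ds doing.

    Returns (resolved, warnings, rejected):
      resolved - [(uid, group cn)] where gidNumber is a known POSIX group
      warnings - dangling gidNumber: migrate-ds warns and keeps the user
      rejected - no gidNumber at all: not a POSIX user, cannot be migrated
    """
    known = {g["gidnumber"]: g["cn"] for g in groups if is_posix_group(g)}
    resolved, warnings, rejected = [], [], []
    for u in users:
        gid = u.get("gidnumber")
        if gid is None:
            rejected.append(u["uid"])
        elif gid not in known:
            warnings.append(WARN_UNKNOWN_GID.format(gid=gid, uid=u["uid"]))
        else:
            resolved.append((u["uid"], known[gid]))
    return resolved, warnings, rejected


def repoint_dangling_gids(users, groups, default_group):
    """Hypothetical fallback the thread says migrate-ds lacks: give users whose
    gidNumber resolves to nothing the default group's GID. Fails with the same
    error as user-add when the default group is not POSIX. Returns new dicts."""
    fallback = default_group_gid(groups, default_group)
    known = {g["gidnumber"] for g in groups if is_posix_group(g)}
    out = []
    for u in users:
        gid = u.get("gidnumber")
        if gid is None:
            continue  # still rejected: no gidNumber means not a POSIX user
        fixed = dict(u)
        if gid not in known:
            fixed["gidnumber"] = fallback
        out.append(fixed)
    return out


if __name__ == "__main__":
    ok, warns, bad = resolve_migrated_gids(USERS, GROUPS)
    print("resolved:", ok)
    print("warnings:", *warns, sep="\n  ")
    print("rejected (no gidNumber):", bad)
    try:
        repoint_dangling_gids(USERS, GROUPS, "ipausers")
    except ValueError as e:
        print("ipausers as default:", e)
    print("staff as default:", repoint_dangling_gids(USERS, GROUPS, "staff"))
```

Running it shows the three outcomes side by side: alice resolves, bob is imported with the "does not point to a known group" warning, carol is rejected, and the fallback only works once the default group is changed to a POSIX group such as staff, which is exactly why the non-POSIX ipausers cannot fill the gap that point 2 describes.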
Re: [Freeipa-devel] Purpose of default user group
On 10.3.2015 16:01, Jakub Hrozek wrote:
> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>
>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>
>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>
> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.

I always thought that ipausers is an equivalent of domain users in the AD world (compare with Trusted domain users).

In my admin life I considered domain users to be a useful alias for real authenticated user accounts (compare with Everyone = even unauthenticated access, Authenticated users = includes machine accounts too.)

Moreover, getting rid of ipausers does not help with the 'big groups problem' in any way. E.g. at a university you are almost inevitably going to have groups like 'students' which will contain more than 90 % of users anyway.

-- 
Petr^2 Spacek
Re: [Freeipa-devel] Purpose of default user group
Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>>>
>>>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>>>
>>>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>>>
>>> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
>>
>> I always thought that ipausers is an equivalent of domain users in the AD world (compare with Trusted domain users).
>>
>> In my admin life I considered domain users to be a useful alias for real authenticated user accounts (compare with Everyone = even unauthenticated access, Authenticated users = includes machine accounts too.)
>>
>> Moreover, getting rid of ipausers does not help with the 'big groups problem' in any way. E.g. at a university you are almost inevitably going to have groups like 'students' which will contain more than 90 % of users anyway.
>
> For what use do we need this distinction in IPA itself?
>
> - ACI (permissions) have a separate notion to describe the anonymous/any authenticated dichotomy
> - HBAC has an 'all' category for users, which in HBAC context means all authenticated users
>
> Where else would we need ipausers, other than as the default POSIX group, which we are not using it for?

Petr's point is that deleting ipausers is a short-term solution that ignores the underlying problem. But yeah, ipausers is a solution looking for a problem AFAIK.

It was a future-proofing move because if we ever decided we needed one, slurping in all the users at once and adding them to some common group would be time-consuming.

rob
Re: [Freeipa-devel] Purpose of default user group
On 03/10/2015 05:08 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Tue, 10 Mar 2015, Petr Spacek wrote:
>>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>>> Petr Vobornik wrote:
>>>>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>>>>
>>>>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>>>>
>>>>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>>>>
>>>> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
>>>
>>> I always thought that ipausers is an equivalent of domain users in the AD world (compare with Trusted domain users).
>>>
>>> In my admin life I considered domain users to be a useful alias for real authenticated user accounts (compare with Everyone = even unauthenticated access, Authenticated users = includes machine accounts too.)
>>>
>>> Moreover, getting rid of ipausers does not help with the 'big groups problem' in any way. E.g. at a university you are almost inevitably going to have groups like 'students' which will contain more than 90 % of users anyway.
>>
>> For what use do we need this distinction in IPA itself?
>>
>> - ACI (permissions) have a separate notion to describe the anonymous/any authenticated dichotomy
>> - HBAC has an 'all' category for users, which in HBAC context means all authenticated users
>>
>> Where else would we need ipausers, other than as the default POSIX group, which we are not using it for?
>
> Petr's point is that deleting ipausers is a short-term solution that ignores the underlying problem. But yeah, ipausers is a solution looking for a problem AFAIK.
>
> It was a future-proofing move because if we ever decided we needed one, slurping in all the users at once and adding them to some common group would be time-consuming.

I wonder if it would help if these special groups did not have explicit members defined, but were more descriptive. Something like DS Dynamic Groups [1]. If we could define "ipausers are all users in this container having this objectclass", DS and SSSD would take care of the rest.

I am not sure if it would help with performance; it would be easier at least for managing the membership. I am also not sure how we would create the group for AD users.

[1] https://fedorahosted.org/389/ticket/128
Re: [Freeipa-devel] Purpose of default user group
On Tue, 2015-03-10 at 16:01 +0100, Jakub Hrozek wrote:
> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>
>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>
>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>
> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.

We should probably turn ipausers into a fully virtual group that is added to the user's Authorization data in the KDC (MS-PAC or in future PAD). This way it will be possible to reference it in sssd but it will not create issues with memberships in the server.

But we need the PAD first, I guess. (we could do something with authentication indicators too, but that would be a hack).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] Purpose of default user group
Hi,

I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.

In ipa migrate-ds we also set the group to all users who are not members of anything.

Why is it important for a user to be a member of a group?

Thank you

-- 
Petr Vobornik
Re: [Freeipa-devel] Purpose of default user group
Petr Vobornik wrote:
> Hi,
>
> I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.

To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.

> In ipa migrate-ds we also set the group to all users who are not members of anything.
>
> Why is it important for a user to be a member of a group?
>
> Thank you

Every POSIX user needs a default GID. We don't create user-private groups for migrated users.

rob
Re: [Freeipa-devel] Purpose of default user group
On Tue, 10 Mar 2015, Simo Sorce wrote:
> On Tue, 2015-03-10 at 16:01 +0100, Jakub Hrozek wrote:
>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>> Petr Vobornik wrote:
>>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>>
>>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>>
>>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>>
>> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
>
> We should probably turn ipausers into a fully virtual group that is added to the user's Authorization data in the KDC (MS-PAC or in future PAD). This way it will be possible to reference it in sssd but it will not create issues with memberships in the server.
>
> But we need the PAD first, I guess. (we could do something with authentication indicators too, but that would be a hack).

Yep. If we need ipausers for POSIX context interpretation on IPA clients, PAD would be our choice, as we already do with MS-PAC for AD users.

Within the LDAP server, if we want to address all IPA users to do some mass operations on them, I think we probably should have some specialized control that would give 389-ds a chance to optimize building this list of users before applying an operation to them. This would be something non-standard but more efficient than what we are doing right now.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] Purpose of default user group
On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>
>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>
> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.

yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
Re: [Freeipa-devel] Purpose of default user group
On Tue, 10 Mar 2015, Petr Spacek wrote:
> On 10.3.2015 16:01, Jakub Hrozek wrote:
>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>> Petr Vobornik wrote:
>>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>>
>>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>>
>>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>>
>> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
>
> I always thought that ipausers is an equivalent of domain users in the AD world (compare with Trusted domain users).
>
> In my admin life I considered domain users to be a useful alias for real authenticated user accounts (compare with Everyone = even unauthenticated access, Authenticated users = includes machine accounts too.)
>
> Moreover, getting rid of ipausers does not help with the 'big groups problem' in any way. E.g. at a university you are almost inevitably going to have groups like 'students' which will contain more than 90 % of users anyway.

For what use do we need this distinction in IPA itself?

- ACI (permissions) have a separate notion to describe the anonymous/any authenticated dichotomy
- HBAC has an 'all' category for users, which in HBAC context means all authenticated users

Where else would we need ipausers, other than as the default POSIX group, which we are not using it for?

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] Purpose of default user group
On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> Hi,
>>
>> I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>
> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.

I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.

>> In ipa migrate-ds we also set the group to all users who are not members of anything.
>>
>> Why is it important for a user to be a member of a group?
>>
>> Thank you
>
> Every POSIX user needs a default GID. We don't create user-private groups for migrated users.
>
> rob
Re: [Freeipa-devel] Purpose of default user group
On 10.3.2015 16:55, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Petr Spacek wrote:
>> On 10.3.2015 16:01, Jakub Hrozek wrote:
>>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>>> Petr Vobornik wrote:
>>>>>> Hi, I would like to ask what is the purpose of a default user group - by default ipausers? Default group is also a required field in ipa config.
>>>>>
>>>>> To be able to apply some (undefined) group policy to all users. I'm not aware that it has ever been used for this.
>>>>
>>>> I would also be interested in the use cases, especially given all the pain we have with ipausers and large user bases. Especially that for current policies (SUDO, HBAC, SELinux user policy), we always have other means to specify all users.
>>>
>>> yes, but those means usually specify both AD and IPA users, right? I always thought ipausers is a handy shortcut for selecting IPA users only and not AD users.
>>
>> I always thought that ipausers is an equivalent of domain users in the AD world (compare with Trusted domain users).
>>
>> In my admin life I considered domain users to be a useful alias for real authenticated user accounts (compare with Everyone = even unauthenticated access, Authenticated users = includes machine accounts too.)
>>
>> Moreover, getting rid of ipausers does not help with the 'big groups problem' in any way. E.g. at a university you are almost inevitably going to have groups like 'students' which will contain more than 90 % of users anyway.
>
> For what use do we need this distinction in IPA itself?
>
> - ACI (permissions) have a separate notion to describe the anonymous/any authenticated dichotomy
> - HBAC has an 'all' category for users, which in HBAC context means all authenticated users
>
> Where else would we need ipausers, other than as the default POSIX group, which we are not using it for?

Ah, it is not a POSIX group? Too bad. I was using AD domain users for file permissions, so a POSIX group equivalent is what I had in mind.

-- 
Petr^2 Spacek