Re: [Freeipa-users] Different primary group on different machines.
On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
> We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
> I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )

I think what you need are filesystem ACLs. With ACLs you can specify that new files in a dir structure will have predefined default groups, so all members of that particular group will be able to modify the files.

--
groet,
natxo

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Different primary group on different machines.
Well, you do not need ACLs for that, just 'chmod g+s directory' will do.
But in general, I agree, this is an insane requirement, as nobody would ever think of it in Windows. Not happy w/ traditional Unix permissions? Go for ACLs. The only pity is that the current Posix-draft hack widely used on all Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Ondrej

On 10/26/2012 09:07 AM, Natxo Asenjo wrote:
> On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
>> We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
>> I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )
>
> I think what you need are filesystem ACLs. With ACLs you can specify that new files in a dir structure will have predefined default groups, so all members of that particular group will be able to modify the files.
Re: [Freeipa-users] Different primary group on different machines.
hi, yes, you are correct :-). Being a recent nfsv4 acls fan has made me forget that.

--
Groeten,
natxo

On Fri, Oct 26, 2012 at 9:36 AM, Ondrej Valousek ondr...@s3group.cz wrote:
> Well, you do not need ACLs for that, just 'chmod g+s directory' will do.
> But in general, I agree, this is an insane requirement, as nobody would ever think of it in Windows. Not happy w/ traditional Unix permissions? Go for ACLs. The only pity is that the current Posix-draft hack widely used on all Linuxes is a mess and Rich-acl support is still nowhere in sight :-(
>
> Ondrej
>
> On 10/26/2012 09:07 AM, Natxo Asenjo wrote:
>> On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
>>> We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
>>> I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )
>>
>> I think what you need are filesystem ACLs. With ACLs you can specify that new files in a dir structure will have predefined default groups, so all members of that particular group will be able to modify the files.
Re: [Freeipa-users] Different primary group on different machines.
> Sorry sir, but technically it is the sgid bit that is a gross hack. The Posix draft for ACLs never got final approval, but it is pretty standardized across most OSs, and works fine for any Linux OS that isn't on ancient kernels. It is also enabled by default on all file systems that matter normally. I agree with you that the sgid bit is a big hack here and that default ACL rules are much more flexible in general. Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL compatibility, will also be much more complex than Posix ACLs, and does not add anything special for the default ACL use case.

Frankly speaking, I do not care too much if it is cool or not. What I do care about is real cross-platform compatibility, necessary for commercial production usage. Posix-draft ACLs never got any final approval and are compatible across most Linuxes (Windows uses something completely different, and SunOS with its zfs filesystem, too). Moreover, there is NFSv4, which also comes with something different, as you know, and appliances like Netapp NAS _only_ support NFSv4 ACL semantics. So whereas Posix ACLs might be a perfect solution for most users/admins, the future is somewhere else.
I do not want to start any flame here, I just want a simple thing: I want to use ACLs which are robust enough to be really cross-platform compatible and widely supported, so I know they will be supported even in 5-10 years.

Ondrej
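The two mechanisms argued over above, Ondrej's 'chmod g+s directory' and the default-ACL approach, side by side in one script. This is an added example, not code from the thread or from FreeIPA/SSSD; it runs unprivileged in a temporary directory, the directory and file names are constructed, and it picks one of the caller's own groups so the behaviour can be observed without any IPA setup. The point it demonstrates is the one the original poster wanted: with the setgid bit on a per-machine project directory, files created there get the directory's group regardless of the creator's primary group, so no per-user or per-host primary-group override is needed.

```shell
#!/bin/sh
# Added example, not code from the thread: a shared project directory whose new
# files inherit the directory's group via the setgid bit, with an optional POSIX
# (draft) default ACL for the mode. Paths and group choice are constructed here.

# setup_shared_dir DIR GROUP
# DIR gets GROUP as owning group plus the setgid bit, so any file created inside
# is owned by GROUP no matter which primary group the creating user has.
setup_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1"          # 2 = setgid; 770 = owner and group rwx, others nothing
}

# add_default_acl DIR GROUP
# setgid fixes the owning group but not the mode; a default ACL additionally
# grants GROUP rwx on new entries. Skipped when setfacl is missing or the
# filesystem has no ACL support, since the setgid part already works without it.
add_default_acl() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not found, skipping"; return 0; }
    setfacl -d -m "g:$2:rwx" "$1" 2>/dev/null || echo "no ACL support on this filesystem, skipping"
}

# group_of PATH: numeric gid of PATH (ls -n works on GNU and BSD ls)
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# verify_inheritance DIR: create a file in DIR, succeed if its gid equals DIR's gid
verify_inheritance() {
    : > "$1/newfile.$$" || return 1
    [ "$(group_of "$1/newfile.$$")" = "$(group_of "$1")" ]
}

# newfile_gid_plain: the gid a new file gets in an ordinary (non-setgid)
# directory, i.e. the creator's current primary group. This is the behaviour
# the original poster was working around with newgrp.
newfile_gid_plain() {
    tmp=$(mktemp -d) || return 1
    chmod g-s "$tmp"          # make sure no setgid is inherited from the parent
    : > "$tmp/f"
    group_of "$tmp/f"
    rm -rf "$tmp"
}

# pick_group: a supplementary group of the caller if one exists (so the demo
# shows a real change of group), otherwise the primary group.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# demo: run the whole thing unprivileged in a temp dir; returns 0 on success
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(pick_group)
    if ! setup_shared_dir "$tmp/proj" "$grp"; then
        grp=$(id -g)          # fall back to the primary group if chgrp is refused
        setup_shared_dir "$tmp/proj" "$grp" || { rm -rf "$tmp"; return 1; }
    fi
    add_default_acl "$tmp/proj" "$grp"
    verify_inheritance "$tmp/proj"
    rc=$?
    echo "dir gid=$(group_of "$tmp/proj") caller primary gid=$(id -g) inherited=$rc"
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real host you would run setup_shared_dir once per machine with that machine's collaboration group (foo on machine-A, bar on machine-B); the group itself can still come from IPA, and nothing per-user has to be maintained. Subdirectories created inside a setgid directory inherit the bit, so the effect carries down the tree.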
[Freeipa-users] Different primary group on different machines.
I've been having users use the newgrp command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed.
I know, I know: if it works, use it -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another way to do it that might be better.

Any thoughts?

Thanks,
--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] Different primary group on different machines.
On 10/25/2012 11:49 AM, KodaK wrote:
> I've been having users use the newgrp command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed.
> I know, I know: if it works, use it -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another way to do it that might be better.
>
> Any thoughts?
>
> Thanks,
> --Jason

By reading the description of the command, it seems that it works only for local accounts. So I suspect it is not effective in any case when the users come from LDAP and not a file.
That brings the question: what is the use case and why do you need it, and subsequently, is there any other way to solve the problem you are trying to solve with already existing means in SSSD?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Different primary group on different machines.
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
> On 10/25/2012 11:49 AM, KodaK wrote:
>> I've been having users use the newgrp command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed.
>> I know, I know: if it works, use it -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another way to do it that might be better.
>>
>> Any thoughts?
>>
>> Thanks,
>> --Jason
>
> By reading the description of the command, it seems that it works only for local accounts. So I suspect it is not effective in any case when the users come from LDAP and not a file.
> That brings the question: what is the use case and why do you need it, and subsequently, is there any other way to solve the problem you are trying to solve with already existing means in SSSD?

I have users that need different primary groups on different machines. The newgrp command works -- unfortunately, putting it in a login script is a bad thing because newgrp reads those same login scripts, creating an infinite loop.

We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )

Thanks,
--Jason
Re: [Freeipa-users] Different primary group on different machines.
On 10/25/2012 03:11 PM, KodaK wrote:
> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
>> On 10/25/2012 11:49 AM, KodaK wrote:
>>> I've been having users use the newgrp command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed.
>>> I know, I know: if it works, use it -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another way to do it that might be better.
>>>
>>> Any thoughts?
>>>
>>> Thanks,
>>> --Jason
>>
>> By reading the description of the command, it seems that it works only for local accounts. So I suspect it is not effective in any case when the users come from LDAP and not a file.
>> That brings the question: what is the use case and why do you need it, and subsequently, is there any other way to solve the problem you are trying to solve with already existing means in SSSD?
>
> I have users that need different primary groups on different machines. The newgrp command works -- unfortunately, putting it in a login script is a bad thing because newgrp reads those same login scripts, creating an infinite loop.
>
> We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
> I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )
>
> Thanks,
> --Jason

I see it to be solvable in two different ways.
One centrally in IPA. Something like an extra attribute attached to an HBAC rule that would denote the alternative default group. This is just from the top of my head. I already see problems with this approach, but anyway, this is one direction.
A different option is to have a local override in the sssd.conf and make SSSD swap the primary group for the user, but then you would have to configure it per user - not a nice approach either.
Hmmm, maybe some kind of sss_cache related utility that would update the cache with the preferred GID. That would work as a command but has other implications - dealing with the fast cache and server side changes that might override the value...
Anyway, not an easy fix. Can you please file an RFE? Would you be able to contribute some code for such a feature?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Different primary group on different machines.
On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal d...@redhat.com wrote:
> On 10/25/2012 03:11 PM, KodaK wrote:
>> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 10/25/2012 11:49 AM, KodaK wrote:
>>>> I've been having users use the newgrp command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed.
>>>> I know, I know: if it works, use it -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another way to do it that might be better.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>> --Jason
>>>
>>> By reading the description of the command, it seems that it works only for local accounts. So I suspect it is not effective in any case when the users come from LDAP and not a file.
>>> That brings the question: what is the use case and why do you need it, and subsequently, is there any other way to solve the problem you are trying to solve with already existing means in SSSD?
>>
>> I have users that need different primary groups on different machines. The newgrp command works -- unfortunately, putting it in a login script is a bad thing because newgrp reads those same login scripts, creating an infinite loop.
>>
>> We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.
>> I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )
>>
>> Thanks,
>> --Jason
>
> I see it to be solvable in two different ways.
> One centrally in IPA. Something like an extra attribute attached to an HBAC rule that would denote the alternative default group. This is just from the top of my head. I already see problems with this approach, but anyway, this is one direction.

I'd think it would have to be per-user or a separate policy area. These users get this pgrp on these servers.

> A different option is to have a local override in the sssd.conf and make SSSD swap the primary group for the user, but then you would have to configure it per user - not a nice approach either.
> Hmmm, maybe some kind of sss_cache related utility that would update the cache with the preferred GID. That would work as a command but has other implications - dealing with the fast cache and server side changes that might override the value...
> Anyway, not an easy fix. Can you please file an RFE?

Sure. Where do I do that? :) (I'm kidding, I'll google it.)

> Would you be able to contribute some code for such a feature?

I'd love to say I could, but I'm not really a coder, and my day job has me working 50-60 hours a week as it is. And when I say I'd love to, I really mean it. I'd rather be doing that than my day job. :)

--Jason