Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:

> We have many different development groups, but people can be members
> of multiple groups.  For collaboration, they'd like it when creating a
> file to have that file have a group ownership of foo on machine-A,
> but bar on machine-B.  I'd like to help the end users do this
> themselves so that I don't have to maintain separate files on each
> machine (one of the reasons I put in IPA in the first place. :) )

I think what you need are filesystem acls. With acls you can specify
that new files in a dir structure will have predefined default groups
so all members of that particular group will be able to modify the
files.

-- 
groet,
natxo

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Ondrej Valousek

Well, you do not need ACLs for that, just 'chmod g+s directory' will do.
But in general, I agree, this is an insane requirement as nobody would ever think of it in Windows. Not happy w/ traditional Unix permissions? Go for ACLs.

The only pity is that the current Posix-draft hack widely used on all Linuxes 
is a mess and Rich-acl support is still nowhere in sight :-(

Ondrej

On 10/26/2012 09:07 AM, Natxo Asenjo wrote:

> On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
>
>> We have many different development groups, but people can be members
>> of multiple groups.  For collaboration, they'd like it when creating a
>> file to have that file have a group ownership of foo on machine-A,
>> but bar on machine-B.  I'd like to help the end users do this
>> themselves so that I don't have to maintain separate files on each
>> machine (one of the reasons I put in IPA in the first place. :) )
>
> I think what you need are filesystem acls. With acls you can specify
> that new files in a dir structure will have predefined default groups
> so all members of that particular group will be able to modify the
> files.


Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
hi,

yes, you are correct :-). Being a recent nfsv4 acls fan has made me forget that.

--
Groeten,
natxo


On Fri, Oct 26, 2012 at 9:36 AM, Ondrej Valousek ondr...@s3group.cz wrote:
> Well, you do not need ACLs for that, just 'chmod g+s directory' will do.
> But in general, I agree, this is insane requirement as nobody would ever
> think of it in Windows. Not happy w/ a traditional Unix permissions? Go for
> ACLs.
> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(
>
> Ondrej
>
> On 10/26/2012 09:07 AM, Natxo Asenjo wrote:
>
>> On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
>>
>>> We have many different development groups, but people can be members
>>> of multiple groups.  For collaboration, they'd like it when creating a
>>> file to have that file have a group ownership of foo on machine-A,
>>> but bar on machine-B.  I'd like to help the end users do this
>>> themselves so that I don't have to maintain separate files on each
>>> machine (one of the reasons I put in IPA in the first place. :) )
>>
>> I think what you need are filesystem acls. With acls you can specify
>> that new files in a dir structure will have predefined default groups
>> so all members of that particular group will be able to modify the
>> files.





Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Simo Sorce
On Fri, 2012-10-26 at 09:36 +0200, Ondrej Valousek wrote:
> Well, you do not need ACLs for that, just 'chmod g+s directory' will
> do.

This is what makes people ask for changing the GID, which is suboptimal
on many accounts.

The reason why FreeIPA creates a User Private Group is that the default
umask pretty much everywhere allows the primary group access to new
files created, so if the primary group is shared among users it means
that by default users cannot expect privacy. This is not nice.

> But in general, I agree, this is insane requirement as nobody would
> ever think of it in Windows. Not happy w/ a traditional Unix
> permissions? Go for ACLs.

Default ACLs are very, very useful and enormously more powerful than the
sgid bit. I strongly recommend using ACLs for complex default ownership
requirements.

> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Sorry sir, but technically it is the sgid bit that is a gross hack.
The Posix draft for ACLs never got final approval, but it is pretty
standardized across most OSs, and works fine for any Linux OS that isn't
on ancient kernels. It is also enabled by default on all file systems
that matter normally.

Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
compatibility will also be much more complex than Posix ACLs, and does
not add anything special for the default ACL use case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

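The three mechanisms argued over in this thread (Ondrej's setgid directory, Natxo's and Simo's default ACLs, and Simo's umask / User Private Group point) are easy to confuse in the abstract, so here is an added shell example that exercises each one on a throwaway directory and shows what it actually does to a freshly created file. It is not code from the thread or from the FreeIPA project. It assumes a Linux host with GNU coreutils (stat -c, ls -n); the acl tools (setfacl/getfacl) are optional and that part reports "skipped" without them. The scratch directory, file names and the choice of group are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: exercises the three
# mechanisms discussed above on a throwaway directory and prints what each does.
# Assumes Linux with coreutils (stat -c, ls -n); the acl tools (setfacl/getfacl)
# are optional and the ACL part reports "skipped" without them.
set -eu

WORK=$(mktemp -d)            # constructed scratch area, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Numeric GID of a path (field 4 of "ls -ldn").
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# Octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# 1. setgid directory ('chmod g+s'): a new file inherits the directory's
#    group no matter what the creator's primary group is. Prints the new
#    file's GID, which the caller can compare with gid_of "$WORK/sgid".
setgid_demo() {
    dir="$WORK/sgid"
    mkdir -p "$dir"
    # Use a supplementary group of the caller if one exists, so the inherited
    # group visibly differs from the primary group; otherwise stay with it.
    target=$(id -G | tr ' ' '\n' | grep -vx "$(id -g)" | head -n 1 || true)
    if [ -n "$target" ]; then
        chgrp "$target" "$dir" 2>/dev/null || true   # keep primary group if not permitted
    fi
    chmod 2770 "$dir"         # rwx for owner and group, setgid bit on
    : > "$dir/new.txt"
    gid_of "$dir/new.txt"
}

# 2. umask: the reason FreeIPA gives each user a private primary group.
#    New files get 0666 & ~umask, so with the usual 022 the group bit already
#    grants read; if that group is shared among users, every new file is
#    readable by all of them. With a User Private Group the group bit reaches
#    nobody else, which is also why umask 002 is harmless there.
#    Prints the octal mode of a file created under the given umask.
file_mode_with_umask() {
    ( umask "$1"; : > "$WORK/umask_$1.txt"; mode_of "$WORK/umask_$1.txt" )
}

# 3. default POSIX ACL ('setfacl -d'): the directory carries a template that
#    is copied onto every new file, so a named group gets access independent
#    of the file's owning group. Prints the permission field of the inherited
#    named-group entry ("rwx"; effective rights are further limited by the
#    mask entry, which getfacl shows as "#effective"), or "skipped" when the
#    acl tools or filesystem support are missing.
default_acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    dir="$WORK/acl"
    mkdir -p "$dir"
    grp=$(id -gn)             # any existing group serves as the named entry here
    setfacl -d -m "g:$grp:rwx" "$dir" 2>/dev/null || { echo skipped; return 0; }
    ( umask 022; : > "$dir/new.txt" )
    getfacl -p --omit-header "$dir/new.txt" 2>/dev/null \
        | awk -F: -v g="$grp" '$1 == "group" && $2 == g { sub(/[ \t].*/, "", $3); print $3 }'
}

# Stand-alone run: print what each mechanism produced.
printf 'setgid dir: new file gid %s, directory gid %s\n' "$(setgid_demo)" "$(gid_of "$WORK/sgid")"
for u in 022 002 077; do
    printf 'umask %s: new file mode %s\n' "$u" "$(file_mode_with_umask "$u")"
done
printf 'default ACL: inherited entry for %s is %s\n' "$(id -gn)" "$(default_acl_demo)"
```

Reading the output against the thread: the setgid directory changes only which group owns the new file, so it still relies on the umask to decide what that group may do; the default ACL adds a named-group entry regardless of owning group, which is why it covers the "foo here, bar there" case without touching anyone's primary GID; and the umask lines show why a shared primary group under umask 022 leaks every new file to the whole group.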


Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Ondrej Valousek

> Sorry sir, but technically it is the sgid bit that is a gross hack.
> The Posix draft for ACLs never got final approval, but it is pretty
> standardized across most OSs, and works fine for any Linux OS that isn't
> on ancient kernels. It is also enabled by default on all file systems
> that matter normally.

I agree with you that the sgid bit is a big hack here and that default ACL 
rules are much more flexible in general.

> Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
> compatibility will also be much more complex than Posix ACLs, and does
> not add anything special for the default ACL use case.

Frankly speaking, I do not care too much if it is cool or not. What I do care about is real cross-platform compatibility, necessary for commercial production usage.
Posix-draft ACLs never got any final approval and are compatible across most Linuxes (Windows uses something completely different, and SunOS with its zfs filesystem, too). Moreover, there is NFSv4, which also comes with something different as you know, and appliances like Netapp NAS _only_ support NFSv4 ACL semantics.


So whereas Posix ACLs might be a perfect solution for most users/admins, the future is somewhere else. I do not want to start any flame here, I just want a simple thing: I want to use ACLs which are robust enough to be really cross-platform compatible and widely supported, so I know they will be supported even in 5-10 years.


Ondrej

Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread Dmitri Pal
On 10/25/2012 11:49 AM, KodaK wrote:
> I've been having users use the newgrp command to change their
> primary group on different machines.
>
> I've poked around in the docs a bit and I don't see this addressed.  I
> know, I know: if it works, use it -- but I'm wondering if I'm just
> missing a way to do it with IPA, or if there's another way to do it
> that might be better.
>
> Any thoughts?
>
> Thanks,
>
> --Jason

By reading the description of the command it seems that it works only
for local accounts.
So I suspect it is not effective in any case when the users come from
LDAP and not file.

That brings the question: what is the use case, why do you need it, and
subsequently, is there any other way to solve the problem you are trying
to solve with already existing means in SSSD?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
> On 10/25/2012 11:49 AM, KodaK wrote:
>> I've been having users use the newgrp command to change their
>> primary group on different machines.
>>
>> I've poked around in the docs a bit and I don't see this addressed.  I
>> know, I know: if it works, use it -- but I'm wondering if I'm just
>> missing a way to do it with IPA, or if there's another way to do it
>> that might be better.
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> --Jason
>
> By reading the description of the command it seems that it works only
> for local accounts.
> So I suspect it is not effective in any case when the users come from
> LDAP and not file.
>
> That brings the question: what is the use case and why you need it and
> subsequently is there any other way to solve the problem you are trying
> to solve with already existing means in SSSD?


I have users that need different primary groups on different machines.
The newgrp command works -- unfortunately putting it in a login
script is a bad thing because newgrp reads those same login scripts,
creating an infinite loop.

We have many different development groups, but people can be members
of multiple groups.  For collaboration, they'd like it when creating a
file to have that file have a group ownership of foo on machine-A,
but bar on machine-B.  I'd like to help the end users do this
themselves so that I don't have to maintain separate files on each
machine (one of the reasons I put in IPA in the first place. :) )

Thanks,

--Jason



Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread Dmitri Pal
On 10/25/2012 03:11 PM, KodaK wrote:
> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
>> On 10/25/2012 11:49 AM, KodaK wrote:
>>> I've been having users use the newgrp command to change their
>>> primary group on different machines.
>>>
>>> I've poked around in the docs a bit and I don't see this addressed.  I
>>> know, I know: if it works, use it -- but I'm wondering if I'm just
>>> missing a way to do it with IPA, or if there's another way to do it
>>> that might be better.
>>>
>>> Any thoughts?
>>>
>>> Thanks,
>>>
>>> --Jason
>>
>> By reading the description of the command it seems that it works only
>> for local accounts.
>> So I suspect it is not effective in any case when the users come from
>> LDAP and not file.
>>
>> That brings the question: what is the use case and why you need it and
>> subsequently is there any other way to solve the problem you are trying
>> to solve with already existing means in SSSD?
>
> I have users that need different primary groups on different machines.
> The newgrp command works -- unfortunately putting it in a login
> script is a bad thing because newgrp reads those same login scripts,
> creating an infinite loop.
>
> We have many different development groups, but people can be members
> of multiple groups.  For collaboration, they'd like it when creating a
> file to have that file have a group ownership of foo on machine-A,
> but bar on machine-B.  I'd like to help the end users do this
> themselves so that I don't have to maintain separate files on each
> machine (one of the reasons I put in IPA in the first place. :) )
>
> Thanks,
>
> --Jason

I see it to be solvable in two different ways.
One centrally in IPA. Something like an extra attribute attached to HBAC
rule that would denote the alternative default group. This is just from
top of my head. I already see problems with this approach but anyways
this is one direction.
A different option is to have a local override in the sssd.conf and make
SSSD swap primary group for the user but then you would have to
configure it per user - not a nice approach either.
Hmmm maybe some kind of sss_cache related utility that would
update cache with the preferred GID, that would work as a command but
has other implications - dealing with fast cache and server side changes
that might override the value...

Anyways not an easy fix. Can you please file an RFE?

Would you be able to contribute some code for such feature?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal d...@redhat.com wrote:
> On 10/25/2012 03:11 PM, KodaK wrote:
>> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
>>> On 10/25/2012 11:49 AM, KodaK wrote:
>>>> I've been having users use the newgrp command to change their
>>>> primary group on different machines.
>>>>
>>>> I've poked around in the docs a bit and I don't see this addressed.  I
>>>> know, I know: if it works, use it -- but I'm wondering if I'm just
>>>> missing a way to do it with IPA, or if there's another way to do it
>>>> that might be better.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>>
>>>> --Jason
>>>
>>> By reading the description of the command it seems that it works only
>>> for local accounts.
>>> So I suspect it is not effective in any case when the users come from
>>> LDAP and not file.
>>>
>>> That brings the question: what is the use case and why you need it and
>>> subsequently is there any other way to solve the problem you are trying
>>> to solve with already existing means in SSSD?
>>
>> I have users that need different primary groups on different machines.
>> The newgrp command works -- unfortunately putting it in a login
>> script is a bad thing because newgrp reads those same login scripts,
>> creating an infinite loop.
>>
>> We have many different development groups, but people can be members
>> of multiple groups.  For collaboration, they'd like it when creating a
>> file to have that file have a group ownership of foo on machine-A,
>> but bar on machine-B.  I'd like to help the end users do this
>> themselves so that I don't have to maintain separate files on each
>> machine (one of the reasons I put in IPA in the first place. :) )
>>
>> Thanks,
>>
>> --Jason
>
> I see it to be solvable in two different ways.
> One centrally in IPA. Something like an extra attribute attached to HBAC
> rule that would denote the alternative default group. This is just from
> top of my head. I already see problems with this approach but anyways
> this is one direction.

I'd think it would have to be per-user or a separate policy area:
these users get this pgrp on these servers.

> A different option is to have a local override in the sssd.conf and make
> SSSD swap primary group for the user but then you would have to
> configure it per user - not a nice approach either.
> Hmmm maybe some kind of sss_cache related utility that would
> update cache with the preferred GID, that would work as a command but
> has other implications - dealing with fast cache and server side changes
> that might override the value...
>
> Anyways not an easy fix. Can you please file an RFE?

Sure.  Where do I do that?  :)  (I'm kidding, I'll google it.)

> Would you be able to contribute some code for such feature?

I'd love to say I could, but I'm not really a coder, and my day job
has me working 50-60 hours a week as it is.  And when I say I'd love
to I really mean it.  I'd rather be doing that than my day job. :)

--Jason
