Re: [Freeipa-users] Local users/groups to IPA Transition

2014-08-14 Thread Dmitri Pal

On 07/31/2014 04:45 PM, Baird, Josh wrote:

> > I wouldn't recommend duplicating your users, pick one and use that. If you
> > want to be able to manage your users, groups, HBAC, sudo, etc.
> > centrally then you'll want the users in IPA. But if you leave them locally you
> > may end up with corner case problems.
> >
> > If you *do* end up adding your local users to IPA then yeah, you've got a
> > decision to make. Either you use the existing UID/GID which is probably fine
> > (though you may want to look at adding a local range) or you let IPA assign a
> > new UID from its own range, then you have to quickly change file ownership
> > on all enrolled systems.
>
> Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> they *will* exist in both IPA and locally during the migration period.  If they
> have the same UID/GIDs in both places (local and IPA), then I will need to
> prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate
> the local UID/GID's in IPA is to retain file permissions.
>
> Josh

I want to add that IPA is working on the concept of views. This means 
that once it is implemented you would be able to have UID/GID in IPA and 
users in AD.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Jakub Hrozek
On Thu, Jul 31, 2014 at 03:23:50PM +, Nordgren, Bryce L -FS wrote:
> 
> > Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> > they *will* exist in both IPA and locally during the migration period.  If 
> > they
> > have the same UID/GIDs in both places (local and IPA), then I will need to
> > prefer IPA to 'files' in nsswitch.conf.  The main reason I want to 
> > duplicate the
> > local UID/GID's in IPA is to retain file permissions.
> 
> The initial state and final state of your domain is identical to the initial 
> and final states of each individual machine. The transition period is 
> composed of some machines being migrated and some machines not migrated yet. 
> Those which are not migrated yet have the users in /etc/passwd and have no 
> knowledge of ipa. Those which are migrated should get users from ipa and the 
> duplicate users purged out of /etc/passwd. Setting up a machine with ipa and 
> forgetting to delete the users out of /etc/passwd is probably asking for 
> trouble.

+1 also please note that reversing the order of files and sss must be
handled with extreme care. For instance, if someone was smart enough to
name a user in IPA with the same name as some daemon user, then you'd
effectively shadow the daemon account from the machine.

Luckily sssd explicitly doesn't handle root, so even if you reversed the
order of files and sss, the sss nsswitch module would just punt on any
requests for root.

> 
> This is a separate problem from keeping UIDs the same or not. If you've got 
> NFS set up, you need to either simultaneously migrate all the machines which 
> share files, or you need to keep UIDs/GIDs the same so you can migrate 
> individual machines at your leisure. Separately, you need to trade off how 
> much work it is to configure FreeIPA to just continue with your current 
> scheme (set it up to allocate UIDs picking up where you left off) vs. "find 
> and chown" files on all your machines as part of the migration process. If 
> neither option sounds attractive to you, perhaps you may find it acceptable 
> to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA 
> uses after it takes over.
> 
> Bryce
> 
> 
> 
> 
> This electronic message contains information generated by the USDA solely for 
> the intended recipients. Any unauthorized interception of this message or the 
> use or disclosure of the information it contains may violate the law and 
> subject the violator to civil or criminal penalties. If you believe you have 
> received this message in error, please notify the sender and delete the email 
> immediately.
> 

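As an added example (not code from the thread), the check below compares the local /etc/passwd with what IPA would serve, before anyone reorders `files`/`sss` in nsswitch.conf or purges local accounts; it combines Bryce's "purge the duplicates" advice with Jakub's warning about shadowing daemon accounts. The sample accounts, UIDs, the 1234500000 range and the 999 system-UID cutoff are all assumptions made up for the example.

```python
SYSTEM_UID_MAX = 999  # assumption: UIDs at or below this are daemon/system accounts

# Constructed stand-ins for /etc/passwd and for what IPA serves (e.g. getent passwd -s sss);
# names, UIDs and the 1234500000 range are invented for the example.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
jbaird:x:1001:1001:Josh:/home/jbaird:/bin/bash
bnordgren:x:1002:1002:Bryce:/home/bnordgren:/bin/bash
legacyadm:x:1003:1003::/home/legacyadm:/bin/bash
"""
IPA_PASSWD = """\
jbaird:*:1001:1001:Josh Baird:/home/jbaird:/bin/bash
bnordgren:*:1234500002:1234500002:Bryce Nordgren:/home/bnordgren:/bin/bash
postfix:*:1234500003:1234500003:Accidental clash:/home/postfix:/bin/bash
svcacct:*:1003:1003:Service account:/home/svcacct:/sbin/nologin
"""

def parse_passwd(text):
    """Return {name: uid} from passwd(5)-format lines, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users

def classify(local, ipa):
    """Bucket each local account by the action the migration needs for it."""
    report = {"purge": [], "remap": [], "shadowed_system": [], "uid_clash": [], "local_only": []}
    ipa_by_uid = {uid: name for name, uid in ipa.items()}
    for name, uid in sorted(local.items()):
        if name == "root":
            report["local_only"].append(name)  # sssd never serves root, so it cannot be shadowed
        elif name in ipa and uid <= SYSTEM_UID_MAX:
            report["shadowed_system"].append(name)  # sss before files would hide a daemon account
        elif name in ipa and ipa[name] == uid:
            report["purge"].append(name)  # identical on both sides: safe to drop from /etc/passwd
        elif name in ipa:
            report["remap"].append((name, uid, ipa[name]))  # same user, owned files need chown
        elif uid in ipa_by_uid:
            report["uid_clash"].append((name, uid, ipa_by_uid[uid]))  # IPA gave that UID to someone else
        else:
            report["local_only"].append(name)
    return report

def migration_report():
    return classify(parse_passwd(LOCAL_PASSWD), parse_passwd(IPA_PASSWD))
```

Anything in `shadowed_system` or `uid_clash` needs resolving in IPA before the host's nsswitch order is changed; `remap` entries are the accounts that drive the "find and chown" pass.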


Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Nordgren, Bryce L -FS

> Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> they *will* exist in both IPA and locally during the migration period.  If 
> they
> have the same UID/GIDs in both places (local and IPA), then I will need to
> prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate 
> the
> local UID/GID's in IPA is to retain file permissions.

The initial state and final state of your domain is identical to the initial 
and final states of each individual machine. The transition period is composed 
of some machines being migrated and some machines not migrated yet. Those which 
are not migrated yet have the users in /etc/passwd and have no knowledge of 
ipa. Those which are migrated should get users from ipa and the duplicate users 
purged out of /etc/passwd. Setting up a machine with ipa and forgetting to 
delete the users out of /etc/passwd is probably asking for trouble.

This is a separate problem from keeping UIDs the same or not. If you've got NFS 
set up, you need to either simultaneously migrate all the machines which share 
files, or you need to keep UIDs/GIDs the same so you can migrate individual 
machines at your leisure. Separately, you need to trade off how much work it is 
to configure FreeIPA to just continue with your current scheme (set it up to 
allocate UIDs picking up where you left off) vs. "find and chown" files on all 
your machines as part of the migration process. If neither option sounds 
attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA 
block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.

Bryce







Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Baird, Josh

> I wouldn't recommend duplicating your users, pick one and use that. If you
> want to be able to manage your users, groups, HBAC, sudo, etc.
> centrally then you'll want the users in IPA. But if you leave them locally you
> may end up with corner case problems.
> 
> If you *do* end up adding your local users to IPA then yeah, you've got a
> decision to make. Either you use the existing UID/GID which is probably fine
> (though you may want to look at adding a local range) or you let IPA assign a
> new UID from its own range, then you have to quickly change file ownership
> on all enrolled systems.
> 

Well, the users are definitely going to be in IPA (or AD via IPA).  However, 
they *will* exist in both IPA and locally during the migration period.  If they 
have the same UID/GIDs in both places (local and IPA), then I will need to 
prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate 
the local UID/GID's in IPA is to retain file permissions.

Josh



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Rob Crittenden
Baird, Josh wrote:
>> So if I understand this right, you're planning on two back to back user
>> migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your
>> current "local" users coincidentally the same as your current AD users?
> 
> Well - I will likely try to skip the Local -> FreeIPA and just go directly to 
> FreeIPA -> AD.  My main question though still remains - do I force the same 
> local UID/GIDs to the IPA/AD users?  I'm just looking for advice on local 
> user to IPA migration strategies.

I wouldn't recommend duplicating your users, pick one and use that. If
you want to be able to manage your users, groups, HBAC, sudo, etc.
centrally then you'll want the users in IPA. But if you leave them
locally you may end up with corner case problems.

If you *do* end up adding your local users to IPA then yeah, you've got
a decision to make. Either you use the existing UID/GID which is
probably fine (though you may want to look at adding a local range) or you
let IPA assign a new UID from its own range, then you have to quickly
change file ownership on all enrolled systems.

rob



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Baird, Josh
> So if I understand this right, you're planning on two back to back user
> migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your
> current "local" users coincidentally the same as your current AD users?

Well - I will likely try to skip the Local -> FreeIPA and just go directly to 
FreeIPA -> AD.  My main question though still remains - do I force the same 
local UID/GIDs to the IPA/AD users?  I'm just looking for advice on local user 
to IPA migration strategies.

Josh



Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-30 Thread Nordgren, Bryce L -FS


> We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our
> UNIX infrastructure.  All of our Linux hosts currently have standard and
> consistent UID/GIDs for at least all of our administrative users.  I'm looking
> for advice on how to migrate these users into IPA.
>...
> Eventually we plan to configure a kerberos trust with our AD domain where
> we could configure these UID/GIDs via AD's POSIX UID/GID settings.

So if I understand this right, you're planning on two back to back user 
migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your 
current "local" users coincidentally the same as your current AD users?

I'm probably a bad example. I centralized authentication for web apps about 
four years ago. I'm adopting FreeIPA because my desktops are "every machine for 
itself". I have the same username everywhere, but UIDs/GIDs are uncoordinated. 
More important to me is the fact that my passwords are related to whatever was 
in vogue when I set up the machine, and the machines were set up any time from 
this month to ten years ago. Converting to FreeIPA happened because I started 
thinking of my little domain as a place to manage collections of desktops 
instead of just collections of web applications.

I'm also feverishly trying to set up an isolation layer between myself and AD, 
because my CIO is migrating from an "agency" directory to a "department" 
directory, with users migrating in batches not aligned to the projects I 
support. The isolation layer also allows me to continue to form groups composed 
of both AD and FreeIPA users, allows me to supplement or override user 
attributes for the local environment, and (cross-fingers) will allow for NFS 
file sharing with kerberos authenticated principals from more than one realm 
(assuming the Kerberos trust comes through). Four birds with one stone.

Bryce




