On 2017-04-13 21:41, Kilian Cavalotti wrote:

Hi Janne,

On Thu, Apr 13, 2017 at 1:32 AM, Janne Blomqvist
<janne.blomqv...@aalto.fi> wrote:
Should work as of 16.05 unless you have some very peculiar setup. IIRC I
submitted some patch to get rid of the enumeration entirely, but
apparently SchedMD has customers who have multiple groups with the same
GID, and for that to work (whatever "work" means in that context) the
enumeration is necessary. But if you don't have crazy stuff like that it
should all work with enumeration disabled.

Well, even without dwelling into crazy stuff, enumeration is necessary
for things like getting a comprehensive list of all the members of a
primary group.

The way group membership usually works, users have:
* a primary group that is stored in the user record (either in
/etc/passwd or ou=accounts in LDAP)
* one or more secondary group(s), that are managed in a completely
separate branch (/etc/group or ou=groups in LDAP)

It's pretty easy to list all the members of a secondary group, because
they look like this: "secondary_group:user1,user2,..."
But for primary groups, they are in the form of "user1:primary_group",
so you have to be able to get the full list of users (through
enumeration) to be able to identify all the users that are part of
"primary_group".

And that's true, sssd is not reliable for enumeration, but it's still
required for some basic things.

Cheers,


The way Slurm handles it without enumeration, e.g. for checking whether a user is allowed to use a partition with an AllowGroups= specifier, is that it checks all the groups listed in AllowGroups, and it also checks whether the user's primary group is in AllowGroups. So it does not need enumeration in this case.

I'd even go as far as saying that software intended for use in large environments shouldn't rely on enumeration, period.

--
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqv...@aalto.fi
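
The two lookups discussed in this thread, as an added sketch that is not part of either mail and is not Slurm's code: `user_allowed` makes the AllowGroups-style decision with keyed lookups only, while `group_members` shows why a full member list of a primary group needs enumeration. The function names and the sample users and groups are constructed for illustration.

```python
import grp
import pwd
from collections import namedtuple

# Constructed sample directory (not from the thread): alice belongs to
# "physics" only through her primary GID, so the group record does not list her.
User = namedtuple("User", "pw_name pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
USERS = {n: User(n, g) for n, g in (("alice", 2000), ("bob", 2001), ("carol", 2002))}
GROUPS = {
    "physics": Group("physics", 2000, []),
    "gpu": Group("gpu", 3000, ["bob"]),
}


def user_allowed(user, allow_groups, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Access decision from keyed lookups only; works with enumeration disabled."""
    try:
        primary_gid = getpwnam(user).pw_gid
    except KeyError:
        return False  # unknown user: deny
    for name in allow_groups:
        try:
            g = getgrnam(name)
        except KeyError:
            continue  # a configured group that does not resolve grants nothing
        # Secondary membership is in the group record; primary membership
        # exists only as the GID stored in the user record.
        if user in g.gr_mem or g.gr_gid == primary_gid:
            return True
    return False


def group_members(name, getgrnam=grp.getgrnam, getpwall=pwd.getpwall):
    """Complete member list: must walk every user record (enumeration)."""
    g = getgrnam(name)
    primary = {u.pw_name for u in getpwall() if u.pw_gid == g.gr_gid}
    return sorted(set(g.gr_mem) | primary)


def check_sample(user, allow_groups):
    return user_allowed(user, allow_groups, USERS.__getitem__, GROUPS.__getitem__)


def sample_members(name):
    return group_members(name, GROUPS.__getitem__, USERS.values)
```

With the defaults, the functions call the system's NSS through Python's `pwd` and `grp` modules; on a host where sssd enumeration is off, `pwd.getpwall()` will not return the directory users, so `group_members` silently under-reports while `user_allowed` is unaffected.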
