Simon, that's where I don't catch ( sorry) :
> You are asking it to know about "unknown" users If you say in nsswitch.conf : passwd: local sss group: sss local Then sss should know about users that are in local /etc/passwd and may retrieve their groups in ldap ? Why would that be inconsistent not to insert users entries in ldap in that situation ? BTW, I don' think that ldap requires that an entry exists for a posixgroup memberuid ? --- Olivier 2012/3/14 Simo Sorce <[email protected]>: > On Wed, 2012-03-14 at 17:13 +0100, Olivier wrote: >> Thanks Simon, >> >> that's what I will do as a first approx I think, >> however I'm not sure that this will meet my >> need : >> >> 1- there are some sysacounts that I need on >> certain machines (linked for example to specific >> applications installed on them) that I wouldn't like >> to be accessible or even visible from others ; > > Use user filters on the other machines if they really bother you, but if > you are referencing them in groups you are not really keeping them > secret anyways. > >> 2- I will need to maintain an additional source of >> information ( and I'm lazy :-), moreover will this >> new source always rightly synchronized with >> local passwd databases ? ) > > Use a script that dumps locally the users from ldap, so that you > maintain those users in only one place win-win :) > >> 3- some accounts may have slightly different information >> from one boxe to anther ( different home directory for >> example ). > > That's ok, you are overriding the central ones completely for > getpwnam/getpwuid purposes. > >> In brieve, the behaviour that would be great for me would be : >> if nsswitch says that sss is the primary source of information >> for groups, then returns all ldap groups for users, and add the >> primary group declared locally if the primary group for that user >> can't be found in ldap. > > The problem is that sssd wants to be self-consistent. You are asking it > to know about "unknown" users only for grouping purposes. It's basically > a hack. So hack per hack I think you'd be better off using the trick of > shadowing users by adding them in passwd and keeping a copy in ldap. > > The only case where you may have issues is if uid/gid need to mismatch > but that shouldn't normally cause big issues as the only information you > lookup from ssd is group membership and that does not rely on uids/gids > to match. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > sssd-devel mailing list > [email protected] > https://fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list [email protected] https://fedorahosted.org/mailman/listinfo/sssd-devel
