On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
> On (24/08/16 09:10), Joakim Tjernlund wrote:
> >On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> >> On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> >> > 
> >> > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> >> > > 
> >> > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> >> > > > 
> >> > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> >> > > > > 
> >> > > > > 
> >> > > > > Getting to the end of our AD domain migration but there is one step I 
> >> > > > > haven't solved.
> >> > > > > Our users have UID/GID in the new domain while the already present 
> >> > > > > users in the new domain
> >> > > > > do not. Assigning UID/GID to all users does not sit well with 
> >> > > > > upstream IT so I am 
> >> > > > > looking at what to do with these when they visit/access our site.
> >> > > > > 
> >> > > > > What comes to mind is partial id_mapping: if a user has UID/GID in 
> >> > > > > the AD, use that, otherwise
> >> > > > > do id_mapping for that user (preferably the same way samba does it, 
> >> > > > > since we already have a samba-
> >> > > > > based interim solution).
> >> > > > > 
> >> > > > > I haven't found a way to do that in sssd, is there?
> >> > > > > Maybe I am just full of it and this is really a bad idea?
> >> > > > 
> >> > > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can 
> >> > > > be used
> >> > > > for this purpose. (I'm not very sure about pure-SSSD case.)
> >> 
> >> It is also possible in the pure-SSSD case, see man sss_override for
> >> details.
> >> 
> >> > 
> >> > > 
> >> > > 
> >> > > I wish, but this is a Windows AD :(
> >> > 
> >> > Petr had IPA-AD trusts in mind, I guess.
> >> > 
> >> > Partial ID mapping is not possible, sorry.
> >> 
> >> yes, SSSD cannot do this automatically because we can never be sure that
> >> a UID/GID attribute will be added in future to a user who currently
> >> does not have them set.
> >
> >I see, but does not sssd refresh/check cached values against AD regularly?
> >Or mark the non UID/GID user as do not cache? 
> >
> I am not sure you understand it correctly.
> 
> sssd does not support partial ID mapping intentionally.
> 
> Let's imagine the partial ID mapping would be enabled but none of the
> users have POSIX attributes. So sssd would generate UID/GID from SID.
> 
> Then later someone decides to add UID and GID into Active Directory.
> But there is a chance that the administrator would not be careful
> and assign IDs which are already generated from SID for another user.
> If the other user had higher privileges then it would be a security problem.

...also files would have to be chown-ed, so at the very least there is a
huge annoyance for the admins and a risk of locking users out of
their files because you forgot to chown some files..
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
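The collision scenario Lukas describes above, and the chown problem Jakub adds, as an added, constructed example (not SSSD code, not the sssd-users posters' code). It simulates the "explicit uidNumber if set, otherwise derive from the SID" policy the thread discusses and audits two snapshots of a directory: one where nobody has POSIX attributes, and a later one where an admin has added uidNumber to some accounts. The SID-to-UID rule, the range constants, the domain SID and the user records are all assumptions made for illustration; SSSD's real algorithmic mapping hashes the domain SID into ID slices and is not reproduced here.

```python
"""Constructed example, not SSSD code: audit a partial ID-mapping policy
("uidNumber from AD when set, otherwise derive a UID from the SID") for
the two failure modes raised on sssd-users: an explicit uidNumber added
later that lands on another account's SID-derived UID, and accounts
whose UID changed (so their files would have to be chown-ed).

The SID->UID rule below is a deliberately simple idmap_rid-style
"base + RID" stand-in, chosen for illustration only.
"""

from collections import defaultdict

# Hypothetical algorithmic range (assumption for illustration only).
RANGE_BASE = 200000
RANGE_SIZE = 200000


def algorithmic_uid(sid):
    """Derive a UID from the RID (last SID component). Stand-in only."""
    rid = int(sid.rsplit("-", 1)[1])
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d outside configured range" % rid)
    return RANGE_BASE + rid


def effective_uid(user):
    """Partial mapping: explicit uidNumber wins, else derive from SID.
    Returns (uid, source) so the audit can report where each UID came from."""
    if user.get("uidNumber") is not None:
        return user["uidNumber"], "posix"
    return algorithmic_uid(user["sid"]), "sid"


def audit(users):
    """Return (mapping, collisions): name -> (uid, source), and every UID
    claimed by more than one account under the partial-mapping policy."""
    mapping = {}
    owners = defaultdict(list)
    for u in users:
        uid, source = effective_uid(u)
        mapping[u["name"]] = (uid, source)
        owners[uid].append(u["name"])
    collisions = {uid: names for uid, names in owners.items() if len(names) > 1}
    return mapping, collisions


def changed_ids(before, after):
    """Accounts whose UID differs between two audits: name -> (old, new).
    Every entry here means files on disk still carry the old UID."""
    return {n: (before[n][0], after[n][0])
            for n in before if n in after and before[n][0] != after[n][0]}


DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Stage 1: nobody has POSIX attributes, every UID is SID-derived.
STAGE1 = [
    {"name": "alice", "sid": DOMAIN + "-1105", "uidNumber": None},
    {"name": "bob", "sid": DOMAIN + "-1106", "uidNumber": None},
    {"name": "ops-admin", "sid": DOMAIN + "-1107", "uidNumber": None},
]

# Stage 2: an admin later sets uidNumber on two accounts. alice's value
# was picked without checking the algorithmic range and lands on the UID
# that bob is still getting from his SID.
STAGE2 = [
    {"name": "alice", "sid": DOMAIN + "-1105", "uidNumber": 201106},
    {"name": "bob", "sid": DOMAIN + "-1106", "uidNumber": None},
    {"name": "ops-admin", "sid": DOMAIN + "-1107", "uidNumber": 10000},
]

if __name__ == "__main__":
    m1, c1 = audit(STAGE1)
    m2, c2 = audit(STAGE2)
    print("stage 1 collisions:", c1)  # {}
    print("stage 2 collisions:", c2)  # {201106: ['alice', 'bob']}
    # {'alice': (201105, 201106), 'ops-admin': (201107, 10000)}
    print("UIDs that changed (files to chown):", changed_ids(m1, m2))
```

Against a real directory the two snapshots would come from an LDAP export of `objectSid` and `uidNumber` taken before and after the attribute change; the point of the audit is that with partial mapping a collision is only detectable after the fact, which is why the thread's answer is to pick one scheme for the whole domain (or use sss_override per host) rather than mix them.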