On 24.8.2016 15:59, Joakim Tjernlund wrote:
> On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
>> On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
>>>
>>> On (24/08/16 09:10), Joakim Tjernlund wrote:
>>>>
>>>> On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
>>>>>
>>>>> On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
>>>>>>
>>>>>> On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
>>>>>>>
>>>>>>> On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
>>>>>>>>
>>>>>>>> On 24.8.2016 09:03, Joakim Tjernlund wrote:
>>>>>>>>>
>>>>>>>>> Getting to the of our AD domain migration but there is one step I
>>>>>>>>> haven't solved.
>>>>>>>>> Our users have UID/GID in the new domain while the already present
>>>>>>>>> users in the new domain do not. Assigning UID/GID to all users does
>>>>>>>>> not sit well with upstream IT so I am looking at what to do with
>>>>>>>>> these when they visit/access our site.
>>>>>>>>>
>>>>>>>>> What comes to mind is partial id_mapping: if a user had UID/GID in
>>>>>>>>> the AD use that, otherwise do id_mapping for that user (preferably
>>>>>>>>> the same way samba does it since we already have a samba based
>>>>>>>>> interim solution).
>>>>>>>>>
>>>>>>>>> I haven't found a way to do that in sssd, is there?
>>>>>>>>> Maybe I am just full of it and this is really a bad idea?
>>>>>>>>
>>>>>>>> Are you using FreeIPA? FreeIPA got support for "ID Views" which can
>>>>>>>> be used for this purpose. (I'm not very sure about pure-SSSD case.)
>>>>>
>>>>> It is also possible in the pure-SSSD case, see man sss_override for
>>>>> details.
>>>>>
>>>>>>>
>>>>>>> I wish, but this is a Windows AD :(
>>>>>>
>>>>>> Petr had IPA-AD trusts in mind, I guess.
>>>>>>
>>>>>> Partial ID mapping is not possible, sorry.
>>>>>
>>>>> yes, SSSD cannot do this automatically because we can never be sure that
>>>>> a UID/GID attribute will be added in future to a user who currently
>>>>> does not have them set.
>>>>
>>>> I see, but does not sssd refresh/check cached values against AD regularly?
>>>> Or mark the non UID/GID user as do not cache?
>>>>
>>> I am not sure you understand it correctly.
>>>
>>> sssd does not support partial ID mapping intentionally.
>>>
>>> Let's imagine. The partial ID mapping would be enabled but neither of the
>>> users has POSIX attributes. So sssd would generate UID/GID from SID.
>>>
>>> Then later someone decides to add UID and GID into Active Directory.
>>> But there is a chance that the administrator would not be careful
>>> and assign IDs which are already generated from SID for another user.
>>> If the other user had higher privileges then it would be a security
>>> problem.
>>
>> ...also files would have to be chown-ed, so at the very least there is a
>> huge annoyance to the admins and a risk of locking users out from
>> their files because you forget to chown some files..
>>
>
> OK, so no good way to fix this problem as it is now.
> But, so I am sure, if we were to get a subdomain to INFINERA.COM, say
> SE.INFINERA.COM, it would be possible to have UID/GID in SE.INFINERA.COM
> and idmapping in INFINERA.COM?
> What about group membership, can a SE.INFINERA.COM user be in a group in
> INFINERA.COM and vice versa?
>
> But then we would have to deal with TRANSMODE.SE (old, to be retired),
> SE.INFINERA.COM and INFINERA.COM in sssd.conf et al.?
AFAIK IPA<->AD trust would allow you to have only the IPA domain in
sssd.conf on clients and manage everything else on IPA servers/database.
This includes UID/GID overrides and so on.

If you are interested in details, please ask [email protected]
mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr Spacek @ Red Hat

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
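The collision Lukas and Jakub describe (hand-assigned uidNumber values landing on IDs that SSSD already generated from SIDs) can be audited before anyone adds POSIX attributes to the directory. The following Python script is an added example, not code from this thread or from SSSD: it lists users that would fall back to SID-based mapping and flags assigned IDs that collide with, or sit inside the range reserved for, SID-derived IDs. The range constants are SSSD's documented defaults; SLICE_BASE and SAMPLE_USERS are assumptions (SSSD chooses the slice by hashing the domain SID, which is not reproduced here).

```python
# Added example (not SSSD code): audit AD entries for the collision the thread describes.
# Range values are SSSD's documented defaults; SLICE_BASE and SAMPLE_USERS are assumptions.
RANGE_MIN = 200000        # sssd default ldap_idmap_range_min
RANGE_MAX = 2000200000    # sssd default ldap_idmap_range_max
RANGE_SIZE = 200000       # sssd default ldap_idmap_range_size
SLICE_BASE = 200000       # assumed first slice base (sssd derives it by hashing the domain SID)

# Constructed sample: alice has no POSIX attributes, the others were assigned by hand.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1111-2222-3333-1105", "uidNumber": None},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1111-2222-3333-1106", "uidNumber": 1000},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1111-2222-3333-1107", "uidNumber": 201105},
    {"sAMAccountName": "dave", "objectSid": "S-1-5-21-1111-2222-3333-1108", "uidNumber": 350000},
]

def rid_of(sid):
    """RID (last sub-authority) of a domain SID like S-1-5-21-a-b-c-RID."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S" or parts[3] != "21":
        raise ValueError(f"not a domain SID: {sid}")
    return int(parts[-1])

def sid_to_id(sid, slice_base=SLICE_BASE):
    """One-slice mapping rule: slice base plus RID (secondary slices are not modelled)."""
    rid = rid_of(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} exceeds the slice size {RANGE_SIZE}")
    return slice_base + rid

def audit(users, slice_base=SLICE_BASE):
    """Return (names that need SID mapping, conflicts).
    A conflict is (name, uidNumber, name of the colliding mapped user or None, reason)."""
    generated = {}       # SID-derived ID -> user that would receive it
    needs_mapping = []
    for u in users:
        if u.get("uidNumber") is None:
            generated[sid_to_id(u["objectSid"], slice_base)] = u["sAMAccountName"]
            needs_mapping.append(u["sAMAccountName"])
    conflicts = []
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            continue
        if uid in generated:  # exactly the case Lukas describes: two users, one UID
            conflicts.append((u["sAMAccountName"], uid, generated[uid], "collides with SID-mapped ID"))
        elif RANGE_MIN <= uid <= RANGE_MAX:  # no collision today, but inside the auto range
            conflicts.append((u["sAMAccountName"], uid, None, "inside auto-mapping range"))
    return needs_mapping, conflicts
```

Calling audit(SAMPLE_USERS) on the constructed entries reports carol's uidNumber as colliding with alice's SID-derived ID and dave's as sitting inside the auto-mapping range, while bob's 1000 passes.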
