On Wed, 2016-08-24 at 16:28 +0200, Petr Spacek wrote:
> On 24.8.2016 15:59, Joakim Tjernlund wrote:
> > On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
> > > On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
> > > > On (24/08/16 09:10), Joakim Tjernlund wrote:
> > > > > On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> > > > > > On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> > > > > > > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> > > > > > > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> > > > > > > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> > > > > > > > > > Getting to the of our AD domain migration but there is one
> > > > > > > > > > step I haven't solved.
> > > > > > > > > > Our users have UID/GID in the new domain while the already
> > > > > > > > > > present users in the new domain do not. Assigning UID/GID to
> > > > > > > > > > all users does not sit well with upstream IT so I am looking
> > > > > > > > > > at what to do with these when they visit/access our site.
> > > > > > > > > >
> > > > > > > > > > What comes to mind is partial id_mapping: if a user had
> > > > > > > > > > UID/GID in the AD use that, otherwise do id_mapping for that
> > > > > > > > > > user (preferably the same way samba does it since we already
> > > > > > > > > > have a samba based interim solution).
> > > > > > > > > >
> > > > > > > > > > I haven't found a way to do that in sssd, is there?
> > > > > > > > > > Maybe I am just full of it and this is really a bad idea?
> > > > > > > > >
> > > > > > > > > Are you using FreeIPA? FreeIPA got support for "ID Views"
> > > > > > > > > which can be used for this purpose. (I'm not very sure about
> > > > > > > > > pure-SSSD case.)
> > > > > >
> > > > > > It is also possible in the pure-SSSD case, see man sss_override for
> > > > > > details.
> > > > > >
> > > > > > > >
> > > > > > > > I wish, but this is a Windows AD :(
> > > > > > >
> > > > > > > Petr had IPA-AD trusts in mind, I guess.
> > > > > > >
> > > > > > > Partial ID mapping is not possible, sorry.
> > > > > >
> > > > > > yes, SSSD cannot do this automatically because we can never be sure
> > > > > > that a UID/GID attribute will be added in future to a user who
> > > > > > currently does not have them set.
> > > > >
> > > > > I see, but does not sssd refresh/check cached values against AD
> > > > > regularly?
> > > > > Or mark the non UID/GID user as do not cache?
> > > >
> > > > I am not sure you understand it correctly.
> > > >
> > > > sssd does not support partial ID mapping intentionally.
> > > >
> > > > Let's imagine. The partial ID mapping would be enabled but neither of
> > > > the users has POSIX attributes. So sssd would generate UID/GID from SID.
> > > >
> > > > Then later someone decides to add UID and GID into Active Directory.
> > > > But there is a chance that the administrator would not be careful
> > > > and assign IDs which are already generated from SID for another user.
> > > > If the other user had higher privileges then it would be a security
> > > > problem.
> > >
> > > ...also files would have had to be chown-ed, so at the very least there
> > > is a huge annoyance to the admins and a risk of locking users out of
> > > their files because you forgot to chown some files..
> >
> > OK, so no good way to fix this problem as it is now.
> > But, so I am sure, if we were to get a subdomain to INFINERA.COM, say
> > SE.INFINERA.COM, would it be possible to have UID/GID in SE.INFINERA.COM
> > and idmapping in INFINERA.COM?
> > What about group membership, can a SE.INFINERA.COM user be in a group in
> > INFINERA.COM and vice versa?
> >
> > But then we would have to deal with TRANSMODE.SE (old, to be retired),
> > SE.INFINERA.COM and INFINERA.COM in sssd.conf et al.?
>
> AFAIK IPA<->AD trust would allow you to have only the IPA domain in
> sssd.conf on clients and manage everything else on IPA servers/database.
> This includes UID/GID overrides and so on.

hmm, I was thinking we would have a Windows AD subdomain. I think FreeIPA
will be a bit too much for our IT staff to handle.

 Jocke

_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/admin/lists/[email protected]
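The collision Lukas and Jakub describe above (an administrator later assigning a uidNumber that SSSD's SID-based mapping has already handed to a different, possibly more privileged user) is something an AD admin can check for before adding POSIX attributes. The following is an added example, not code from the thread or from the SSSD project: it uses a deliberately simplified stand-in for SSSD's range-based SID-to-ID mapping (assumed: a fixed per-domain slice base plus the RID; the real SSSD algorithm and its range defaults are not reproduced here) and a small constructed set of AD users, and reports explicit IDs that shadow a generated one or that fall inside the algorithmic range at all.

```python
# Added example (not from the mailing-list thread or from SSSD):
# detect explicit uidNumber values that collide with IDs an algorithmic
# SID->UID mapping already assigned to users without POSIX attributes.
#
# ASSUMPTION: the mapping below is a simplified stand-in, not SSSD's real
# scheme. It places each domain in one fixed-size slice and maps
# UID = slice_base + RID. The constants and the domain SID are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RANGE_MIN = 200000   # assumed start of the algorithmic ID range
SLICE_SIZE = 200000  # assumed size of one domain's slice

# Constructed domain SID -> slice index (assumption, one domain here)
DOMAIN_SLICES: Dict[str, int] = {"S-1-5-21-1111-2222-3333": 0}


@dataclass
class AdUser:
    name: str
    sid: str                          # objectSid as S-1-5-21-<domain>-<rid>
    uid_number: Optional[int] = None  # explicit POSIX uidNumber, if set


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSid string into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def generated_uid(sid: str) -> int:
    """UID the (simplified) algorithmic mapping hands out for this SID."""
    domain, rid = split_sid(sid)
    if rid >= SLICE_SIZE:
        raise ValueError("RID does not fit in the domain slice")
    return RANGE_MIN + DOMAIN_SLICES[domain] * SLICE_SIZE + rid


def effective_uid(user: AdUser) -> int:
    """Explicit uidNumber wins; otherwise the generated ID is used."""
    return user.uid_number if user.uid_number is not None else generated_uid(user.sid)


def find_collisions(users: List[AdUser]) -> List[Tuple[str, str, int]]:
    """Return (explicit_user, shadowed_user, uid) for every explicit
    uidNumber that equals a UID generated for a user without POSIX attrs."""
    generated: Dict[int, AdUser] = {
        generated_uid(u.sid): u for u in users if u.uid_number is None
    }
    return [
        (u.name, generated[u.uid_number].name, u.uid_number)
        for u in users
        if u.uid_number is not None and u.uid_number in generated
    ]


def explicit_ids_in_mapped_range(users: List[AdUser]) -> List[str]:
    """Names of users whose explicit uidNumber lies inside the algorithmic
    range at all; such IDs can collide with a future generated ID even if
    they do not collide today."""
    lo = RANGE_MIN
    hi = RANGE_MIN + len(DOMAIN_SLICES) * SLICE_SIZE
    return [u.name for u in users
            if u.uid_number is not None and lo <= u.uid_number < hi]


# Constructed sample directory: two users with POSIX attrs, two without.
SAMPLE_USERS = [
    AdUser("jocke", "S-1-5-21-1111-2222-3333-1103", uid_number=10001),
    AdUser("svc-backup", "S-1-5-21-1111-2222-3333-1104"),   # generated 201104
    AdUser("bob", "S-1-5-21-1111-2222-3333-1105"),          # generated 201105
    AdUser("alice", "S-1-5-21-1111-2222-3333-1106", uid_number=201104),
]

if __name__ == "__main__":
    for name, shadowed, uid in find_collisions(SAMPLE_USERS):
        print(f"COLLISION: {name} uidNumber={uid} shadows generated ID of {shadowed}")
    for name in explicit_ids_in_mapped_range(SAMPLE_USERS):
        print(f"WARNING: {name} has an explicit uidNumber inside the mapped range")
```

Run against the sample, the check flags `alice`, whose explicit uidNumber 201104 equals the ID generated for `svc-backup`; on a real directory the same two functions would be fed the objectSid and uidNumber attributes exported from AD, and the mapping constants would have to match the idmap range actually configured on the clients.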
