I’m trying to support an odd configuration.

We have an IPA system, which is used in the normal way for systems run by 
staff. But we have hundreds of systems run by faculty and grad students. I’d 
like to encourage them to integrate with our system. However their usernames 
and UIDs don’t typically match ours. I don’t think there’s much I can do about 
usernames. But I’d at least like to survive differing UIDs. Kerberos and even 
NFS V4 don’t care about UIDs.

So I set up sssd pointing to IPA, with access_provider = deny (meaning only 
people accepted by pam_unix can login), and nsswitch.conf having “files sss.” 
If a user logs in with the Kerberos password they’re logged in correctly, but 
they can’t access their own Kerberos credentials.

Their logged-in UID is the one in /etc/passwd, because login correctly obeys 
nsswitch. But their Kerberos credentials are for the UID in IPA.

I can change id_provider to proxy/files. But then the sss nsswitch map doesn’t 
work. I need to get groups from IPA in order to interpret groups on our Netapp. 
I’d like to get users from IPA when there isn’t an entry in /etc/passwd, so 
that ls -l on the Netapp can interpret user names.

So what I’d like is that when sssd creates Kerberos credentials, it uses the 
same user that login is going to use, i.e. that it obeys nsswitch. Is this a 
reasonable expectation?

Going further, I’d like a way to do username mapping that will work with both 
sssd and Kerberos. One approach would be to pay attention to the username map 
in /etc/krb5.conf or idmapd.conf, since I’d have to put the mapping in both (I 
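A small diagnostic, added here as an example and not part of the original post, that reproduces the mismatch described above: it resolves a user's UID from the files source and from sssd separately and flags users whose login UID (files wins under “files sss”) differs from the UID sssd will use when it creates the credential cache. The passwd entries are constructed samples; the ccache path format and the getent service names are assumptions noted in the comments.

```shell
#!/bin/sh
# Detect users whose login UID (nsswitch "files sss": /etc/passwd wins) differs
# from the UID sssd resolves from IPA, i.e. the case where the session runs as
# one UID while sssd creates the Kerberos ccache for another.

# Constructed sample data standing in for the two nsswitch sources. On a live
# host use:  getent -s files passwd "$user"   and   getent -s sss passwd "$user"
FILES_DB='alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash'
SSS_DB='alice:*:512000001:512000001:Alice (IPA):/home/alice:/bin/bash
bob:*:1002:1002:Bob (IPA):/home/bob:/bin/bash
carol:*:512000003:512000003:Carol (IPA):/home/carol:/bin/bash'

# lookup_uid DB USER: print the UID field of USER's passwd entry in DB, if any.
lookup_uid() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $3; exit }'
}

# uid_mismatch USER: succeed (0) only when USER exists in both sources with
# different UIDs. A user present only in sss is consistent, since nsswitch
# falls through to sss and login and sssd then agree. Sets login_uid/sss_uid.
uid_mismatch() {
    login_uid=$(lookup_uid "$FILES_DB" "$1")
    sss_uid=$(lookup_uid "$SSS_DB" "$1")
    [ -n "$login_uid" ] && [ -n "$sss_uid" ] && [ "$login_uid" != "$sss_uid" ]
}

# report USER...: one line per user. The ccache path assumes a FILE: template
# of the form /tmp/krb5cc_%U (an assumption; check krb5_ccname_template).
report() {
    for u in "$@"; do
        if uid_mismatch "$u"; then
            printf '%s: MISMATCH login UID %s, sssd UID %s -> /tmp/krb5cc_%s is not readable by UID %s\n' \
                "$u" "$login_uid" "$sss_uid" "$sss_uid" "$login_uid"
        else
            printf '%s: consistent\n' "$u"
        fi
    done
}

report alice bob carol
```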

