On Mon, Apr 09, 2018 at 04:32:00PM +0000, Charles Hedrick wrote:
> I’m trying to support an odd configuration.
>
> We have an IPA system, which is used in the normal way for systems run by
> staff. But we have hundreds of systems run by faculty and grad students. I’d
> like to encourage them to integrate with our system. However their usernames
> and UIDs don’t typically match ours. I don’t think there’s much I can do
> about usernames. But I’d at least like to survive differing UIDs. Kerberos
> and even NFS V4 don’t care about UIDs.
>
> So I set up sssd pointing to IPA, with access_provider = deny (meaning only
> people accepted by pam_unix can login), and nsswitch.conf having “files sss.”
> If a user logs in with the Kerberos password they’re logged in correctly,
> but they can’t access their own Kerberos credentials.
>
> Their logged in UID is the one in /etc/passwd, because login correctly obeys
> nsswitch. But their Kerberos credentials are for the UID in IPA.
>
> I can change id_provider to proxy/files. But then the sss nsswitch map
> doesn’t work. I need to get groups from IPA in order to interpret groups on
> our Netapp. I’d like to get users from IPA when there isn’t an entry in
> /etc/passwd, so that ls -l on the Netapp can interpret user names.
>
> So what I’d like is that when sssd creates Kerberos credentials, it uses the
> same user that login is going to use, i.e. that it obeys nsswitch. Is this a
> reasonable expectation?
>
> Going further, I’d like a way to do username mapping that will work with both
> sssd and Kerberos. One approach would be to pay attention to the username map
> in /etc/krb5.conf or idmapd.conf, since I’d have to put the mapping in both
> (I think).

Maybe the krb5_map_user option can help, please see man sssd-krb5 for details.

bye,
Sumit

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
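
As an added example (not part of the original thread and not sssd code): a shell helper that lists the accounts affected by the UID mismatch described in the question, by comparing two passwd-format files. The function names and sample accounts are constructed; on a real host the inputs could be collected with `getent -s files passwd` and, per local name, `getent -s sss passwd NAME`.

```shell
#!/bin/sh
# Added example: find names whose UID in the local passwd file differs from
# the UID the directory (IPA via sssd) reports. These are the accounts whose
# session UID and credential-cache owner UID would disagree.
# Both inputs are passwd(5) format: name:passwd:uid:gid:gecos:home:shell

# uid_mismatches LOCAL_FILE DIRECTORY_FILE
# Prints "name local_uid directory_uid" for each name present in both files
# with different UIDs. Names found in only one file are skipped.
uid_mismatches() {
    awk -F: '
        /^[#+-]/ || NF < 3 { next }   # comments, compat entries, short lines
        FILENAME == ARGV[1] { local_uid[$1] = $3; next }
        ($1 in local_uid) && local_uid[$1] != $3 {
            print $1, local_uid[$1], $3
        }
    ' "$1" "$2"
}

# Constructed sample data (hypothetical accounts, not from the thread).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/local" <<'EOF'
# local accounts on a faculty-run machine
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
    cat > "$dir/ipa" <<'EOF'
alice:*:52001:52001:Alice:/home/alice:/bin/bash
bob:*:1001:1001:Bob:/home/bob:/bin/bash
dave:*:52004:52004:Dave:/home/dave:/bin/bash
EOF
    uid_mismatches "$dir/local" "$dir/ipa"
    rm -rf "$dir"
}

demo
```

Only `alice` is reported: `bob` has the same UID in both sources, and `carol` and `dave` each exist in only one of them.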
