Are there any performance issues with having lots of views?

> On Apr 10, 2018, at 7:55 AM, Simo Sorce <> wrote:
> SSSD cares only about the users it detects by design.
> The solution is to use ID Views on IPA to change the users UIDs on those
> machines. Hving the same users in files and ipa with different UIDs is not
> going to go down well and messing with PAM is just going to mnake the system
> even more brittle.
> The proper migration is to remove users from /etc/passwd, and use an ID View 
> to
> "correct" any posix data on the target machines, until you can rebuild new 
> ones
> with the central names.
> Simo.
> On Mon, 2018-04-09 at 16:32 +0000, Charles Hedrick wrote:
>> I’m trying to support an odd configuration.
>> We have an IPA system, which is used in the normal way for systems run by 
>> staff. But we have hundreds of systems run by faculty and grad students. I’d 
>> like to encourage them to integrate with our system. However their usernames 
>> and UIDs don’t typically match ours. I don’t think there’s much I can do 
>> about usernames. But I’d at least like to survive differing UIDs. Kerberos 
>> and even NFS V4 don’t care about UIDs.
>> So I set up sssd pointing to IPA, with access_provider = deny (meaning only 
>> people accepted by pam_unix can login), and nsswitch.conf having “files 
>> sss." If a user logins in with the Kerberos password they’re logged in 
>> correctly, but they can’t access their own Kerberos credentials.
>> Their logged in UID is the one in /etc/passwd, because login correctly obeys 
>> nsswitch. But their Kerberos credentials are for the UID in IPA.
>> I can change id_provider to proxy/files. But then the sss nsswitch map 
>> doesn’t work. I need to get groups from IPA in order to interpret groups on 
>> our Netapp. I’d like to get users from IPA when there isn’t an entry in 
>> /etc/passwd, so that ls -l on the Netapp can interpret user names.
>> So what I’d like is that when sssd creates Kerberos credentials, it uses the 
>> same user that login is going to use, i.e. that it obeys nsswitch. Is this a 
>> reasonable expectation?
>> Going further, I’d like a way to do username mapping that will work with 
>> both sssd and Kerberos. One approach would be to pay attention to the 
>> username map in /etc/krb5.conf or idmapd.conf, since I’d have to put the 
>> mapping in both (I think).
>> _______________________________________________
>> sssd-users mailing list --
>> To unsubscribe send an email to
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> _______________________________________________
> sssd-users mailing list --
> To unsubscribe send an email to

sssd-users mailing list --
To unsubscribe send an email to

Reply via email to