On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
> On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
>>
>> On (24/08/16 09:10), Joakim Tjernlund wrote:
>>>
>>> On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
>>>>
>>>> On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
>>>>>
>>>>>
>>>>> On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 24.8.2016 09:03, Joakim Tjernlund wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Getting to the of our AD domain migration but there is one step I haven't solved.
>>>>>>>> Our users have UID/GID in the new domain while the already present users in the new domain
>>>>>>>> do not. Assigning UID/GID to all users does not sit well with upstream IT so I am
>>>>>>>> looking at what to do with these when they visit/access our site.
>>>>>>>>
>>>>>>>> What comes to mind is partial id_mapping: if a user has UID/GID in the AD use that, otherwise
>>>>>>>> do id_mapping for that user (preferably the same way samba does it since we already have a
>>>>>>>> samba based interim solution).
>>>>>>>>
>>>>>>>> I haven't found a way to do that in sssd, is there?
>>>>>>>> Maybe I am just full of it and this is really a bad idea?
>>>>>>>
>>>>>>> Are you using FreeIPA? FreeIPA got support for "ID Views" which can be used
>>>>>>> for this purpose. (I'm not very sure about pure-SSSD case.)
>>>>
>>>> It is also possible in the pure-SSSD case, see man sss_override for
>>>> details.
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I wish, but this is a Windows AD :(
>>>>>
>>>>> Petr had IPA-AD trusts in mind, I guess.
>>>>>
>>>>> Partial ID mapping is not possible, sorry.
>>>>
>>>> yes, SSSD cannot do this automatically because we can never be sure that
>>>> a UID/GID attribute will be added in future to a user who currently
>>>> does not have them set.
>>>
>>> I see, but does not sssd refresh/check cached values against AD regularly?
>>> Or mark the non UID/GID user as do not cache?
>>>
>> I am not sure you understand it correctly.
>>
>> sssd does not support partial ID mapping intentionally.
>>
>> Let's imagine. The partial ID mapping would be enabled but neither of the
>> users has POSIX attributes. So sssd would generate UID/GID from SID.
>>
>> Then later someone decides to add UID and GID into Active Directory.
>> But there is a chance that the administrator would not be careful
>> and assign IDs which are already generated from SID for another user.
>> If the other user had higher privileges then it would be a security problem.
>
> ...also files would have had to be chown-ed, so at the very least there is a
> huge annoyance to the admins and a risk of locking users out from
> their files because you forgot to chown some files..
>
OK, so no good way to fix this problem as it is now.
But, so I am sure, if we were to get a subdomain to INFINERA.COM, say
SE.INFINERA.COM, it would be possible to have UID/GID in
SE.INFINERA.COM and idmapping in INFINERA.COM?
What about group membership, can a SE.INFINERA.COM user be in a group in
INFINERA.COM and vice versa?
But then we would have to deal with TRANSMODE.SE (old, to be retired),
SE.INFINERA.COM and INFINERA.COM in sssd.conf et al.?
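The two hazards Lukas and Jakub describe above (an admin-assigned uidNumber landing on an ID that SID-based mapping already generated for someone else, and a user's UID silently changing once POSIX attributes are added, so their files need a chown) can be modelled offline. The script below is an added example, not code from this thread or from SSSD. It uses the documented defaults ldap_idmap_range_min=200000 and ldap_idmap_range_size=200000 from sssd-ldap(5), but takes the domain's slice index as an assumed input instead of deriving it from a hash of the domain SID as SSSD does; the AdUser type, the account names and the SIDs are constructed for illustration.

```python
"""Model the 'partial ID mapping' policy the thread rejects and show why.

SID-based mapping lays out one slice of `range_size` IDs per domain and maps
RID -> range_min + slice*range_size + RID. Real SSSD chooses the slice from a
hash of the domain SID; here `slice_index` is an assumed input so this runs
offline. Added example, not SSSD's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

RANGE_MIN = 200000   # ldap_idmap_range_min default (sssd-ldap(5))
RANGE_SIZE = 200000  # ldap_idmap_range_size default (sssd-ldap(5))


@dataclass(frozen=True)
class AdUser:            # constructed type for the example
    name: str
    sid: str                           # objectSid as a string
    uid_number: Optional[int] = None   # uidNumber, if an admin set one


def rid(sid: str) -> int:
    """Relative identifier: the last dash-separated component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def sid_to_uid(sid: str, slice_index: int,
               range_min: int = RANGE_MIN, range_size: int = RANGE_SIZE) -> int:
    """ID the algorithmic mapping generates for this SID in the domain's slice.

    A RID >= range_size does not fit the primary slice; SSSD would allocate a
    secondary slice, which this simplified model does not do.
    """
    r = rid(sid)
    if r >= range_size:
        raise ValueError(f"RID {r} does not fit in one slice of {range_size}")
    return range_min + slice_index * range_size + r


def partial_map(users: List[AdUser], slice_index: int) -> Dict[str, int]:
    """The hypothetical 'partial' policy: uidNumber if present, else SID mapping."""
    return {u.name: (u.uid_number if u.uid_number is not None
                     else sid_to_uid(u.sid, slice_index)) for u in users}


def find_collisions(mapping: Dict[str, int]) -> Dict[int, List[str]]:
    """UIDs two or more accounts would share: one UID, two identities."""
    owners: Dict[int, List[str]] = {}
    for name, uid in mapping.items():
        owners.setdefault(uid, []).append(name)
    return {uid: sorted(n) for uid, n in owners.items() if len(n) > 1}


def find_uid_changes(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, tuple]:
    """Accounts whose UID changed between two directory states (files need chown)."""
    return {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]}


def assigned_in_slice(users: List[AdUser], slice_index: int,
                      range_min: int = RANGE_MIN, range_size: int = RANGE_SIZE) -> List[str]:
    """Pre-flight check an admin could run: uidNumbers inside the mapped slice."""
    lo = range_min + slice_index * range_size
    return sorted(u.name for u in users
                  if u.uid_number is not None and lo <= u.uid_number < lo + range_size)


# Constructed sample: domain slice 3, so mapped IDs live in [800000, 1000000).
SLICE = 3
DOM = "S-1-5-21-1111-2222-3333"
DAY_ONE = [
    AdUser("alice", f"{DOM}-1105"),               # no uidNumber -> 801105
    AdUser("carol", f"{DOM}-1107"),               # no uidNumber -> 801107
    AdUser("root-admin", f"{DOM}-500", 10000),    # has uidNumber
]
# Later: carol gets a POSIX uid, and a new account 'bob' is carelessly given
# 801105, the very ID the mapping already produced for alice.
DAY_TWO = [
    AdUser("alice", f"{DOM}-1105"),
    AdUser("carol", f"{DOM}-1107", 10001),
    AdUser("root-admin", f"{DOM}-500", 10000),
    AdUser("bob", f"{DOM}-1106", 801105),
]


def report(slice_index: int = SLICE) -> dict:
    day1 = partial_map(DAY_ONE, slice_index)
    day2 = partial_map(DAY_TWO, slice_index)
    return {
        "collisions": find_collisions(day2),          # alice and bob share 801105
        "uid_changes": find_uid_changes(day1, day2),  # carol moved 801107 -> 10001
        "assigned_in_slice": assigned_in_slice(DAY_TWO, slice_index),
    }


if __name__ == "__main__":
    print(report())
```

The collision is the privilege problem: once bob owns uidNumber 801105, every file and process that alice's SID-derived UID created is indistinguishable from his. The uid change is the operational one: carol's existing files still carry 801107 and must be chown-ed. Refusing partial mapping, as SSSD does, closes both; the `assigned_in_slice` check is what an admin would run before adding uidNumber values to a domain that ever used SID-based mapping.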
AFAIK IPA<->AD trust would allow you to have only the IPA domain in sssd.conf
on clients and manage everything else on IPA servers/database. This includes
UID/GID overrides and so on.
If you are interested in details, please ask on the freeipa-users(a)redhat.com mailing
list: