On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> On 24.8.2016 09:03, Joakim Tjernlund wrote:
> >
> > Getting to the of our AD domain migration but there is one step I haven't
solved.
> > Our users has UID/GID in the new domain while the already present users in the
new domain
> > does not. Assigning UID/GID to all users does not sit well with upstream IT so
I amĀ
> > looking at what to do with these when they visit/access our site.
> >
> > What comes to mind is partial id_mapping, if a user had UID/GID in the AD use
that, otherwise
> > do id_mapping for that user(preferably the same way samba does it since we
already have a samba
> > based interim solution).
> >
> > I haven't found a way to do that in sssd, is there?
> > Maybe I am just full of it and this is really a bad idea?
>
> Are you using FreeIPA? FreeIPA got support for "ID Views" which can be
used
> for this purpose. (I'm not very sure about pure-SSSD case.)
I wish, but this is a Windows AD :(
Petr had IPA-AD trusts in mind, I guess.
Partial ID mapping is not possible, sorry.