Can sssd allocate uid/gid out of a pool unique to each domain? The mapping need not be
complex: "last_allocated+1" should suffice.
I'm motivated to ask the following question because I "supplement" our
official active directory with accounts for external partners/collaborators. Numeric
uid/gid fields could well collide because there's no coordination, nor is there likely
to be. In the long term, we'd like to fix that, and we'd like to convince our
powers-that-be that joining one or more larger "identity federations" is in
their best interest. But that puts us right back where we started, as uid/gids across
several large, mostly disconnected organizations are not going to be coordinated.
So: What reasons still exist to insist on coordination? Are we ready to make the leap to
coordinating the set of text-based-principals which are valid within a domain?
File sharing via NFS with "sec=sys" is just about the only obstruction I can
think of. Otherwise, uid/gids are local to each machine, and it is sufficient to allow
each machine to perform its own unique mapping from "valid username" to uid.
So if I either prohibit NFS entirely or insist on "sec=krb5", could I have a
gaggle of Linux boxes which individually allocate uids and gids as they encounter valid
Kerberos credentials?
Sorry for wandering into the abstract there... this seemed an appropriate venue for
determining whether such a scheme was viable.
Bryce
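As an added illustration of the scheme sketched above (example code written for this post, not sssd's own allocator or anything from the thread): a per-host, per-domain "last_allocated+1" mapper from Kerberos principal to numeric id. The realm names, id ranges and login order are constructed; the point it shows is that ids stay stable on one host but diverge across hosts, which is exactly what NFS "sec=sys" would expose and "sec=krb5" would not.

```python
# Added illustration (not sssd code): a per-host, per-domain "last_allocated+1"
# id allocator, to show why independent hosts disagree on numeric ids.

def make_pools():
    # Assumed per-domain ranges, in the spirit of sssd's min_id/max_id settings.
    # Each host keeps its own copy, because allocation state is host-local.
    return {
        "CORP.EXAMPLE":    {"low": 100000, "high": 199999, "next": 100000},
        "PARTNER.EXAMPLE": {"low": 200000, "high": 299999, "next": 200000},
    }

class HostIdMapper:
    """Maps Kerberos principals to numeric ids on one host."""
    def __init__(self, name):
        self.name = name
        self.pools = make_pools()
        self.table = {}   # principal -> uid; would be persisted on disk in practice

    def uid_for(self, principal):
        if principal in self.table:            # idempotent: stable on this host
            return self.table[principal]
        _, _, realm = principal.rpartition("@")
        pool = self.pools[realm.upper()]       # KeyError for an unknown realm
        if pool["next"] > pool["high"]:
            raise RuntimeError(f"{self.name}: pool for {realm} exhausted")
        uid = pool["next"]                     # last_allocated + 1
        pool["next"] += 1
        self.table[principal] = uid
        return uid

def agree(hosts, principal):
    """True if every host resolved this principal to the same numeric id
    (the property NFS sec=sys needs, since it sends raw uids on the wire)."""
    return len({h.uid_for(principal) for h in hosts}) == 1

def simulate():
    a, b = HostIdMapper("hostA"), HostIdMapper("hostB")
    # Constructed login order: the same users show up in a different order on each host.
    for p in ("alice@CORP.EXAMPLE", "bob@CORP.EXAMPLE", "carol@PARTNER.EXAMPLE"):
        a.uid_for(p)
    for p in ("bob@CORP.EXAMPLE", "alice@CORP.EXAMPLE", "carol@PARTNER.EXAMPLE"):
        b.uid_for(p)
    return {p: (a.uid_for(p), b.uid_for(p), agree([a, b], p)) for p in a.table}

if __name__ == "__main__":
    for principal, (ua, ub, ok) in simulate().items():
        print(f"{principal:24} hostA={ua} hostB={ub} {'agree' if ok else 'DIFFER'}")
```

Running it shows alice and bob with swapped ids on the two hosts while carol, the only PARTNER.EXAMPLE user, happens to agree; a file owned by alice on hostA would appear to belong to bob on hostB under sec=sys.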