[Freeipa-devel] Purpose of default user group

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 15:55:58 UTC 2015


On Tue, 10 Mar 2015, Petr Spacek wrote:
>On 10.3.2015 16:01, Jakub Hrozek wrote:
>> On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote:
>>> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>>>> Petr Vobornik wrote:
>>>>> Hi,
>>>>>
>>>>> I would like to ask what the purpose of a default user group is - by
>>>>> default ipausers? The default group is also a required field in ipa config.
>>>>
>>>> To be able to apply some (undefined) group policy to all users. I'm not
>>>> aware that it has ever been used for this.
>>>
>>> I would also be interested in the use cases, especially given all the pain we have
>>> with ipausers and large user bases. Especially since for current policies (SUDO,
>>> HBAC, SELinux user policy), we always have other means to specify "all users".
>>
>> yes, but those means usually specify both AD and IPA users, right?
>>
>> I always thought "ipausers" is a handy shortcut for selecting IPA users
>> only and not AD users.
>
>I always thought that "ipausers" is an equivalent of "domain users" in AD
>world (compare with "Trusted domain users").
>
>In my admin life I considered "domain users" to be useful alias for real
>authenticated user accounts (compare with "Everyone" = even unauthenticated
>access, "Authenticated users" = includes machine accounts too.)
>
>
>Moreover, getting rid of ipausers does not help with 'big groups problem' in
>any way. E.g. at university you are almost inevitably going to have groups
>like 'students' which will contain more than 90 % of users anyway.
For what use do we need this distinction in IPA itself?
- ACI (permissions) have separate notion to describe
  anonymous/any authenticated dichotomy
- HBAC has 'all' category for users which in HBAC context means all
  authenticated users

Where else would we need ipausers, other than as the default POSIX group,
which we are not using it for?
-- 
/ Alexander Bokovoy
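The two mechanisms named above (the ACI anonymous/authenticated split and the HBAC "all" user category) both live in the 389 Directory Server backend. The fragment below is an added illustration, not taken from this thread or from the FreeIPA tree: the first two entries are 389-ds ACIs using the standard bind-rule keywords, where "ldap:///anyone" matches anonymous and authenticated binds alike and "ldap:///all" matches only authenticated binds; the third is an HBAC rule entry of the shape FreeIPA's default allow_all rule has, with userCategory set to all rather than a memberUser reference to ipausers. The suffix dc=example,dc=com is an assumption.

```ldif
# Added example (not from the thread). ACI bind rules distinguish
# anonymous from authenticated access without any group membership:
#   userdn = "ldap:///anyone"  -> anonymous and authenticated binds
#   userdn = "ldap:///all"     -> authenticated binds only
dn: cn=accounts,dc=example,dc=com
aci: (targetattr="cn || uid")(version 3.0; acl "Anonymous read of names";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="mail || telephoneNumber")(version 3.0; acl "Authenticated
  read of contact data"; allow (read, search, compare) userdn = "ldap:///all";)

# HBAC rule with user category "all": applies to every authenticated user
# (IPA and trusted-domain users alike) with no ipausers membership involved.
# Suffix assumed; attribute names follow the ipaHBACRule schema.
dn: ipauniqueid=allow_all,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
objectClass: ipaassociation
cn: allow_all
accessRuleType: allow
userCategory: all
hostCategory: all
serviceCategory: all
ipaEnabledFlag: TRUE
```

Restricting the ACI or HBAC rule to IPA-local users only, which is the case Jakub raises, is the one thing neither keyword expresses; that is the role a group such as ipausers (or a memberUser filter) would have to play.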