[Freeipa-devel] [RFC] Migrating existing environments to Trust

Simo Sorce simo at redhat.com
Fri Apr 18 13:40:31 UTC 2014

On Fri, 2014-04-18 at 13:39 +0200, Sumit Bose wrote:
> Hi Simo,
> Thank you for the comments. So it looks like supporting legacy setups
> where a single user has different POSIX IDs on different servers is a
> use case we want to support. It's fine by me, nevertheless I think it is
> bad admin practice to keep this kind of setups running and do a proper
> migration.

Much, *much* easier said than done.
I have been in this situation with customers before; once you have
enough machines cross-sharing disks over NFS, it is almost impossible to
do without taking the whole set offline for days or weeks.

> > Clearly this is an administration mistake, and not something we should try
> > to address.
> > 
> > Use different groups for HBAC and UID views, period.
> If you really think it should be done this way we should make them
> different group types like hbac_hostgroups and view_hostgroups (do we
> need sudo_hostgroups as well :-?).

No, we shouldn't :)

>  Seriously, I think the purpose of the
> hostgroups is to collect hosts with the same profile to allow easy
> management so that when a new host with the same profile is created it
> has to be put in only one group and automatically get the right HBAC and
> sudo rules, the right view etc.

Sure, but you will need additional groups if your HBAC access profile
and your views profiles do not match.

I think in practice hosts using different views will be isolated islands,
and the chance that you want to reuse the hostgroup that defines the view for
HBAC, and that the 2 sets of groups are not an identity or HBAC is a
subset of the view group, will be negligible.

I am confident admins understand how to deal with these cases.

> > > I think the best way to solve this is to say that in all views the UID
> > > will be the same.
> > 
> > Absolutely not, it would completely defeat the point of having views.
> > 
> > >  If the override UID is set the AD user will get this
> > > UID.  If the override UID is not set then it depends on the AD settings.
> > 
> > This is correct.
> > 
> > > If a UID is set in AD the user will get this one from AD if not he will
> > > have none at all, which is fine for the web apps use-case.
> > 
> > If there is none and SSSD does automatic mapping, then that's what SSSD
> > will set.
> As mentioned before we decided some time ago to not mix manual and
> automatic (algorithmic) mapping for the same domain. If we want to
> change this it might result in additional effort on the SSSD side. But
> as said before I do not see a problem to support users without POSIX IDs.

See my reply to Dmitri, the solution needs to be tackled on the IPA
server not in SSSD for this, IMO.


Simo Sorce * Red Hat, Inc * New York
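The precedence the two messages above argue over (a view override wins, then the POSIX UID stored in AD, then nothing unless the domain relies on SSSD's algorithmic mapping) and Simo's point about keeping view hostgroups apart from HBAC hostgroups can be written down as a small model. The following is an added illustration, not FreeIPA or SSSD code: the host, hostgroup, view and AD data are constructed sample values, the conflict rule for a host that lands in two view-bearing hostgroups is an assumption, and the algorithmic-mapping fallback is a placeholder rather than SSSD's real SID-based derivation.

```python
"""Toy model of effective-UID resolution for an AD user on an IPA host.

Added example, not FreeIPA/SSSD code.  All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class IdView:
    name: str
    # constructed: user name -> overridden UID inside this view
    uid_overrides: dict = field(default_factory=dict)


# constructed: host -> hostgroups it belongs to
HOST_GROUPS = {
    "web1.example.test": {"webapps"},
    "nfs1.example.test": {"legacy-nfs"},
    "dual.example.test": {"webapps", "legacy-nfs"},  # member of two view groups
}

# constructed: hostgroup -> ID view applied to its members
GROUP_VIEWS = {
    "webapps": IdView("webapps-view"),                  # no overrides: AD values only
    "legacy-nfs": IdView("legacy-view", {"alice": 10042}),
}

# constructed: POSIX uidNumber stored in AD, None when the attribute is absent
AD_POSIX_UID = {"alice": 5001, "bob": None}


class ViewConflict(Exception):
    """Raised when a host's hostgroups map it to more than one ID view."""


def view_for_host(host):
    """Return the single ID view applying to `host` via its hostgroups.

    Returns None when no hostgroup of the host carries a view.  Raises
    ViewConflict when the hostgroups disagree: this is the ambiguity the
    thread recommends avoiding by using separate hostgroups for views
    and for HBAC.  (Assumed rule; the server's real behaviour may differ.)
    """
    views = {GROUP_VIEWS[g].name: GROUP_VIEWS[g]
             for g in HOST_GROUPS.get(host, ()) if g in GROUP_VIEWS}
    if len(views) > 1:
        raise ViewConflict(f"{host} is in hostgroups with views {sorted(views)}")
    return next(iter(views.values()), None)


def effective_uid(user, host, sssd_algorithmic_mapping=False):
    """Resolve the UID `user` gets on `host`.

    Precedence as stated in the quoted exchange:
      1. a UID override in the host's ID view,
      2. the uidNumber stored in AD,
      3. no UID at all, unless the domain uses SSSD's algorithmic mapping,
         in which case a derived UID is assumed (placeholder derivation).
    """
    view = view_for_host(host)
    if view is not None and user in view.uid_overrides:
        return view.uid_overrides[user]
    ad_uid = AD_POSIX_UID.get(user)
    if ad_uid is not None:
        return ad_uid
    if sssd_algorithmic_mapping:
        # placeholder stand-in for SSSD's SID-based ID mapping (not the real algorithm)
        return 200000 + sum(map(ord, user))
    return None


if __name__ == "__main__":
    for user, host in (("alice", "nfs1.example.test"), ("alice", "web1.example.test"),
                       ("bob", "web1.example.test")):
        print(user, host, effective_uid(user, host))
    try:
        view_for_host("dual.example.test")
    except ViewConflict as exc:
        print("conflict:", exc)
```

Running it shows the same user getting 10042 on the legacy NFS host and 5001 on the web host, `bob` getting no UID on either unless algorithmic mapping is switched on, and `dual.example.test` rejected because its two hostgroups pull in different views; in a real deployment that last case is where a single hostgroup reused for both HBAC and views would bite.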