[Freeipa-users] migration plan from local accounts

Simo Sorce simo at redhat.com
Fri Jan 6 00:44:59 UTC 2012


On Thu, 2012-01-05 at 16:20 -0500, Sylvain Angers wrote:
> Hello
> 
> 
> We have a mixed environment of AIX, and linux servers
> All our user accounts are still set locally - no NIS, and we do not
> have unique uid/gid toward our hosts!!!
> I am evaluating the possibility of using Redhat Identity management in
> our environment
> I have to figure out what AIX will be able to support - we would at
> least want to be able to limit who could access what on aix
> so if you have dealt with AIX, let me know
> 
> 
> but here my main question
> 
> 
> My question is how do I deal with our current local users? 
> When user DAVE gets freeipa id 10000000567, do you have to chown every
> file he has on a local machine while he might have uid/gid 501 ?

Are your usernames aligned ?

If so you can do the migration in steps.

Start with creating a FreeIPA server with all your users named the same
as what you are currently using on your machines.

Also if you have a majority of machines that use the same name<->uid
mapping you may think of forcing the same name<->uid mapping in freeipa,
but unless you have a substantial number of machines that agree on all
uids then it is probably much better to have a clean break against all
machines so that you are not tricked on machines where only a subset
matches.

Once you have the server up you can start unifying just the
authentication part by enabling kerberos authentication for your local
users on the AIX machine but still using the local accounts for uid/gid
purposes.

Once login is unified on kerberos you can go and convert one machine at
a time to use ldap instead of local file and perform the necessary uid
changes on file acls.
For groups I'd be more careful, the problem there is that if you have
different groupings on different machines just assuming groups are the
same because they have the same name may open up security issues.

One way to handle that would be to deprecate all old groups and create
new groups in freeipa with names that do not match any of the local
groups you currently have, then determine a policy to reassign within
the next year group permissions on files slowly phasing out local
groups.

> I guess we will have to bite the bullet and have a unique id for every
> user - right?

In the long term yes, but above I gave you a way to at least have a
migration that you can handle over a period of time instead of having to
change all your machines in one night.

> Is there a simple migration plan from local to freeipa?

UID/GID migrations unfortunately are never simple. I have been involved
with these issues for years and there are no magic bullets, but there are
ways to mitigate the impact of a migration so that it becomes manageable
at least.
One more piece of advice, verify if you are using NFS anywhere, because
each machine connected to a NFS server becomes part of a "virtual
cluster" that needs to either be broken or converted all at the same
time, making migrations suddenly a bit more difficult.

> do we have to migrate an account at a time, so if an account does not
> exist locally, it will check remote?

This depends very much on how AIX manages to discover users.
On linux depending on the nsswitch.conf order of database a local user
can prevail on a remote one, but I do not recall how that works with
AIX, which uses LAM modules (IIRC).

> I am missing the big picture

HTH,
Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
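The per-host step Simo describes (convert one machine from local files to LDAP, then fix the uid on its files, while leaving NFS-backed trees to be converted together with every client) and his nsswitch.conf remark can be turned into a small planning script. The following is an added example written for this page, not code from the thread or from FreeIPA: the local passwd data, the FreeIPA account list and the nsswitch.conf contents are constructed samples embedded inline so it runs offline (on a real host they would come from /etc/passwd, `ipa user-find` and /etc/nsswitch.conf). Only uids are remapped by default; the gid map is left empty on purpose, following the thread's advice to treat groups separately rather than assume same-named groups are equivalent.

```python
#!/usr/bin/env python3
"""Plan a per-host UID remap from local accounts to FreeIPA accounts.

Added example, not code from the mailing-list thread or from FreeIPA.
All inputs below are constructed samples so the script runs offline.
"""
import os
import tempfile

# Constructed sample of a host's local /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dave:x:501:501:Dave:/home/dave:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
legacyapp:x:600:600:Legacy app:/var/legacyapp:/sbin/nologin
"""

# Constructed sample of the matching FreeIPA users: name -> (uid, gid).
IPA_USERS = {
    "dave": (10000000567, 10000000567),
    "alice": (10000000568, 10000000568),
}

# Constructed sample of /etc/nsswitch.conf on the host.
NSSWITCH = """\
passwd:     files sss
group:      files sss
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    return users


def nss_local_wins(nsswitch_text, database="passwd"):
    """True if 'files' is consulted before a remote source (sss/ldap).

    With 'files' first, a leftover local entry shadows the FreeIPA user
    of the same name; with the remote source first, the IPA entry wins.
    """
    for line in nsswitch_text.splitlines():
        key, _, sources = line.partition(":")
        if key.strip() != database:
            continue
        order = sources.split()
        remote = [s for s in order if s in ("sss", "ldap")]
        if "files" not in order:
            return False
        if not remote:
            return True
        return order.index("files") < order.index(remote[0])
    return True  # database not listed: glibc falls back to files


def build_uid_map(local, ipa):
    """Map old local uid -> new IPA uid for names present on both sides.

    Local names with no IPA counterpart are returned for review.
    """
    uid_map, unmatched = {}, []
    for name, (uid, _gid) in local.items():
        if uid == 0:
            continue  # never remap root
        if name in ipa:
            uid_map[uid] = ipa[name][0]
        else:
            unmatched.append(name)
    return uid_map, unmatched


def plan_chown(root, uid_map, gid_map):
    """Return [(path, new_uid, new_gid)] for entries whose ids change.

    The walk never crosses a mount point, so NFS shares stay untouched:
    a share has to be converted together with all its clients.
    """
    plan = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that live on another filesystem.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            new_uid = uid_map.get(st.st_uid, st.st_uid)
            new_gid = gid_map.get(st.st_gid, st.st_gid)
            if (new_uid, new_gid) != (st.st_uid, st.st_gid):
                plan.append((path, new_uid, new_gid))
    return plan


def apply_plan(plan):
    """Apply a plan from plan_chown; needs root on a real host."""
    for path, uid, gid in plan:
        os.lchown(path, uid, gid)  # lchown: do not follow symlinks


def demo_plan():
    """Build a small constructed tree and plan a remap of the caller's uid."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("a.txt", os.path.join("sub", "b.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    # Treat the current uid as the "local" uid moving into IPA's range.
    return plan_chown(root, {os.getuid(): 10000000567}, {})


if __name__ == "__main__":
    uid_map, unmatched = build_uid_map(parse_passwd(LOCAL_PASSWD), IPA_USERS)
    print("uid map:", uid_map)
    print("local-only accounts to review:", unmatched)
    print("local entries shadow IPA users:", nss_local_wins(NSSWITCH))
    for entry in demo_plan():
        print("would chown", entry)
```

Run it once without `apply_plan` to review the plan, paying attention to the `unmatched` list (accounts such as service users that have no FreeIPA counterpart) and to `nss_local_wins`: while `passwd: files sss` is in effect, any local entry left in /etc/passwd continues to shadow the IPA user of the same name, which matters for the machine-by-machine cutover described above.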



