[Freeipa-users] Local users/groups to IPA Transition

Dmitri Pal dpal at redhat.com
Thu Aug 14 10:35:47 UTC 2014


On 07/31/2014 04:45 PM, Baird, Josh wrote:
>> I wouldn't recommend duplicating your users, pick one and use that. If you
>> want to be able to manage your users, groups, HBAC, sudo, etc.
>> centrally then you'll want the users in IPA. But if you leave them locally you
>> may end up with corner case problems.
>>
>> If you *do* end up adding your local users to IPA then yeah, you've got a
>> decision to make. Either you use the existing UID/GID which is probably fine
>> (though you may want to look at adding a local range) or you let IPA assign a
>> new UID from its own range, then you have to quickly change file ownership
>> on all enrolled systems.
>>
> Well, the users are definitely going to be in IPA (or AD via IPA).  However, they *will* exist in both IPA and locally during the migration period.  If they have the same UID/GIDs in both places (local and IPA), then I will need to prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate the local UID/GIDs in IPA is to retain file permissions.
>
> Josh
>
I want to add that IPA is working on the concept of views. This means 
that once it is implemented you would be able to have UID/GID in IPA and 
users in AD.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
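
Added example (not part of the original thread, and not FreeIPA code): a pre-migration check for the situation discussed above, where the same accounts exist both locally and in IPA. It compares two passwd(5)-format listings and reports accounts whose UID/GID differ between the two sources, plus local UIDs that belong to a different user name in IPA, since those are the cases where file ownership would silently change hands. The sample listings, the function names and the min_uid cutoff of 1000 are assumptions made for illustration.

```python
# Added example: all sample data below is constructed, not taken from the thread.
from collections import namedtuple

Entry = namedtuple("Entry", "name uid gid")

LOCAL = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""
# Constructed stand-in for a passwd-format export of the IPA-side accounts.
IPA = """\
alice:*:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1668600004:1668600004:Bob:/home/bob:/bin/bash
dave:*:1003:1003:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5)-format lines into {name: Entry}; skip junk lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        try:
            entries[fields[0]] = Entry(fields[0], int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric UID/GID field
    return entries

def compare(local, ipa, min_uid=1000):
    """Return (mismatched, clashes) for local accounts with UID >= min_uid.

    mismatched: same name, different UID/GID (file ownership must be fixed).
    clashes: a local UID that IPA assigns to a different user name, so
             that user would own the local user's files once IPA is preferred.
    """
    ipa_by_uid = {e.uid: e.name for e in ipa.values()}
    mismatched, clashes = [], []
    for name, loc in sorted(local.items()):
        if loc.uid < min_uid:  # assumption: system accounts stay local
            continue
        remote = ipa.get(name)
        if remote and (remote.uid, remote.gid) != (loc.uid, loc.gid):
            mismatched.append((name, (loc.uid, loc.gid), (remote.uid, remote.gid)))
        owner = ipa_by_uid.get(loc.uid)
        if owner and owner != name:
            clashes.append((loc.uid, name, owner))
    return mismatched, clashes
```
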



