[Freeipa-users] Local users/groups to IPA Transition
Dmitri Pal
dpal at redhat.com
Thu Aug 14 10:35:47 UTC 2014
On 07/31/2014 04:45 PM, Baird, Josh wrote:
>> I wouldn't recommend duplicating your users, pick one and use that. If you
>> want to be able to manage your users, groups, HBAC, sudo, etc.
>> centrally then you'll want the users in IPA. But if you leave them locally you
>> may end up with corner case problems.
>>
>> If you *do* end up adding your local users to IPA then yeah, you've got a
>> decision to make. Either you use the existing UID/GID which is probably fine
>> (though you may want to look at adding a local range) or you let IPA assign a
>> new UID from its own range, then you have to quickly change file ownership
>> on all enrolled systems.
>>
> Well, the users are definitely going to be in IPA (or AD via IPA). However, they *will* exist in both IPA and locally during the migration period. If they have the same UID/GIDs in both places (local and IPA), then I will need to prefer IPA to 'files' in nsswitch.conf. The main reason I want to duplicate the local UID/GIDs in IPA is to retain file permissions.
>
> Josh
>
I want to add that IPA is working on the concept of views. This means
that once it is implemented you would be able to have UID/GID in IPA and
users in AD.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.