[Freeipa-users] Local users/groups to IPA Transition

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu Jul 31 15:23:50 UTC 2014


> Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> they *will* exist in both IPA and locally during the migration period.  If they
> have the same UID/GIDs in both places (local and IPA), then I will need to
> prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate the
> local UID/GID's in IPA is to retain file permissions.

The initial state and final state of your domain is identical to the initial and final states of each individual machine. The transition period is composed of some machines being migrated and some machines not migrated yet. Those which are not migrated yet have the users in /etc/passwd and have no knowledge of ipa. Those which are migrated should get users from ipa and the duplicate users purged out of /etc/passwd. Setting up a machine with ipa and forgetting to delete the users out of /etc/passwd is probably asking for trouble.

This is a separate problem from keeping UIDs the same or not. If you've got NFS set up, you need to either simultaneously migrate all the machines which share files, or you need to keep UIDs/GIDs the same so you can migrate individual machines at your leisure. Separately, you need to trade off how much work it is to configure FreeIPA to just continue with your current scheme (set it up to allocate UIDs picking up where you left off) vs. "find and chown" files on all your machines as part of the migration process. If neither option sounds attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.

Bryce
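A pre-migration check for the two hazards Bryce describes (a migrated host that still carries the user in /etc/passwd, and a user whose local UID differs from the IPA one so file ownership breaks). This is an added example, not code from the thread or from the FreeIPA project. It assumes that on a real host the IPA side is obtained with `getent -s sss passwd` (i.e. the host is an SSSD-based IPA client); here both inputs are constructed sample files so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the local
# /etc/passwd of a host against the passwd entries IPA would serve and
# classify every user that appears in both. Assumption: on a live host the
# IPA list comes from `getent -s sss passwd`; the two files below are
# constructed sample data.

LOCAL_PASSWD=$(mktemp)
IPA_PASSWD=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$IPA_PASSWD"' EXIT

# Constructed sample: what a not-yet-cleaned /etc/passwd might look like.
cat >"$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
EOF

# Constructed sample: the same users as IPA hands them out. alice kept her
# UID, bob was re-allocated a new one, dave exists only in IPA.
cat >"$IPA_PASSWD" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/bash
bob:*:2002:2002:Bob:/home/bob:/bin/bash
dave:*:1004:1004:Dave:/home/dave:/bin/bash
EOF

# classify_users LOCAL_FILE IPA_FILE
# Prints one line per local user that also exists in IPA:
#   DUPLICATE <name> <uid>            same UID on both sides: purge the
#                                     local entry once the host is joined
#   CONFLICT  <name> <local> <ipa>    different UIDs: "find ... -uid <local>
#                                     -exec chown <ipa>" is needed first
# Users present on only one side are not reported.
classify_users() {
    awk -F: '
        NR == FNR { ipa_uid[$1] = $3; next }      # first file: IPA entries
        ($1 in ipa_uid) {                         # second file: local entries
            if (ipa_uid[$1] == $3)
                printf "DUPLICATE %s %s\n", $1, $3
            else
                printf "CONFLICT %s %s %s\n", $1, $3, ipa_uid[$1]
        }
    ' "$2" "$1"
}

# Counters so a migration script can branch on the result instead of a
# human reading the report. Both return 0 cleanly when nothing matches.
count_duplicates() {
    classify_users "$1" "$2" | awk 'BEGIN { n = 0 } /^DUPLICATE/ { n++ } END { print n }'
}
count_conflicts() {
    classify_users "$1" "$2" | awk 'BEGIN { n = 0 } /^CONFLICT/ { n++ } END { print n }'
}

# Report for the constructed data. A host is safe to finish migrating only
# when it has no CONFLICT lines left and every DUPLICATE has been removed
# from /etc/passwd.
echo "== local vs. IPA user comparison =="
classify_users "$LOCAL_PASSWD" "$IPA_PASSWD"
echo "duplicates to purge: $(count_duplicates "$LOCAL_PASSWD" "$IPA_PASSWD")"
echo "UID conflicts:       $(count_conflicts "$LOCAL_PASSWD" "$IPA_PASSWD")"
```

On a real host, replace the two constructed files with `/etc/passwd` and the output of `getent -s sss passwd`, and treat any CONFLICT line as a blocker: it is exactly the case where either the UID must be reserved in IPA or the files must be re-owned before the local entry is deleted.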



