[Freeipa-users] Local users/groups to IPA Transition

Jakub Hrozek jhrozek at redhat.com
Thu Jul 31 15:45:10 UTC 2014


On Thu, Jul 31, 2014 at 03:23:50PM +0000, Nordgren, Bryce L -FS wrote:
> 
> > Well, the users are definitely going to be in IPA (or AD via IPA).  However,
> > they *will* exist in both IPA and locally during the migration period.  If they
> > have the same UID/GIDs in both places (local and IPA), then I will need to
> > prefer IPA to 'files' in nsswitch.conf.  The main reason I want to duplicate the
> > local UID/GID's in IPA is to retain file permissions.
> 
> The initial state and final state of your domain is identical to the initial and final states of each individual machine. The transition period is composed of some machines being migrated and some machines not migrated yet. Those which are not migrated yet have the users in /etc/passwd and have no knowledge of ipa. Those which are migrated should get users from ipa and the duplicate users purged out of /etc/passwd. Setting up a machine with ipa and forgetting to delete the users out of /etc/passwd is probably asking for trouble.

+1 also please note that reversing the order of files and sss must be
handled with extreme care. For instance, if someone was smart enough to
name a user in IPA with the same name as some daemon user, then you'd
effectively shadow the daemon account from the machine.

Luckily sssd explicitly doesn't handle root, so even if you reversed the
order of files and sss, the sss nsswitch module would just punt on any
requests for root.

> 
> This is a separate problem from keeping UIDs the same or not. If you've got NFS set up, you need to either simultaneously migrate all the machines which share files, or you need to keep UIDs/GIDs the same so you can migrate individual machines at your leisure. Separately, you need to tradeoff how much work it is to configure FreeIPA to just continue with your current scheme (set it up to allocate UIDs picking up where you left off) vs. "find and chown" files on all your machines as part of the migration process. If neither option sounds attractive to you, perhaps you may find it acceptable to have the pre-FreeIPA block of UIDs separate from the block of UIDs FreeIPA uses after it takes over.
> 
> Bryce
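The check a migration like the one discussed above calls for, before the order of `files` and `sss` in nsswitch.conf is touched, is a list of the accounts that exist in both sources and of the local system accounts an IPA entry would shadow. The script below is an added example and not part of this thread; it assumes the two listings are produced with `getent -s files passwd` and `getent -s sss passwd` on the host (the sample data embedded here is constructed) and it flags UID mismatches, which are the cases where purging the local entry would leave files on disk owned by a UID that IPA no longer maps.

```shell
#!/bin/sh
# Added example, not from the Freeipa-users thread.
# Compares a "files" passwd listing with an "sss" (IPA) passwd listing and
# reports accounts that would change meaning once nsswitch prefers sss.
# On a live host the two inputs would be produced with
#   getent -s files passwd > local.txt
#   getent -s sss   passwd > ipa.txt
# Here make_samples writes constructed sample data instead.
set -eu

make_samples() {
  # $1: local (files) listing, $2: IPA (sss) listing. Constructed data.
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
  cat > "$2" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/bash
bob:*:5002:5002:Bob:/home/bob:/bin/bash
postfix:*:1200:1200:Postfix Mailbox:/home/postfix:/bin/bash
carol:*:1003:1003:Carol:/home/carol:/bin/bash
EOF
}

# One line per user name present in both sources:
#   NAME LOCAL_UID IPA_UID STATUS
# "same-uid":     the local entry can be purged without affecting ownership.
# "uid-mismatch": files owned by LOCAL_UID will not belong to the IPA user;
#                 either fix the UID in IPA or chown before purging.
name_collisions() {
  awk -F: 'NR==FNR { local[$1]=$3; next }
           ($1 in local) { print $1, local[$1], $3,
                           (local[$1]==$3 ? "same-uid" : "uid-mismatch") }' "$1" "$2"
}

# Names of local accounts with UID below $3 (default 1000, i.e. system and
# daemon accounts) that also exist in IPA. With sss ahead of files these
# would resolve to the IPA entry. root is listed only if IPA carries a
# root entry; sssd itself never answers requests for root.
shadowed_system_accounts() {
  min_uid=${3:-1000}
  awk -F: -v min="$min_uid" 'NR==FNR { if ($3+0 < min) sys[$1]=1; next }
                             ($1 in sys) { print $1 }' "$1" "$2"
}

# Stand-alone run: build the samples in a temp dir and print both reports.
workdir=$(mktemp -d)
make_samples "$workdir/local" "$workdir/ipa"
echo "== accounts present in both files and sss =="
name_collisions "$workdir/local" "$workdir/ipa"
echo "== system accounts that sss would shadow =="
shadowed_system_accounts "$workdir/local" "$workdir/ipa"
rm -rf "$workdir"
```

Run it as-is to see the reports on the constructed data, or replace the two sample files with real `getent -s files` and `getent -s sss` output. Only names reported as `same-uid` are candidates for removal from /etc/passwd on a migrated host; anything under the second heading needs to be renamed or removed in IPA before the nsswitch order changes.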