[Freeipa-users] Creating arbitrary users?

coy.hile at coyhile.com coy.hile at coyhile.com
Tue Apr 7 14:16:45 UTC 2015


Quoting Simo Sorce <simo at redhat.com>

> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
>> In MIT land, one can potentially have multiple instances tied (by
>> convention) to a given user (that is, that administratively one knows
>> are the same set of eyeballs).  For example, I might have my normal
>> user (hile), and I might have another distinct MIT principal
>> hile/admin used when I’m doing administrative work in the kerb
>> database, or potentially yet another hile/vpn for remote access.  Only
>> the first of these is a ‘real’ user that needs to have a uid, gid,
>> home directory, and shell; the others are just Kerberos principals
>> that might have differing password policies applied to them.  In
>> FreeIPA, it appears all kerberos principals are tied to a user (or to
>> a host in the case of host/ or another service definition). Is it
>> possible to define a non-posix user?  There is no good reason for
>> hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never
>> login directly using that principal.
>
> Early on when we created FreeIPA we decided against providing
> alternative principals for the same user as it made things a lot more
> complex for little gain. To this day we still do not support them.
>
> Keep in mind that adding a principal is not the whole story, once you do
> that then you probably still want to associate it to some user, and
> assign privileges and allow alternative principal names to ssh into some
> machines, which means distributing k5login files or providing explicit
> support in the new aname2lname plugin.
>
> To do all this means adding new objects and configuration facilities to
> handle these special non-users, we haven't yet found enough benefit in
> adding support for these to warrant the work involved.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
I guess that makes sense. Is it possible to add a user that simply
doesn't have the POSIX attributes defined? In the particular case of
*/admin, I would expect that user to log in to the IPA UI or to be
kinit'd to prior to running ipa administrative commands, but I should
hope that it would never log in directly.

Does that question make more sense?


Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone


-------- Original message --------
From: Simo Sorce <simo at redhat.com>
Date:04/07/2015  08:52  (GMT-05:00)
To: coy.hile at coyhile.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating arbitrary users?