[Freeipa-users] Creating arbitrary users?

Dmitri Pal dpal at redhat.com
Tue Apr 7 21:40:04 UTC 2015


On 04/07/2015 10:22 AM, Simo Sorce wrote:
> On Tue, 2015-04-07 at 14:16 +0000, coy.hile at coyhile.com wrote:
>> Quoting Simo Sorce <simo at redhat.com>
>>
>>> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
>>>> In MIT land, one can potentially have multiple instances tied (by
>>>> convention) to a given user (that is, that administratively one knows
>>>> are the same set of eyeballs).  For example, I might have my normal
>>>> user (hile), and I might have another distinct MIT principal
>>>> hile/admin used when I’m doing administrative work in the kerb
>>>> database, or potentially yet another hile/vpn for remote access.  Only
>>>> the first of these is a ‘real’ user that needs to have a uid, gid,
>>>> home directory, and shell; the others are just Kerberos principals
>>>> that might have differing password policies applied to them.  In
>>>> FreeIPA, it appears all kerberos principals are tied to a user (or to
>>>> a host in the case of host/ or another service definition). Is it
>>>> possible to define a non-posix user?  There is no good reason for
>>>> hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never
>>>> login directly using that principal.
>>> Early on when we created FreeIPA we decided against providing
>>> alternative principals for the same user as it made things a lot more
>>> complex for little gain. To this day we still do not support them.
>>>
>>> Keep in mind that adding a principal is not the whole story, once you do
>>> that  then you probably still want to associate it to some user, and
>>> assign privileges and allow alternative principal names to ssh into some
>>> machines, which means distributing k5login files or providing explicit
>>> support in the new aname2lname plugin.
>>>
>>> To do all this means adding new objects and configuration facilities to
>>> handle these special non-users, we haven't yet found enough benefit in
>>> adding support for these to warrant the work involved.
>>>
>>> Simo.
>>>
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>> I guess that makes sense. Is it possible to add a user that simply
>> doesn't have the posix attributes  defined? In the particular case of
>> */admin, I would expect that user to login to the ipa ui or to be
>> kinit'd to prior to running ipa administrative commands, but I should
>> hope that it should never login directly.
>>
>> Does that question make more sense?
> It does, but we do not have such a feature, sorry.
>
> Simo.
>
>
Would setting shell to NULL help?
What do you want to prevent? SSH logins? You can have host based access
control rules for that.
Maybe a better explanation of why you need this user to not have posix
would be beneficial.
You can have posix users and still prevent them from logging in where they
should not be able to log in.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
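Added example, not part of the thread and not FreeIPA project code: what the host based access control approach above looks like in practice. It keeps the admin-style account as a normal POSIX user (so it can `kinit` and run `ipa` commands, neither of which is subject to HBAC) but stops it from getting an SSH session on any enrolled host. The account name `hile_admin`, the group `ssh-users` and the rule name `allow_ssh_staff` are constructed placeholders. The `run` wrapper with `DRY_RUN=1` only prints the `ipa` commands, so the script can be reviewed on a machine without an IPA server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): restrict a dedicated
# admin-style POSIX account with FreeIPA HBAC rules so it cannot log in
# over SSH, while kinit and the ipa CLI keep working for it.
# Names below are constructed placeholders; override them via environment.
ADMIN_USER="${ADMIN_USER:-hile_admin}"   # constructed: the 'hile/admin'-style account
STAFF_GROUP="${STAFF_GROUP:-ssh-users}"  # constructed: group that is allowed to ssh
RULE_NAME="${RULE_NAME:-allow_ssh_staff}"

# With DRY_RUN=1 print the ipa command instead of executing it, so the
# change set can be reviewed before it is applied.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Give the account a shell that refuses interactive sessions.
#    HBAC is the real control; the shell is only defence in depth.
set_nologin_shell() {
  run ipa user-mod "$ADMIN_USER" --shell=/sbin/nologin
}

# 2. HBAC rules are allow-only. The default allow_all rule grants every
#    user every service on every host, so it must be disabled or the
#    admin account is still allowed to ssh.
disable_allow_all() {
  run ipa hbacrule-disable allow_all
}

# 3. Allow sshd on all hosts, but only for members of the staff group.
#    The admin account is simply not a member, so no rule matches it.
create_ssh_rule() {
  run ipa hbacrule-add "$RULE_NAME" --hostcat=all
  run ipa hbacrule-add-user "$RULE_NAME" --groups="$STAFF_GROUP"
  run ipa hbacrule-add-service "$RULE_NAME" --hbacsvcs=sshd
}

# 4. Simulate the decision for one host before relying on the rules;
#    hbactest reports whether access would be granted and which rules matched.
verify_rule() {
  run ipa hbactest --user="$ADMIN_USER" --host="$1" --service=sshd
}

# Apply everything only when explicitly requested (after 'kinit admin'
# on an IPA server); otherwise the functions can be sourced individually.
if [ "${IPA_APPLY:-0}" = "1" ]; then
  set_nologin_shell
  disable_allow_all
  create_ssh_rule
  verify_rule "$(hostname -f)"
fi
```

Disabling `allow_all` changes the decision for every user on every enrolled host, so run `hbactest` for a couple of ordinary users as well as for the admin account before doing it in production. Also note that HBAC is enforced by SSSD on the hosts; it does not govern Kerberos ticket acquisition, so the account can still `kinit` exactly as the original poster wanted.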
