[Freeipa-users] user account without password

[Alexander Frolushkin]

-----Original Message-----
From: Nordgren, Bryce L -FS [mailto:bnordgren at fs.fed.us]
Sent: Friday, April 10, 2015 9:27 PM
To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] user account without password

>> Also, if such account will also exist locally (my case), it will not
>> be controlled by HBAC rules - it can be a some kind of security trap...

>Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local >accounts need to be scoped to the local machine (e.g., "apache" on server 1 is different than "apache" on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named >accounts on different machines.

>Alternatively, allowing domain accounts to run certain services also has some merit. (assuming the user has permissions to do so.)

>Just thinking into email.
>Bryce

I have a long and positive experience using both local and IPA users with the same attributes, but without HBAC and without sudo way to obtain shell of such users.
Default settings in nsswitch.conf and pam provides straight and clear systems behavior, for about three years.
But I agree there can be case when such construction may lead to misbehavior and so on. We will try to avoid them.
SSO not really the aim for us, we just need to made a environment where users must remember only one password to access all resources on unix/linux servers.

Not trying to argue, just sharing some thoughts :)
Alexander

________________________________

Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения.

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

(c)20mf50