[Freeipa-users] ID Views without AD

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 10 08:19:45 UTC 2016


On Wed, 10 Feb 2016, Mike Kelly wrote:
>Hi,
>
>I'm attempting to use ID Views as a shim, to allow me to have an existing
>host work with FreeIPA without having to re-chown many many files.
>
>Here's my basic strategy, and where things seem to be failing:
>
>For any truly local groups (e.g. for specific local services), I continue
>to manage those in /etc/groups
>
>For any users, they should be managed in FreeIPA, especially the password
>and SSH Pubkeys. But, they should continue to appear with their old UIDs
>and GIDs on the server. This means the user doesn't exist in /etc/passwd or
>/etc/shadow anymore (or the local password would be used, as I understand
>it).
>
>An ID View is created, applied to this host, and has a user override added
>to override the UID and GID of the user.
>
>But, when I do this, I continue to see the usual UID and GID in the output
>of `id $USER`, etc, even after running `sss_cache -E` and `systemctl
>restart sssd`.
>
>Is there some extra logging I can turn on to see why this ID View isn't
>being applied like I would expect? Or perhaps some extra bit of
>configuration I missed?

Level 7 or 9 debug logs in SSSD on the client might help.

>I'm running a pair of CentOS 7 boxes, one acting as the FreeIPA server, and
>the other is the "legacy" box I want to shim FreeIPA into...

ID Views are only applied on machines where you have SSSD that supports
them, just to make sure.

-- 
/ Alexander Bokovoy
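
The steps discussed in this thread (a user override in an ID View applied to one host, then SSSD debug logging on the client), as an added example that is not part of the original messages. The view name, login, host name and UID/GID values are constructed placeholders, and the awk filter is one assumed way to set `debug_level` in the domain section of sssd.conf.

```shell
#!/bin/bash
# Added example; VIEW, LOGIN, HOST and the UID/GID values are constructed placeholders.
VIEW=legacy_view LOGIN=alice HOST=legacy.example.com OLD_UID=1001 OLD_GID=1001

# Filter: emit sssd.conf from stdin with debug_level=$1 in every [domain/...]
# section, dropping any debug_level line already present in those sections.
set_domain_debug() {
    awk -v lvl="$1" '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//); print
                if (in_dom) print "debug_level = " lvl
                next }
        in_dom && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }'
}

# On a host with the ipa CLI and an admin Kerberos ticket.
create_view() {
    ipa idview-add "$VIEW" --desc="keep legacy UID/GID on $HOST"
    ipa idoverrideuser-add "$VIEW" "$LOGIN" --uid="$OLD_UID" --gidnumber="$OLD_GID"
    ipa idview-apply "$VIEW" --hosts="$HOST"
    ipa idview-show "$VIEW" --all      # inspect the view as stored on the server
}

# On the legacy client, as root.
debug_client() {
    cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
    set_domain_debug 9 < /etc/sssd/sssd.conf.bak > /etc/sssd/sssd.conf
    sss_cache -E
    systemctl restart sssd
    id "$LOGIN"                        # expect OLD_UID/OLD_GID once the view is in effect
    # Show recent log lines that mention views, if any were written.
    grep -i 'view' /var/log/sssd/sssd_*.log | tail -n 20
}

# Nothing runs unless a role is given: "server" or "client".
case "${1:-}" in
    server) create_view ;;
    client) debug_client ;;
esac
```

Level 9 logging is verbose, so restore `/etc/sssd/sssd.conf.bak` and restart sssd once the cause is found.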



