[Freeipa-users] Best practices on enrolling existing hosts.

Simo Sorce simo at redhat.com
Thu Jun 30 14:43:00 UTC 2016


On Thu, 2016-06-30 at 10:32 -0400, Danila Ladner wrote:
> Hello folks.
> What are the best practices on enrolling existing hosts in infrastructure
> into FreeIPA?
> What do we do with local users which are present on the hosts and overlap
> with users in FreeIPA, should we remove local users? What happens to the
> files, directories owned by them? Is it usually a manual process?

It is usually a manual process as host by host you need to determine if
the local user is actually the same user in the central system or
another user by the same name.

In the latest FreeIPA we have ID Views, which allow you to remap POSIX
attributes (including name, uidNumber and gidNumber) exactly for cases
like this, where pre-existing users may have incompatible naming or
numbering attributes/schemes.

> I was thinking of creating some salt states, since we have around 800 hosts, to
> remove local accounts; I'm just not sure how I can remap files and directories
> to be owned by IPA users. IPA users have the same usernames but apparently
> different GIDs and UIDs.
> Would be useful to hear some insights on what folks do in the
> implementation process.

In this case the admin would manually (or via a script) create a view for a
(group of) machine(s), load the overrides into the ID View, and then
apply the ID View to the machine(s).

Docs here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html

Also here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

Note that ID Views are not confined to AD trust environments; the
second doc is just there to give a wider view of the feature.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
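The procedure Simo describes (create a view, load overrides, apply it to the host), worked through as an added example that is not part of the thread and not FreeIPA project code. It compares a host's /etc/passwd with the uidNumber/gidNumber IPA assigns to users of the same login and emits the `ipa idview-add` / `ipa idoverrideuser-add` / `ipa idview-apply` commands that pin that host to its legacy numbering, so no chown is needed. It also generates the opposite strategy (converging files on the IPA numbering with find/chown) and refuses to do so when the old and new UID ranges overlap, since a single chown pass would then misattribute files. The hostname `web01.example.test`, the passwd lines and the IPA ID numbers are all constructed for the example; the script cannot tell whether a matching login really is the same person, which the thread says must be decided host by host.

```python
"""Generate FreeIPA ID View overrides for a host's pre-existing local accounts.

Added example, not code from the mailing-list thread or the FreeIPA project.
All sample data (passwd lines, IPA ID numbers, hostname) is constructed.
"""

# Constructed: a copy of the target host's /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:2000:2000::/var/lib/backup:/sbin/nologin
"""

# Constructed: login -> (uidNumber, gidNumber) as IPA assigns them centrally.
SAMPLE_IPA_USERS = {
    "alice": (1234000001, 1234000001),
    "bob": (1002, 1002),
    "carol": (1234000003, 1234000003),
}


def parse_passwd(text):
    """Return {login: (uid, gid)} from passwd-format text, skipping junk lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def find_overlaps(local, central, min_uid=1000):
    """Logins present both locally and in IPA whose uid/gid differ.

    System accounts below min_uid are left alone. A same-named account is
    only a *candidate*: whether it is the same person is a manual decision.
    Returns {login: ((local_uid, local_gid), (ipa_uid, ipa_gid))}.
    """
    overlaps = {}
    for name, (luid, lgid) in local.items():
        if luid < min_uid or name not in central:
            continue
        if (luid, lgid) != central[name]:
            overlaps[name] = ((luid, lgid), central[name])
    return overlaps


def idview_commands(host, overlaps, view=None):
    """`ipa` commands: create the view, one override per user, apply to host.

    Option names follow the real CLI: --uid sets the overridden uidNumber,
    --gidnumber the overridden gidNumber. The view name is an assumption.
    """
    view = view or f"legacy-{host.split('.')[0]}"
    cmds = [f"ipa idview-add {view} --desc='pre-enrollment IDs for {host}'"]
    for name, ((luid, lgid), _ipa_ids) in sorted(overlaps.items()):
        cmds.append(
            f"ipa idoverrideuser-add {view} {name} --uid={luid} --gidnumber={lgid}"
        )
    cmds.append(f"ipa idview-apply {view} --hosts={host}")
    return cmds


def chown_collisions(overlaps):
    """Users whose IPA uid is still the local uid of a *different* account.

    Renumbering those in one find/chown pass would hand one user's files to
    another; the caller must refuse or order the passes through a temporary uid.
    """
    old_owner = {luid: name for name, ((luid, _), _) in overlaps.items()}
    return [
        (name, cuid, old_owner[cuid])
        for name, (_, (cuid, _)) in sorted(overlaps.items())
        if cuid in old_owner and old_owner[cuid] != name
    ]


def chown_commands(overlaps, root="/"):
    """Opposite strategy: converge files on the IPA numbering before deleting
    the local accounts (find matches on numbers, so run it while they exist)."""
    collisions = chown_collisions(overlaps)
    if collisions:
        raise ValueError(f"uid ranges overlap, refusing single-pass chown: {collisions}")
    cmds = []
    for _name, ((luid, lgid), (cuid, cgid)) in sorted(overlaps.items()):
        cmds.append(f"find {root} -xdev -uid {luid} -exec chown -h {cuid} {{}} +")
        cmds.append(f"find {root} -xdev -gid {lgid} -exec chgrp -h {cgid} {{}} +")
    return cmds


if __name__ == "__main__":
    found = find_overlaps(parse_passwd(SAMPLE_PASSWD), SAMPLE_IPA_USERS)
    for cmd in idview_commands("web01.example.test", found):
        print(cmd)
```

With the constructed data only `alice` needs an override (`bob` already matches IPA, `svc-backup` has no IPA counterpart, `carol` has no local account). After `ipa idview-apply`, clear the SSSD cache on the host (`sss_cache -E`) and check with `id alice` that the overridden numbers are in effect before removing the local entry.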
