On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
On (24/08/16 09:10), Joakim Tjernlund wrote:
>On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
>> On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
>> >
>> > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
>> > >
>> > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
>> > > >
>> > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
>> > > > >
>> > > > >
>> > > > > Getting to the of our AD domain migration but there is one step I haven't solved.
>> > > > > Our users have UID/GID in the new domain while the already present users in the new domain
>> > > > > do not. Assigning UID/GID to all users does not sit well with upstream IT so I am
>> > > > > looking at what to do with these when they visit/access our site.
>> > > > >
>> > > > > What comes to mind is partial id_mapping: if a user has UID/GID in the AD use that, otherwise
>> > > > > do id_mapping for that user (preferably the same way samba does it since we already have a samba
>> > > > > based interim solution).
>> > > > >
>> > > > > I haven't found a way to do that in sssd, is there?
>> > > > > Maybe I am just full of it and this is really a bad idea?
>> > > >
>> > > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can be used
>> > > > for this purpose. (I'm not very sure about pure-SSSD case.)
>>
>> It is also possible in the pure-SSSD case, see man sss_override for
>> details.
>>
>> >
>> > >
>> > >
>> > > I wish, but this is a Windows AD :(
>> >
>> > Petr had IPA-AD trusts in mind, I guess.
>> >
>> > Partial ID mapping is not possible, sorry.
>>
>> yes, SSSD cannot do this automatically because we can never be sure that
>> a UID/GID attribute will be added in future to a user who currently
>> does not have them set.
>
>I see, but does not sssd refresh/check cached values against AD regularly?
>Or mark the non UID/GID user as do not cache?
>
I am not sure you understand it correctly.
sssd does not support partial ID mapping intentionally.
Let's imagine the partial ID mapping would be enabled but none of the
users have POSIX attributes. So sssd would generate UID/GID from SID.
Then later someone decides to add UID and GID into Active Directory.
But there is a chance that the administrator would not be careful
and assign IDs which are already generated from SID for another user.
If the other user had higher privileges then it would be a security problem.
...also files would have to be chown-ed, so at the very least there is a
huge annoyance to the admins and a risk of locking users out of their
files because you forgot to chown some files..
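The collision Lukas describes above, as an added audit check (example code, not part of this thread and not sssd's own code): it compares admin-assigned uidNumber values against the IDs that algorithmic mapping would generate for users that have no POSIX attributes. The per-domain offset is a constructed constant here (in sssd it is derived from a hash of the domain SID), and the domain SID, RIDs and account names are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified stand-in for sssd's algorithmic mapping (assumption, not sssd's code):
# generated POSIX ID = per-domain base + RID. The base is a constructed constant.
DOMAIN_BASE: Dict[str, int] = {"S-1-5-21-111-222-333": 200000}
RANGE_SIZE = 200000  # constructed slice size; RIDs beyond it are not mappable here

def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSid string into (domain SID, RID)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain user/group SID: {sid}")
    return m.group(1), int(m.group(2))

def generated_id(sid: str) -> int:
    """ID the algorithmic mapping would assign to this SID."""
    domain, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} outside the mapped range")
    return DOMAIN_BASE[domain] + rid

def effective_id(user: dict) -> int:
    """What a 'partial' mapping would use: explicit uidNumber if set, else generated."""
    uid: Optional[int] = user.get("uidNumber")
    return uid if uid is not None else generated_id(user["objectSid"])

def find_collisions(users: List[dict]) -> List[Tuple[str, str, int]]:
    """(explicit user, generated user, id) for every admin-assigned uidNumber that
    equals the generated ID of a user who has no POSIX attributes."""
    generated: Dict[int, List[str]] = {}
    for u in users:
        if u.get("uidNumber") is None:  # only these would really use a generated ID
            generated.setdefault(generated_id(u["objectSid"]), []).append(u["sAMAccountName"])
    hits = []
    for u in users:
        uid = u.get("uidNumber")
        if uid is not None:
            for name in generated.get(uid, []):
                hits.append((u["sAMAccountName"], name, uid))
    return hits

# Constructed sample directory: alice was given uidNumber 200501 by hand, which is
# exactly what the mapping generates for bob (RID 501), who has no POSIX attributes.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-111-222-333-1105", "uidNumber": 200501},
    {"sAMAccountName": "bob",   "objectSid": "S-1-5-21-111-222-333-501"},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-111-222-333-600"},
    {"sAMAccountName": "dave",  "objectSid": "S-1-5-21-111-222-333-1200", "uidNumber": 300000},
]

if __name__ == "__main__":
    for explicit, gen, uid in find_collisions(SAMPLE_USERS):
        print(f"COLLISION: {explicit} has uidNumber {uid}, the generated ID of {gen}")
```

Running the same check against an LDAP export of the real domain (objectSid plus uidNumber) before and after POSIX attributes are added is the kind of review that avoids the silent UID sharing the thread warns about.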