On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
> On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
> >
> > On (24/08/16 09:10), Joakim Tjernlund wrote:
> > >
> > > On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> > > >
> > > > On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> > > > >
> > > > > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> > > > > >
> > > > > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> > > > > > >
> > > > > > >
> > > > > > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> > > > > > > >
> > > > > > > > > Getting to the of our AD domain migration but there is one step I haven't solved.
> > > > > > > > > Our users have UID/GID in the new domain while the already present users in the new domain
> > > > > > > > > do not. Assigning UID/GID to all users does not sit well with upstream IT so I am
> > > > > > > > > looking at what to do with these when they visit/access our site.
> > > > > > > > >
> > > > > > > > > What comes to mind is partial id_mapping: if a user has UID/GID in the AD use that, otherwise
> > > > > > > > > do id_mapping for that user (preferably the same way samba does it since we already have a
> > > > > > > > > samba based interim solution).
> > > > > > > > >
> > > > > > > > > I haven't found a way to do that in sssd, is there?
> > > > > > > > > Maybe I am just full of it and this is really a bad idea?
> > > > > > > >
> > > > > > > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can be used
> > > > > > > > for this purpose. (I'm not very sure about the pure-SSSD case.)
> > > >
> > > > It is also possible in the pure-SSSD case, see man sss_override for
> > > > details.
> > > >
> > > > >
> > > > > >
> > > > > > I wish, but this is a Windows AD :(
> > > > >
> > > > > Petr had IPA-AD trusts in mind, I guess.
> > > > >
> > > > > Partial ID mapping is not possible, sorry.
> > > >
> > > > Yes, SSSD cannot do this automatically because we can never be sure that
> > > > a UID/GID attribute will be added in future to a user who currently
> > > > does not have them set.
> > >
> > > I see, but does not sssd refresh/check cached values against AD regularly?
> > > Or mark the non-UID/GID user as do-not-cache?
> > >
> > I am not sure you understand it correctly.
> >
> > sssd does not support partial ID mapping intentionally.
> >
> > Let's imagine the partial ID mapping would be enabled but none of the
> > users have POSIX attributes. So sssd would generate UID/GID from SID.
> >
> > Then later someone decides to add UID and GID into Active Directory.
> > But there is a chance that the administrator would not be careful
> > and assign IDs which are already generated from SID for another user.
> > If the other user had higher privileges then it would be a security problem.
>
> ...also files would have to be chown-ed, so at the very least there is a
> huge annoyance to the admins and a risk of locking users out from
> their files because you forgot to chown some files..
>
OK, so no good way to fix this problem as it is now.
But, so I am sure, if we were to get a subdomain to INFINERA.COM, say
SE.INFINERA.COM, would it be possible to have UID/GID in SE.INFINERA.COM
and idmapping in INFINERA.COM?
What about group membership, can a SE.INFINERA.COM user be in a group in
INFINERA.COM and vice versa?
This is only possible if you define the domains separately in the config
file:
[
]
Because current sssd versions don't support different configurations for
the main domain and subdomain (and even if they did, I don't think
allowing different ID mappings for different subdomains would be a good
idea).
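The two-section layout Jakub is pointing at, written out as an added example; this is not part of the thread and not the SSSD project's own documentation. The domain names are the ones from the thread. The ID ranges are assumptions: they are chosen so that the POSIX IDs stored in SE.INFINERA.COM can never overlap the SID-derived IDs SSSD generates for INFINERA.COM (SSSD's default ldap_idmap_range_min is 200000), which is exactly the collision Lukas describes above.

```ini
# /etc/sssd/sssd.conf -- added example, not the list's or project's own config.
# Two unrelated AD domain sections: one reads uidNumber/gidNumber from AD,
# the other maps IDs from SIDs. Assumed: both hosts are joined, keytabs exist.

[sssd]
config_file_version = 2
services = nss, pam
domains = se.infinera.com, infinera.com

[domain/se.infinera.com]
id_provider = ad
ad_domain = se.infinera.com
krb5_realm = SE.INFINERA.COM
# Users here carry uidNumber/gidNumber in AD: use them, do not map from SIDs.
ldap_id_mapping = False
# Do not let this section also discover infinera.com as a trusted subdomain;
# it is configured on its own below.
subdomains_provider = none
# Assumed range for the hand-assigned POSIX IDs. Keeping it below 200000
# guarantees no overlap with the SID-mapped range of the other section;
# an AD entry with an ID outside this window is rejected instead of served.
min_id = 10000
max_id = 199999

[domain/infinera.com]
id_provider = ad
ad_domain = infinera.com
krb5_realm = INFINERA.COM
# Nobody here has POSIX attributes: derive UID/GID from the SID.
ldap_id_mapping = True
subdomains_provider = none
# SSSD default mapping range, written out so the non-overlap with the
# se.infinera.com range above is visible in one file.
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
```

After restarting sssd, check each side separately with `getent passwd user@se.infinera.com` and `getent passwd user@infinera.com`, and confirm with `id` that the first returns the UID stored in AD and the second returns one inside the 200000 and up range. Nothing in the thread promises that a group in one section resolves members from the other once the domains are configured as unrelated, so test that explicitly with `id` for a user from each side before relying on it.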