Can sssd allocate uid/gid out of a pool unique to each domain? The mapping need not be complex: “last_allocated+1” should suffice.


I’m motivated to ask the following question because I “supplement” our official active directory with accounts for external partners/collaborators. Numeric uid/gid fields could well collide because there’s no coordination, nor is there likely to be. In the long term, we’d like to fix that, and we’d like to convince our powers-that-be that joining one or more larger “identity federations” is in their best interest. But that puts us right back where we started, as uid/gids across several large, mostly disconnected organizations are not going to be coordinated.


So: What reasons still exist to insist on coordination? Are we ready to make the leap to coordinating the set of text-based-principals which are valid within a domain?


File sharing via NFS with “sec=sys” is just about the only obstruction I can think of. Otherwise, uid/gids are local to each machine, and it is sufficient to allow each machine to perform its own unique mapping from “valid username” to uid.


So if I either prohibit NFS entirely or insist on “sec=krb5”, could I have a gaggle of linux boxes which individually allocate uids and gids as they encounter valid Kerberos credentials?


Sorry for wandering into the abstract there… this seemed an appropriate venue for determining whether such a scheme was viable.



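The "last_allocated+1 per domain" scheme and the sec=sys concern from the post, modelled as an added Python example. This is not sssd code and not how sssd's own ID mapping works (sssd derives IDs from the object's SID algorithmically); it is a toy model of the scheme asked about. The domain names, uid ranges and login sequences are constructed for the illustration. Two hosts that meet the same Kerberos principals in a different order end up with different uids for the same person, which is exactly what breaks when an NFS server with sec=sys trusts the numeric uid the client sends.

```python
"""Toy model of a per-domain 'last_allocated+1' uid pool (constructed example)."""


class PerDomainUidPool:
    """Hands out uids from a disjoint range per domain, in first-seen order.

    The ranges are constructed for this illustration; nothing is read from
    sssd or from a directory.
    """

    def __init__(self, ranges):
        self.ranges = dict(ranges)                                  # domain -> (low, high), inclusive
        self.next_free = {d: lo for d, (lo, _) in self.ranges.items()}
        self.table = {}                                             # (domain, user) -> uid

    def uid_for(self, principal):
        """Return the local uid for 'user@DOMAIN', allocating last+1 on first sight."""
        name, domain = principal.rsplit("@", 1)
        key = (domain, name)
        if key in self.table:
            return self.table[key]
        if domain not in self.ranges:
            raise KeyError(f"no uid range configured for domain {domain}")
        low, high = self.ranges[domain]
        uid = self.next_free[domain]
        if uid > high:
            raise RuntimeError(f"uid pool for {domain} exhausted")
        self.next_free[domain] = uid + 1
        self.table[key] = uid
        return uid


# Constructed domains and ranges: each domain gets its own pool, so the same
# short username in two domains can never collide on one host.
RANGES = {
    "CORP.EXAMPLE": (200000, 299999),
    "PARTNER.EXAMPLE": (300000, 399999),
}


def disagreeing_uids(host_a, host_b):
    """Principals known to both hosts that were mapped to different uids.

    With NFS sec=sys the server believes the client's numeric uid, so every
    entry returned here is a user who would show up as someone else on the
    wire.  With sec=krb5 the server authenticates the principal and maps it
    itself, so this local disagreement is harmless.
    """
    common = set(host_a.table) & set(host_b.table)
    return sorted(
        f"{name}@{domain}"
        for domain, name in common
        if host_a.table[(domain, name)] != host_b.table[(domain, name)]
    )


def simulate():
    """Two hosts, same principals, different first-seen order (constructed)."""
    host_a = PerDomainUidPool(RANGES)
    host_b = PerDomainUidPool(RANGES)
    for p in ["alice@CORP.EXAMPLE", "bob@PARTNER.EXAMPLE", "carol@CORP.EXAMPLE"]:
        host_a.uid_for(p)
    for p in ["carol@CORP.EXAMPLE", "alice@CORP.EXAMPLE", "bob@PARTNER.EXAMPLE"]:
        host_b.uid_for(p)
    return host_a, host_b


if __name__ == "__main__":
    a, b = simulate()
    for principal in ["alice@CORP.EXAMPLE", "bob@PARTNER.EXAMPLE", "carol@CORP.EXAMPLE"]:
        print(f"{principal:24} host_a={a.uid_for(principal)} host_b={b.uid_for(principal)}")
    print("would be misidentified over sec=sys:", disagreeing_uids(a, b))
```

Run as a script it prints the per-host uids and the list of principals whose uids differ; bob agrees only by luck of ordering, alice and carol do not. The model makes the post's point concrete: per-machine allocation is fine as long as nothing on the network trusts the number itself.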