On Wed, 2016-08-24 at 15:19 +0200, Jakub Hrozek wrote:
On Wed, Aug 24, 2016 at 01:33:33PM +0200, Lukas Slebodnik wrote:
>
> On (24/08/16 09:10), Joakim Tjernlund wrote:
> >
> > On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> > >
> > > On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> > > >
> > > >
> > > > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> > > > >
> > > > >
> > > > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> > > > > >
> > > > > >
> > > > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Getting to the of our AD domain migration but there is one step I haven't solved.
> > > > > > > Our users have UID/GID in the new domain while the already present users in the new domain
> > > > > > > do not. Assigning UID/GID to all users does not sit well with upstream IT so I am
> > > > > > > looking at what to do with these when they visit/access our site.
> > > > > > >
> > > > > > > What comes to mind is partial id_mapping, if a user had UID/GID in the AD use that, otherwise
> > > > > > > do id_mapping for that user (preferably the same way samba does it since we already have a
> > > > > > > samba based interim solution).
> > > > > > >
> > > > > > > I haven't found a way to do that in sssd, is there?
> > > > > > > Maybe I am just full of it and this is really a bad idea?
> > > > > >
> > > > > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can be used
> > > > > > for this purpose. (I'm not very sure about pure-SSSD case.)
> > >
> > > It is also possible in the pure-SSSD case, see man sss_override for
> > > details.
> > >
> > > >
> > > >
> > > > >
> > > > >
> > > > >
> > > > > I wish, but this is a Windows AD :(
> > > >
> > > > Petr had IPA-AD trusts in mind, I guess.
> > > >
> > > > Partial ID mapping is not possible, sorry.
> > >
> > > yes, SSSD cannot do this automatically because we can never be sure that
> > > a UID/GID attribute will be added in future to a user who currently
> > > does not have them set.
> >
> > I see, but does not sssd refresh/check cached values against AD regularly?
> > Or mark the non UID/GID user as do not cache?
> >
> I am not sure you understand it correctly.
>
> sssd does not support partial ID mapping intentionally.
>
> let's imagine. The partial ID mapping would be enabled but neither of the
> users has POSIX attributes. So sssd would generate UID/GID from SID.
>
> Then later someone decides to add UID and GID into Active Directory.
> But there is a chance that the administrator would not be careful
> and assign IDs which are already generated from SID for another user.
> If the other user had higher privileges then it would be a security problem.
...also files would have to be chown-ed, so at the very least there is a
huge annoyance to the admins and a risk of locking users out of
their files because you forgot to chown some files.
OK, so no good way to fix this problem as it is now.

But, so I am sure, if we were to get a subdomain to INFINERA.COM, say SE.INFINERA.COM, it would
be possible to have UID/GID in SE.INFINERA.COM and idmapping in INFINERA.COM?
What about group membership, can a SE.INFINERA.COM user be in a group in INFINERA.COM and
vice versa?

But then we would have to deal with TRANSMODE.SE (old, to be retired), SE.INFINERA.COM and
INFINERA.COM in sssd.conf et al.?

 Jocke
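The collision Lukas and Jakub describe above (an admin later hand-assigns a uidNumber that equals an ID sssd already generated from another user's SID, so two accounts share one UID and one inherits the other's file ownership and privileges) is something an AD admin can audit for before adding POSIX attributes. The script below is an added example, not code from sssd, samba or anyone in this thread. It models the autorid-style mapping (domain SID selects a slice of the ID space, RID is the offset inside it) with sssd's documented default ranges, but picks the slice with SHA-1 instead of sssd's MurmurHash3, so the numbers it produces are an approximation of a real deployment's, not a reproduction. The directory records, the domain SID and the account names are constructed sample data.

```python
"""Audit AD user records for POSIX ID collisions between explicitly assigned
uidNumber attributes and IDs that would be generated from SIDs.

Constructed example, not sssd or samba code. The mapping has the same shape
as sssd's default ldap_idmap_* algorithm (domain SID picks a slice, RID is
the offset inside it) but selects the slice with SHA-1 rather than sssd's
MurmurHash3, so real deployments produce different numbers."""

import hashlib
from typing import Dict, List, Optional, Tuple

RANGE_MIN = 200000           # sssd default ldap_idmap_range_min
RANGE_MAX = 2000200000       # sssd default ldap_idmap_range_max
RANGE_SIZE = 200000          # sssd default ldap_idmap_range_size
SLICES = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE   # 10000 slices

User = Dict[str, object]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a domain-relative SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def slice_for_domain(domain_sid: str) -> int:
    """Deterministically pick a slice from the domain SID (simplified hash)."""
    digest = hashlib.sha1(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % SLICES


def sid_to_id(sid: str) -> Optional[int]:
    """ID this mapper generates for `sid`; None if the RID does not fit one slice."""
    domain_sid, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        return None
    return RANGE_MIN + slice_for_domain(domain_sid) * RANGE_SIZE + rid


def audit(users: List[User]):
    """Return (exact_collisions, reserved_range_hits, unmappable).

    exact_collisions:    (explicit user, generated user, uid) where an admin-assigned
                         uidNumber equals the ID generated for a user without one,
                         i.e. the privilege-confusion case described in the thread.
    reserved_range_hits: (explicit user, uid) for every admin-assigned uidNumber
                         inside the auto-mapping range; no collision today, but a
                         user created tomorrow can land on the same number.
    unmappable:          users without uidNumber whose RID exceeds the slice size
                         (this simplified mapper has no secondary slices).
    """
    explicit: Dict[int, str] = {}
    generated: Dict[int, str] = {}
    unmappable: List[str] = []
    for u in users:
        name = str(u["sAMAccountName"])
        uid = u.get("uidNumber")
        if uid is not None:
            explicit[int(uid)] = name
            continue
        gen = sid_to_id(str(u["objectSid"]))
        if gen is None:
            unmappable.append(name)
        else:
            generated[gen] = name
    exact = sorted((explicit[i], generated[i], i) for i in explicit.keys() & generated.keys())
    in_range = sorted(((n, i) for i, n in explicit.items() if RANGE_MIN <= i < RANGE_MAX),
                      key=lambda t: t[1])
    return exact, in_range, unmappable


# Constructed sample directory data; the domain SID and names are made up.
DOMAIN_SID = "S-1-5-21-1234567890-234567890-345678901"
SAMPLE_USERS: List[User] = [
    {"sAMAccountName": "alice", "objectSid": f"{DOMAIN_SID}-1105", "uidNumber": 10001},
    {"sAMAccountName": "bob",   "objectSid": f"{DOMAIN_SID}-1106", "uidNumber": None},
    # carol's uidNumber is constructed to land exactly on bob's generated ID
    {"sAMAccountName": "carol", "objectSid": f"{DOMAIN_SID}-1107",
     "uidNumber": sid_to_id(f"{DOMAIN_SID}-1106")},
    # dave's uidNumber sits inside the auto-mapping range without colliding (yet)
    {"sAMAccountName": "dave",  "objectSid": f"{DOMAIN_SID}-1108", "uidNumber": RANGE_MIN + 5},
    # RID too large for one slice: reported rather than mapped by this simplified mapper
    {"sAMAccountName": "svc_big", "objectSid": f"{DOMAIN_SID}-250000", "uidNumber": None},
]

if __name__ == "__main__":
    exact, in_range, unmappable = audit(SAMPLE_USERS)
    for explicit_user, generated_user, uid in exact:
        print(f"COLLISION uid={uid}: {explicit_user} (uidNumber) vs {generated_user} (generated)")
    for name, uid in in_range:
        print(f"RESERVED  uid={uid}: {name} has uidNumber inside the ID-mapping range")
    for name in unmappable:
        print(f"UNMAPPED  {name}: RID does not fit in one slice")
```

The reserved-range check is the practical mitigation the thread circles around: if hand-assigned uidNumber values are kept outside the range sssd (or samba) uses for SID-derived IDs, a future account can never be mapped onto an existing manual ID, regardless of whether partial mapping were ever offered.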