On Thu, 29 May 2025, Daniel Ruiz via FreeIPA-users wrote:
Hello,

First of all, sorry if my question is very simple, but I'm new to
Free-IPA. I want to migrate my current NIS configuration
(ypserv+ypbind) with shared NFS home folders. I have a script to add
all my NIS users to IPA, assigning the 6th field from /etc/passwd as
"--homedir". In my scenario, all users log in on computers that act as
"YP clients", so when they log in, their $HOME folders have already been
created on my NFS server and have the UID/GID assigned correctly.

Now, with Free-IPA, if I create a new user on the server, I need to
create his/her folder first, because that user will log in on a
Free-IPA client computer and user folders are mounted using NFS.

So my question is: when I create that folder on the server, what
uid/gid must I assign if the user is not already created? I have read on
some websites that if user folders are shared in an NFS environment, the
user folders must be created before the user's first login... but if I
create the user folder before "ipa user-add", how can I know the gid/uid
that I must apply in the "ipa user-add" command? I have read that the
uid/gid from the system are not the same as the uid/gid I can check
with "ipa user-show".

It is FreeIPA, not Free-IPA. We use the shortcut 'IPA' to talk about a
particular FreeIPA deployment. Not that this matters much; I'm
mostly confused about what you are doing here. Typically, when you are
moving from NIS to a different centralized environment, like FreeIPA,
what you need to do is:

  - import user entries into new system, ideally preserving the POSIX
    attributes

  - reconfigure client systems to use new identity system

  - allow users to login again

If you have NFS for their home directories and those NFS
shares/subfolders for the home directories already exist with old
UID/GID values, then if you'd ensure that users in FreeIPA were created
with the same UID/GID values, you don't need to do anything on the
client other than ensuring the automount of NFS shares works for them.

In order to preserve UID/GID values from the NIS maps in FreeIPA, you'd
need to pass those values explicitly to 'ipa user-add'. In contemporary
FreeIPA versions we require a bit more work though, as those IDs must be
part of some ID range that IPA maintains. This is because the user
creation process also involves adding some non-POSIX attributes which
are important for authentication and authorization purposes. Kerberos
tickets issued by FreeIPA KDCs contain a special structure, the PAC,
based on the MS-PAC specification from Active Directory. A key point of
the PAC content is that any object is referenced there through a
so-called 'security identifier', SID. When you add a user to IPA, it
will get a SID assigned automatically based on its UID -- but only if
that UID is within at least one of the local ID ranges the IPA
deployment has defined.

You can read more details in 
https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html

So, when adding users with 'ipa user-add foo --uid=12345
--gidnumber=54321', you need to make sure that
  - UID 12345 belongs to a certain ID range in IPA that can be used to
    allocate SIDs

  - GID 54321 also resolves to a specific group in IPA and there exists
    an ID range in IPA that can be used to allocate a SID to this group

Users can authenticate with Kerberos even if their POSIX properties
violate these requirements, but they will not be able to use Kerberos
services which require the presence of PAC structures in the tickets.
The IPA API is one of those, but there are more. SSSD on IPA-enrolled
systems performs validation of PAC presence, for example, and that
should prevent users from being able to log in.

Anyway, back to your NIS client to SSSD client transformation. Once you
have enrolled a former NIS client in IPA, it will be able to see all
users defined in IPA, so for existing users nothing should change.

For new users you should create those NFS directories before they log
in. Obviously, this should happen after they were created in IPA if
you are not assigning explicit UID/GID values yourself. At creation
time IPA will then assign new UID/GID values, and after that you'd
create a user.

We don't have a mechanism to trigger NFS share creation after a user was
created. This is typically a custom and manual process, very much
specific to your deployment. What we do have now, though, is a way to
listen to operations performed through the IPA API and react to those.
See https://freeipa.readthedocs.io/en/latest/designs/audit-ipa-api.html
for more details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

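As an added example (not code from this thread or from the FreeIPA
project), the POSIX sh script below plans the migration the reply
describes: it keeps the NIS UID/GID values, checks every UID and GID
against the IPA local ID ranges so that a SID can be allocated, and
only then emits the 'ipa group-add', 'ipa user-add' and NFS
home-directory commands, with ownership matching what is passed to
'ipa user-add'. The passwd/group lines, the single range 10000..59999
and the export path /export/home are constructed assumptions; the
script prints the commands and runs nothing against IPA or NFS.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Plans a NIS -> FreeIPA migration that keeps the NIS UID/GID values:
# each UID/GID is checked against the IPA local ID ranges before the
# 'ipa group-add' / 'ipa user-add' and home-directory commands are emitted.
# Nothing is run against IPA or the NFS server; the commands are only printed.

# Constructed sample data standing in for 'ypcat passwd' and 'ypcat group'.
NIS_PASSWD='alice:x:12345:54321:Alice Example:/home/alice:/bin/bash
bob:x:70000:54321:Bob Example:/home/bob:/bin/sh'
NIS_GROUP='staff:*:54321:alice,bob'

# Assumed local ID ranges, as "base size" pairs. In a real deployment take
# ipabaseid / ipaidrangesize from 'ipa idrange-find --raw' for the ranges of
# type ipa-local (those are the ones that can hand out SIDs).
IPA_ID_RANGES='10000 50000'

# Assumed path of the NFS export behind the automounted /home.
NFS_HOME_ROOT=/export/home

# in_ipa_range ID: succeeds when ID lies inside one of IPA_ID_RANGES.
in_ipa_range() {
    _id=$1
    set -- $IPA_ID_RANGES
    while [ $# -ge 2 ]; do
        _last=$(($1 + $2 - 1))
        if [ "$_id" -ge "$1" ] && [ "$_id" -le "$_last" ]; then
            return 0
        fi
        shift 2
    done
    return 1
}

# plan_group LINE: print the 'ipa group-add' command for one NIS group entry,
# or fail if the GID could not get a SID.
plan_group() {
    IFS=: read -r gname gpw gid members <<EOF
$1
EOF
    if ! in_ipa_range "$gid"; then
        echo "# SKIP group $gname: GID $gid is outside the IPA ID ranges" >&2
        return 1
    fi
    echo "ipa group-add '$gname' --gid=$gid"
}

# plan_user LINE: print the 'ipa user-add' command and the command that
# pre-creates the home directory on the NFS server for one NIS passwd entry.
plan_user() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    if ! in_ipa_range "$uid"; then
        echo "# SKIP user $name: UID $uid is outside the IPA ID ranges (no SID)" >&2
        return 1
    fi
    if ! in_ipa_range "$gid"; then
        echo "# SKIP user $name: primary GID $gid is outside the IPA ID ranges" >&2
        return 1
    fi
    # 'ipa user-add' needs --first/--last; take them from the GECOS field.
    first=${gecos%% *}
    last=${gecos#* }
    if [ "$last" = "$gecos" ]; then
        last=$name      # single-word GECOS: reuse the login name
    fi
    echo "ipa user-add '$name' --first='$first' --last='$last' --gecos='$gecos'" \
         "--uid=$uid --gidnumber=$gid --homedir='$home' --shell='$shell'"
    # Owner/group are the same numeric IDs passed to 'ipa user-add', so the
    # first login over NFS finds a writable home with the right ownership.
    echo "install -d -m 0700 -o $uid -g $gid '$NFS_HOME_ROOT/$name'"
}

# plan_all: groups first (the GIDs must resolve before users reference them),
# then users. Returns the number of entries that could not be migrated as-is.
plan_all() {
    failed=0
    while read -r line; do
        plan_group "$line" || failed=$((failed + 1))
    done <<EOF
$NIS_GROUP
EOF
    while read -r line; do
        plan_user "$line" || failed=$((failed + 1))
    done <<EOF
$NIS_PASSWD
EOF
    return $failed
}

plan_all || echo "# $? entries need a different UID/GID or an extra ID range" >&2
```

With the sample data, 'alice' (UID 12345, GID 54321) yields the group,
user and 'install -d' commands, while 'bob' (UID 70000) is reported on
stderr as outside the 10000..59999 range: such an account would exist
in IPA but get no SID, which is the failure mode the reply warns about.
Run the printed commands on the IPA server (user/group) and the NFS
server (directory), or add an ID range covering the rejected IDs first.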
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue